The portlet aims at attributing roles to a permission. Below is an example to setup permissions for the forums portlet.

At the very top, a domain can be specified. A domain is defined by the portlet, it can be the name of a portal for example. It gives the scope of the permissions. THe first screen gives you the top level privileges, usually it will show global permissions.

Defined roles gives the list of roles that has been defined for the corresponding permission while implied roles will show all the roles that are implied. For example in the forums, the admin role implies the add permission, defining the role "Admins" on the Admin permission, would show "Admins" in the implied roles of the add permission. Only defined roles can be removed so if a permission need to be restricted, the most permissive permission has to be removed before a less permissive one is added.

Under the global permissions, there is a list of sub-components for a finer grain permission definition. For example, the forums portlet gives the ability to define permissions on a single category. By clicking on the category, the following screen would show up:

The forums security model dictates that the global admin permission implies the category admin permission, and the global add permission implies the category read permission, with that in mind, the implied roles should make sense. If you select a sub-component, you can define an even finer-grain permission and the following screen will show up: