Many Portal Controls have secured methods, meaning that the caller executing such a method must be in an authorized security role. You can specify security roles in a Page Flow on each action. A user must be a member of the designated role(s) for the action to fire. For example, the User Provider Control has a removeUser() method that requires the caller to be in the role "PortalSystemAdministrator" or "Admin". See Portal Control Properties for more information.
For user and group management actions, the roles you specify in the WebLogic Administration Portal Authentication Security Provider Service determine whether or not the user can perform the action.
You can add security roles to a domain using the WebLogic Server Administration Console.
Security Roles (WebLogic Server e-docs topic)