The WebSphere Portal Server allows you to use external security manager such as Tivoli Access Manager or Netegrity's Siteminder for managing both authentication and access control (Authorization) for portal resources. WPs ships which authorization adapters for Tivoli Access Manager and Netegrity Siteminder.
Portal access control lets you put individual subtrees of the protected resource hierarchy under external protection. For example using the Resource permissions portlet you can select a resource and change its externalization state. As a result the selected resource and all resources contained in the subtree rooted at this resource are either put under external access control or brought back in to be protected by portal internal access control control depending on the specific externalization state chosen. Inheritance always stops between resources that have different externalization state.
This means that each resource is either exclusively protected by portal access control or by the external system. WHen you put a resource under external security manager, portal will still take care of making sure that user is able to perform only those actions for which role is assigned to him, only thing that will change is that mapping between roles and user/groups is managed through the external authorization system.