In order to make management of actions simpler the portal server has arranged the resources in hierarchy i.e. Lets say you have a Portlet Application that contains 5 Portlet, you want John Doe to act as manager or all those 5 portlets so instead of going and adding John Doe as manager for each of the portlet you can go and add him as manager or the Portlet Application (Portlets are children of the portlet application).
The vast majority of the resources within this hierarchy represent portal resource instances that require access control protection (such as individual portal pages or portlets); but some of them are special virtual resources.
Virtual resources are used in two ways:
1. They guard sensitive operations that do not affect specific resource instances as such but the whole portal or a whole portal concept. For example, the virtual resource XmlAccess is used to protect the ability to use the XmlAccess configuration tool.
2. They group resources of the same or related resource types. For example, the virtual resource Content Nodes is the root node of all pages (resource instances of resource type Content Node) within the portal page hierarchy