Unfortunately, we didn't interact with the portlet correctly during initial testing. User roles are lost during portlet interaction (we believed at the time it was due to Ajax Push) because those interactions take place via ServletRequest objects, not PortletRequest objects.
To support user roles with Portlets we will likely need either: acegi for Portlets, or to cache user role determinations (note that the caching cannot work in all cases because the user roles could change during portlet execution, which is potentially a security hole, and user roles requested during the initial page view may be different from those requested during subsequent views; there are reasonable ways to structure pages to work around this, however).
The new portlet bridge does support this usage and all the ICEfaces 1.8 components that rely on ExternalContext() isUserInRole method to determine the validity of the user's role are supported. This includes custom attributes like renderedOnUserRole. Going forward, the next generation of ICEfaces components will not expose similar custom attributes but the same functionality can be achieved by using simple EL expressions bound to standard attributes like rendered or disabled.