I would like to confirm my understanding of how Secured REST Services are handled in the Portal Security versus the ArcGIS Server Security.
In ArcGIS Server you added user Frank. Frank was added to ROLE WaterDepartment. Secured REST Service WaterMeters added access to the ROLE WaterDepartment. Frank could access this layer in his Flex Viewer by signing in, when he loaded the Flex Viewer.
ArcGIS for Portal:
At Federation of my ArcGIS Server to Portal, all my REST Services are registered with Portal as Portal Items.
In Portal I created a user Frank. Frank was added to GROUP WaterDepartment. Secured REST Service WaterMeters added access to the GROUP WaterDepartment. So if Frank signs into Portal and uses a new web app created in Portal, that uses this secured Portal Item, he will be granted access to this data, without further signing in.
Have I understood correctly?