This should be simple, but turns out it obviously isn't :-(
So I defined a couple of portlet actions in "resource-actions/default.xml" of my portlet module:

<resource-action-mapping>
&nbsp;&nbsp; &nbsp;<portlet-resource>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <portlet-name>openHAB_OpenHABPortlet</portlet-name>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; <permissions>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <supports>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <action-key>DELETE_CONTENT</action-key>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...</supports></permissions></portlet-resource></resource-action-mapping>

And I added a Role where I can either add this permissions or not.
Note: These are Application / Portlet resource actions. Not model resource actions!
I used the portal configuration to assign a user to my custom role, but DIDN'T assign any of the available actions to the role.
Now I want to check if this user has the defined permissions.
There's this PortletPermissionUtil and this should do the trick. BUT
All of the following tests return true:

        PortletDisplay portletDisplay = themeDisplay.getPortletDisplay();
        PermissionChecker permissionChecker = themeDisplay.getPermissionChecker();

        Layout layout = themeDisplay.getLayout();
        long groupId = themeDisplay.getScopeGroupId();
        long plid = themeDisplay.getPlid();

            logger.debug("Variant1 " + PortletPermissionUtil.contains(permissionChecker, OpenHABPortletKeys.OPENHAB, actionId));

            logger.debug("Variant2 " + PortletPermissionUtil.contains(permissionChecker, portletDisplay.getId(), actionId));
            logger.debug("Variant3 " + PortletPermissionUtil.contains(permissionChecker, layout, OpenHABPortletKeys.OPENHAB, actionId));
            logger.debug("Variant4 " + PortletPermissionUtil.contains(permissionChecker, layout, portletDisplay.getId(), actionId));
            logger.debug("Variant5 " + PortletPermissionUtil.contains(permissionChecker, groupId, layout, portletDisplay.getId(), actionId));
            logger.debug("Variant6 " + PortletPermissionUtil.contains(permissionChecker, groupId, layout, OpenHABPortletKeys.OPENHAB, actionId));
            logger.debug("Variant7 " + PortletPermissionUtil.contains(permissionChecker, plid, OpenHABPortletKeys.OPENHAB, actionId));
            logger.debug("Variant8 " + PortletPermissionUtil.contains(permissionChecker, plid, portletDisplay.getId(), actionId));
            logger.debug("Variant9 " + PortletPermissionUtil.contains(permissionChecker, layout, OpenHABPortletKeys.OPENHAB, actionId, true));
            logger.debug("Variant10 " + PortletPermissionUtil.contains(permissionChecker, layout, portletDisplay.getId(), actionId, true));
            logger.debug("Variant11 " + PortletPermissionUtil.contains(permissionChecker, plid, OpenHABPortletKeys.OPENHAB, actionId, true));
            logger.debug("Variant12 " + PortletPermissionUtil.contains(permissionChecker, plid, portletDisplay.getId(), actionId, true));
            logger.debug("Variant13 " + PortletPermissionUtil.contains(permissionChecker, groupId, plid, portletDisplay.getId(), actionId, true));
            logger.debug("Variant14 " + PortletPermissionUtil.contains(permissionChecker, groupId, plid, OpenHABPortletKeys.OPENHAB, actionId, true));
            logger.debug("Variant15 " + permissionChecker.hasPermission(groupId, OpenHABPortletKeys.OPENHAB, 0, actionId));
            logger.debug("Variant16 " + permissionChecker.hasPermission(groupId, portletDisplay.getId(), 0, actionId));

where actionId is for example "DELETE_CONTENT".
They all return "true" although the users role is configured to NOT have the permission.
QUESTION: How to check for the presence or absence of a permission that is configured for the portlet resource?