To add a new action based security permission, 

Create an implementation of IAuthorizationAction

package org.pentaho.platform.api.engine;

/**
 *
 * Represents a Logical Role name used by some IAuthorizationPolicy implementations. Also known as Action-Based
 * Security
 *
 * User: nbaker Date: 3/19/13
 */
public interface IAuthorizationAction {
  /**
   * Get the name of the action
   *
   * @return action name
   */
  String getName();

  /**
   * Get the localized display name of action for a specific locale. If null is passed then default locale will be used
   *
   * @param locale
   * @return localized name
   */
  String getLocalizedDisplayName(String locale);
}

This is an example of a EXECUTE permission implementation. The interface allows a localized name which the implementation fetches in a local messages.properties.

package org.pentaho.platform.plugin.kettle.security.policy.rolebased.actions;

import java.util.ResourceBundle;

import org.pentaho.platform.plugin.kettle.messages.Messages;
import org.pentaho.platform.security.policy.rolebased.actions.AbstractAuthorizationAction;

public class RepositoryExecuteAction extends AbstractAuthorizationAction {
  public static final String NAME = "org.pentaho.repository.execute";
  ResourceBundle resourceBundle;

  @Override
  public String getName() {
    return NAME;
  }

  @Override
  public String getLocalizedDisplayName(String localeString) {
    return Messages.getInstance().getString(NAME);
  }

}


The last step is to add this new permission in the plugin.spring.xml. In order for the register to work properly,  make sure the ApplicationContextPentahoSystemRegisterer bean class is present in the plugin.spring.xml

  <bean class="org.pentaho.platform.engine.core.system.objfac.spring.ApplicationContextPentahoSystemRegisterer" scope="singleton"/>

  <bean class="org.pentaho.platform.plugin.kettle.security.policy.rolebased.actions.RepositoryExecuteAction">
    <pen:publish as-type="INTERFACES">
      <pen:attributes>
        <pen:attr key="priority" value="70"/>
      </pen:attributes>
    </pen:publish>
  </bean>

The new permission is now available in the platform. 

The new permission is now available in the platform.

To enforce this newly registered permission you will just need to invoke the isAllowed method on IAuthorizationPolicy

IAuthorizationPolicy authorizationPolicy = PentahoSystem.get(IAuthorizationPolicy.class, PentahoSessionHolder.getSession());

if(!authorizationPolicy.isAllowed(RepositoryExecuteAction.NAME)) {
  throw new IllegalStateException(org.pentaho.platform.plugin.kettle.messages.Messages.getInstance().getErrorString(
      "PdiAction.ERROR_0010_NO_PERMISSION_TO_EXECUTE")); //$NON-NLS-1$
}