Quick Overview
We recently migrated a Plone 2.1 site to Plone 3.3. While moving a skins file to a browser view, we needed a new permission to protect the browser view. Browser views need a named Zope 3 style permission, so the old Zope 2 style permission wouldn't work. It ended up taking 3 steps; declare the permission in zcml, assign the permission to a role in rolemap.xml, and use the permission to protect your view.
Step-by-step
Step 1: Declare the permission in ZCML
Most people declare the permissions in permissions.zcml and include that file in configure.zcml. But you can declare the permission in configure.zcml and just include permissions.zcml. Note that id is the zope 3 style identifier, and title is the zope 2 style identifier. The title shows up on the security tab in the ZMI.
src/your.product/your/product/browser/permissions.zcml:
<permission
id="myproduct.myNewPermission"
title="MyProduct: My New Permission"
/>
Step 2: Assign the permission to a role
Assign the permission to a role in rolemap.xml. Here, I assign my new permission to the manager role.
src/your.product/your/product/profiles/default/rolemap.xml:
<permission name="MyProduct: My New Permission">
<role name="Manager" />
</permission>
Step 3: Protect your view with the new permission
In configure.zcml protect your view with the new permission. Here, I'm protecting the class MyClass in the file common.py. We chose to put the permissions from Step 1 into permissions.zcml, so we include it here. Note that the permission must be the same as the id in Step 1.
src/your.product/your/product/browser/configure.zcml:
<include file="permissions.zcml" />
<browser:page
for="Products.CMFPlone.interfaces.IPloneSiteRoot"
name="myName"
class=".common.MyClass"
permission="myproduct.myNewPermission"
/>
As usual, the community developer manual at http://plonemanual.twinapex.fi/ was very helpful.