personalize & customize are permissions in default jetspeed database.
if someone has the role of the personalize permission ( default : admin, turbine ), he can do something about personalizing his portal and portlet ..
customization is the same thought !
however, u could add a new permission for ur new application for authorizating someone could do or couldn't do. I think that u *SHOULD* deciding what permissions and roles exists before developing one system .
well... the basic AA knowledege begins trying to know the ACL ..
WHAT is ROLE for?
WHAT is PERMISSION for?