The only way permissions will work is if you scope them to a set using an MPR and if that set contains users from the portal. That being said, you are looking for a mechanism that keeps a set membership in sync with a security group.
One option could be a scheduled task on the FIM server which reads the AD group from time to time and adds the required people to the set you want. Perhaps not as nice, but if the group isn't changing that much, it could work for you.
Perhaps another way: have your security group synced from AD to FIM. Have an MPR fire whenever a write to the member attribute (or its equivalent in FIM) happens. That could then execute a workflow (for example with a PowerShell script) which adds your user to your set.
It's a bit creative, but it could cover your needs...
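
A sketch of the scheduled-task option described in the answer above, added here as an illustration and not part of the original post. It uses the FIMAutomation snap-in and the ActiveDirectory module; the group name, set name, service URI and the matching of AD `sAMAccountName` to the portal's `AccountName` are assumptions, as is a set with manually managed membership (`ExplicitMember`).

```powershell
Add-PSSnapin FIMAutomation -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Assumed values (hypothetical, not from the original post)
$GroupName = 'GRP-Portal-Admins'
$SetName   = 'Portal Admins (from AD)'
$Uri       = 'http://localhost:5725/ResourceManagementService'

function Get-FimResource([string]$XPath) {
    Export-FIMConfig -CustomConfig $XPath -Uri $Uri -OnlyBaseResources
}
function New-MemberChange($Operation, [string]$Value) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation = $Operation; $c.AttributeName = 'ExplicitMember'
    $c.AttributeValue = $Value; $c.FullyResolved = $true; $c.Locale = 'Invariant'
    $c
}

# Current explicit members of the set (urn:uuid:... references)
$set = @(Get-FimResource "/Set[DisplayName='$SetName']")
if ($set.Count -ne 1) { throw "Expected exactly one set named '$SetName'" }
$setId   = $set[0].ResourceManagementObject.ObjectIdentifier
$attr    = $set[0].ResourceManagementObject.ResourceManagementAttributes |
           Where-Object { $_.AttributeName -eq 'ExplicitMember' }
$current = @($attr.Values | Where-Object { $_ })

# Desired members: AD group users that also exist as Person objects in the portal.
# Account names containing a quote are skipped so they cannot alter the XPath filter.
$desired = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notmatch "'" } |
    ForEach-Object {
        $p = @(Get-FimResource "/Person[AccountName='$($_.SamAccountName)']")
        if ($p.Count -eq 1) { $p[0].ResourceManagementObject.ObjectIdentifier }
        else { Write-Warning "No unique portal user for $($_.SamAccountName)" }
    })

# Add missing members and remove stale ones so the set mirrors the group
$op = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]
$changes  = @($desired | Where-Object { $current -notcontains $_ } |
              ForEach-Object { New-MemberChange ($op::Add) $_ })
$changes += @($current | Where-Object { $desired -notcontains $_ } |
              ForEach-Object { New-MemberChange ($op::Delete) $_ })

if ($changes.Count -gt 0) {
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType = 'Set'
    $io.SourceObjectIdentifier = $setId; $io.TargetObjectIdentifier = $setId
    $io.State   = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $io.Changes = $changes
    $io | Import-FIMConfig -Uri $Uri -ErrorAction Stop
}
```

The account that runs the task needs an MPR of its own that allows it to modify `ExplicitMember` on this one set; granting it rights over all sets would let the task account change the scope of every other permission in the portal.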