You are right, the security role and the business process role are separate entities. The security role defines permissions (what screens are available, what entity attributes can be edited, etc.), the process role defines only who will get the process task. They are not linked at present.
As for creating ProcessActors for each user with the given security role, I attached a demo project that illustrates the process.
The project is similar to the one from the quick start. There is a Contract entity, Contract approval process with one task assigned to the Manager process role and screens for editing the contract.
If you create the contract, save the entity and click the Start process button, you will see that users who have the ‘someSecRole’ security role are automatically assigned to the Manager process role.
The code that does this is inside the MyCustomForm class (see the createProcActors() method). myCustomForm is a new process form in the project (the discussion of process forms is here).
MyCustomForm has two parameters: secRoleName and procRoleCode (see the screenshots attached).
There is no special API for creating ProcActors, just regular entity creation. The BPM data model is described here.
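
The approach described in the post, as an added sketch that is not the code from the attached demo project: load the process role by its code, load the active users holding the security role, and create one ProcActor per user as an ordinary entity. It assumes the CUBA 6.x BPM add-on entity names and attributes (`bpm$ProcRole`, `sec$User`, `ProcActor.order`); the class name `ProcActorFactory` is hypothetical, and `procInstance` is assumed to be loaded with its `procDefinition`.

```java
import com.haulmont.bpm.entity.ProcActor;
import com.haulmont.bpm.entity.ProcInstance;
import com.haulmont.bpm.entity.ProcRole;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.LoadContext;
import com.haulmont.cuba.core.global.Metadata;
import com.haulmont.cuba.security.entity.User;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper; entity and attribute names assume the CUBA 6.x BPM add-on. */
public class ProcActorFactory {
    private final DataManager dataManager;
    private final Metadata metadata;

    public ProcActorFactory(DataManager dataManager, Metadata metadata) {
        this.dataManager = dataManager;
        this.metadata = metadata;
    }

    /** Builds one unsaved ProcActor per active user holding the security role. */
    public List<ProcActor> createProcActors(ProcInstance procInstance,
                                            String secRoleName, String procRoleCode) {
        // The process role is looked up within this instance's process definition only.
        ProcRole procRole = dataManager.load(LoadContext.create(ProcRole.class).setQuery(
                LoadContext.createQuery("select r from bpm$ProcRole r "
                        + "where r.code = :code and r.procDefinition.id = :defId")
                        .setParameter("code", procRoleCode)
                        .setParameter("defId", procInstance.getProcDefinition().getId())));
        if (procRole == null) {
            throw new IllegalArgumentException("Unknown process role code: " + procRoleCode);
        }
        // Every holder of the security role becomes a task recipient, so
        // disabled accounts are filtered out here.
        List<User> users = dataManager.loadList(LoadContext.create(User.class).setQuery(
                LoadContext.createQuery("select distinct u from sec$User u join u.userRoles ur "
                        + "where ur.role.name = :roleName and u.active = true")
                        .setParameter("roleName", secRoleName)));
        List<ProcActor> actors = new ArrayList<>();
        int order = 0;
        for (User user : users) {
            ProcActor actor = metadata.create(ProcActor.class); // regular entity creation
            actor.setProcInstance(procInstance);
            actor.setProcRole(procRole);
            actor.setUser(user);
            actor.setOrder(order++);
            actors.add(actor);
        }
        return actors; // the caller saves these together with the ProcInstance
    }
}
```

Because the security role and the process role are not linked, the actor list is a snapshot taken when the method runs: a user who later loses the security role remains a process actor for instances that already exist.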