To actually limit access to a JSF View, you can use container-based authorization to limit access to its URL based on the security role(s) of the user. However, in JSF you also have to add a "redirect" element to the navigation rules that go to that page, since otherwise, the URL used may be the "from" page URL, and it's the URL that's used for access control, not the view name itself.
In conjunction with that, you can set up the preceding action methods to select (navigate to) whichever view that particular user should be supplied with. Just remember to include the "redirect" option so that the URL will be secured.
For a generic "bookmarkable" URL, such as "main.jsf", you can create a
Servlet Filter that replaces that URL with the one for the appropriate page based on the user role.
You can also use a single page with access-controlled regions using div-like constructs (such as "h:panelGrid") and the "rendered=" attribute.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.