You can use a database to store your navigation rules and create a custom NavigationHandler to handle navigation based on those rules, but it won't enforce authorization, since a user can always access an URL directly by entering an URL in the address bar of his browser. The NavigationHandler doesn't intercept direct calls to the page.
A PhaseListener is at the moment probably the best way to do fine grained authorization. Just let it intercept the lifecycle after phase 1 (so the viewId is set on the UIViewRoot) and place some logic there to check the user rights against the viewId. If they don't match, redirect the user to an error page or something like that.
[Message sent by forum member 'jkva' (jkva)]
http://forums.java.net/jive/thread.jspa?messageID=292370