I think the good thing would be to use JAAS to handle both authentication and access authorization or Spring Security or Apache Shiro and set up ROLES and user groups.
But if the control is simple you could create a JSF Phaselistener where you can intercept the life cycle phases, an example is the view restore phase(Phaseid.RESTORE_VIEW), could create a logic so that when the resource that is accessed is being performed by a user who is not logged in to the system or who does not have due permission to access the page could redirect it to the login page (if it is not authenticated) or if it is already browsing but should not have access to the feature could display a friendly message. Below I added a link has an example of a very simple control, which from it I believe can adapt to your model, improve and use it if you do not opt for a more rigorozo control with the technologies I mentioned above.
Login Phaselistener