Welcome to the JavaRanch, Jay!
Hard-coding user IDs in a webapp isn't very flexible. It means that every time user responsibilities change, the WAR has to be rebuilt. It means that if Joe S. goes on vacation and Mike R. handles his responsibilities in the interim, you'd have to rebuild. And re-rebuild when Joe S. came back. If Sally G. got hospitalized because her selfie-taking quadrotor went berserk, it would be an emergency rebuild. And then there's the ever-popular "rightsizing" where the entire security staff is terminated and responsibility for security is given over to the janitor.
Using Role-Based Access Control (RBAC) means that you don't have to rebuild. You simply re-assign roles. It's a trivial operation that can be done by a security administrator without the need for programming skills, access to source code, or build tools.
And, as your organization gets progressively leaner, you can pile more and more roles on whoever's remaining.
So the long and short of it is, no.
J2EE doesn't work with user-based access control. User rights are determined by whatever role(s) they are assigned.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.