That actually wasn't a very clear question.
But what I think you meant was that depending on the user's role, you could do one thing or the other, but not both.
J2EE security roles are not simple labels. It's perfectly legal for Mary to be
both a Manager and an Employee:
Likewise, code security can allow users in more than one role:
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.