All page level security is driven from the "hasAccess" method of the Page Controller, which returns a boolean value indicating whether or not the current user has access to the page (more about Page Controller security).
This means that you can implement your own "hasAccess" method on any page, to make the logic as complicated as you like. You can even do so while taking advantage of the built-in functionality, if you like:
<cffunction name="hasAccess" access="public" returntype="boolean" output="no"> <cfset var result = Super.hasAccess()> <cfif result> <!--- Complicated logic goes here ---> </cfif> <cfreturn result> </cffunction>
You could do the same thing in "_config.PageController" as well, for more universal functionality.
This could include changing the "getNoAccessURL" method that indicates where a user should be forwarded if they have no access or changing the "blockAccess" method to have some other action be taken for users that have no access.