Hi vijenjoy,

Actually both are the solutions. You have to decide now what you should follow. If your application is of high level and object oriented, then follow my method. If you are not sure about application, follow second method.

I have tested such type of application, in which general user, broker and builder have different access rights. Functionality are same. I test for builder. Then security testing for broker, what he should not allowed to access. Then for normal user.