We went for option 2 eventually.
The main advantage is that we can easily add/remove certain authorizations on users. This will result in more user roles, but if you name them nicely after their function, it will be workable.
This suited our company the best, because a lot of functions overlap.
I would go for option 1. Option 2 can get really complicated real fast. Always try to have as few user roles as possible, because that makes the modeler's life easier. With stacking user roles it will be hard to debug why a user is seeing / not seeing something in your form.
Regards,
Ronald