I vote for #1 - make the configuration configurable. I wrote a "framework" (two methods in a superclass) in one of my applications to allow the test to say what it wants the security role to be for the test (and putting it back at the end). This lets the test choose which role it wants to be run under independent of all other conditions.
I've used the same approach for other types of configuration as well.