
Privilege escalation practical example with mitigations.

In role-based applications, a penetration tester should always test for privilege escalation. Take a web application with two user roles, i.e. an admin user and a normal user.

As a tester, we should first capture the traffic in Burp Suite by logging in as both the normal user and the admin user. We should perform every action available to each role and visit every single page accessible to the normal and admin roles. This gives us a complete picture of both roles to test for privilege escalation later.

Next, we closely observe which API endpoints and web pages were accessible to the normal user and which to the admin user, and make a note of them. Then we simply send the requests that were accessible only to the admin user to the Repeater tab and replace the cookies and authentication tokens with those of the normal user. If we are still able to perform the action or access the API URL, this is a privilege escalation vulnerability.

Ex:

A website has two users: a doctor and a patient. The patient follows exactly the steps described above and is able to access functionality that should only be available to the doctor role.
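As an added example (not code from the original post), the replay check described above written as a small Python script, alongside a handler that only authenticates the session and a hardened one that also enforces the role on every request. The sessions, endpoints and handlers are constructed stand-ins for the traffic captured in Burp.

```python
# Constructed sample sessions: token -> role (stand-in for the captured cookies)
SESSIONS = {"tok-doctor": "doctor", "tok-patient": "patient"}

# Constructed endpoint list from the crawl, with the roles that should reach each one
ROLE_REQUIRED = {
    "GET /api/patients": {"doctor"},
    "POST /api/prescriptions": {"doctor"},
    "GET /api/me": {"doctor", "patient"},
}


def vulnerable_handler(method, path, token):
    """Authenticates the caller but never checks the role: any valid session passes."""
    if token not in SESSIONS:
        return 401
    return 200 if f"{method} {path}" in ROLE_REQUIRED else 404


def hardened_handler(method, path, token):
    """Authenticates, then enforces the role on every request (deny by default)."""
    role = SESSIONS.get(token)
    if role is None:
        return 401
    allowed = ROLE_REQUIRED.get(f"{method} {path}")
    if allowed is None:
        return 404
    return 200 if role in allowed else 403


def find_privilege_escalation(handler, high_token, low_token):
    """Replays each request the high-privileged role can perform using the
    low-privileged token (the Repeater step from the article) and returns the
    endpoints the server should have denied but answered with 200."""
    findings = []
    for endpoint, roles in ROLE_REQUIRED.items():
        method, path = endpoint.split(" ", 1)
        if handler(method, path, high_token) != 200:
            continue  # baseline: the request must work for the admin role
        if SESSIONS[low_token] in roles:
            continue  # legitimately shared endpoint, not a finding
        if handler(method, path, low_token) == 200:
            findings.append(endpoint)
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_privilege_escalation(vulnerable_handler, "tok-doctor", "tok-patient"))
    print("hardened:", find_privilege_escalation(hardened_handler, "tok-doctor", "tok-patient"))
```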

