Hi,
This is the hardest thing to decide, and I'm not an expert in such architectures but I'll try to answer anyway.
Membership levels can be numbers from 0 to whatever, or user roles can be like "member-plus", "member-premium". Or you can have a table that grants certain content/course to a user ID:
course_id, user_id
30, 1
My personal opinion, what provides the most flexibility is the last approach above - that's what I would choose.
In the websites I build I only use Database Security provider, I don't use User Roles (I'm not familiar with them), every logic I build manually using Conditions to check if the user is allowed to access a given resource. I also make use of Global steps ("Globals") to run those checks: