roles, STI and convention

Hi, I have been using the restful_authentication plugin and the default roles setup that it came with. I have a system with 1 admin, 20-30 clients (customers) and 500+ users, all of whom can log in. I found that often when using certain role-based functions like user.has_role?, MySQL would send an IN() query with the id of every user in the system (500+). This seemed like a lot of overkill for what it was doing. There's no overlap between roles, and all of the user types authenticate at the User object level rather than the subclass. Now I'm using STI and running checks on the type (role) of the current_user with user.class instead. Somehow this seems a bit wrong, but I don't know why. Is it inherently a bad thing to do?