roles, STI and convention

I have been using the restful_authentication plugin and the default
roles setup that it came with. I have a system with 1 admin, 20-30
clients(customers) and 500+ users all of whom can login. I found that
often when using certain role-based functions like user.has_role?,
mysql would send an IN() query with the id of every user in the system
(500+). This seemed a lot of overkill for what it was doing. There's
no overlap between roles, and all of the user types authenticate at
the User object level rather than the subclass. Now I'm using STI and
running checks on the type(role) of the current_user with user.class
instead. Somehow this seems a bit wrong, but I don't know why. Is it
inherently a bad thing to do?