I personally think that CDdAuth class might be more flexible, letting some to by-pass assignments to AuthAssignment table, and having an option to assign one single role for each user, via usertable->role_id, that is, there must be id or role_id field in AuthItem table.
check for a specific/practical problem: http://www.yiiframework.com/forum/index.php?/topic/13332-rbac-user-relations/page__view__findpost__p__65605