We have a similar problem. A user can have two roles in one course:
he can participate as a student but he also has a poweruser role (kind of administration role which allows him to pull reports etc.).
Because of him having this sutdent role he no longer has the capability to see reports etc; He just has the students capabilities in the course.