Note that, if a use has one role which PROHIBIT's a capability, that that user can never have that capability themselves.
An example of why you need to be able to assign a role that has a capability you don't have:
- Student has mod/quiz:attempt.
- Teacher does not have mod/quiz:attempt (but does have mod/quiz:preview).
- Teacher needs to be able to assign Student.
There is control of which roles can assign which other roles built into the roles system. When you go to the define roles page, look at the tabs across the top.