Skip to content

WordPress Roles vs Membership Levels vs Feature Entitlements

Keep commercial truth in subscription or purchase records, define granular entitlements, and emit least-privilege roles only for interoperability.

Emran // ArrayHash17 min read

WordPress roles answer “what can this account do across WordPress,” membership levels answer “which commercial plan and lifecycle state does this customer currently have,” and feature entitlements answer “which specific capability or limit is available.” Use subscription or purchase records as commercial truth, explicit entitlements for fine-grained access, and least-privilege roles only where WordPress or another plugin needs them.

Confusing these three layers creates stale access, dangerous customer privileges, and role names such as pro_annual_analytics_10_seats. Separating them creates a system that billing, product, security, and support teams can reason about.

Key takeaways

  • A WordPress role is a bundle of site capabilities, not a payment ledger.
  • A membership level is a commercial state derived from the qualifying product and subscription lifecycle.
  • A feature entitlement is a granular flag, value, or limit such as exports enabled or 10 seats.
  • ArraySubs can map qualifying subscriptions to roles for interoperability and apply lifecycle-specific removal behavior.
  • ArraySubs Pro feature definitions support toggle, numeric, and text values with sum, max, or any aggregation behavior.

The three models in one table

QuestionWordPress roleMembership levelFeature entitlement
Primary purposesite-wide capabilities and plugin interoperabilitycommercial plan and lifecyclefine-grained product capability or value
Source of truthWordPress user-role assignmentsubscription/purchase record and current statefeature definition plus qualifying product/variation
Typical durationpersistent until changedtied to access/billing lifecyclerecomputed from qualifying ownership/state
Exampleforum recognizes pro_memberPro Annual is active through its access periodanalytics on; 10 seats; priority support
Main riskprivilege escalation or stale rolebilling/access driftunclear aggregation or usage semantics
Best authorization usecapability check where WordPress/plugin expects itplan-level policy and lifecycle decisionsspecific feature or limit check

A venue scene distinguishes a staff badge for WordPress capability, a paid ticket for membership level, and wristbands for individual entitlements.

What is a WordPress role?

A WordPress role is a named collection of capabilities assigned to a user. administrator, editor, shop_manager, and customer are familiar examples, but authorization code should check capabilities rather than trusting a role's display label. WordPress explains this model in Roles and Capabilities and its Plugin Handbook.

Roles are useful when:

  • a forum plugin recognizes a custom pro_member role;
  • an editorial user needs a controlled capability bundle;
  • another integration can consume only a WordPress role;
  • a persistent community identity is useful independently of billing.

Roles are risky when used as the only proof of paid status. A role does not inherently contain the subscription ID, product, renewal date, grace policy, plan-switch history, or reason it was granted. Manual assignments and multiple plugins can also create unclear ownership.

Never give a customer an administrative role as a plan benefit

Do not grant administrator or shop_manager to expose a member feature. Those roles include powerful back-office capabilities. Use a custom least-privilege adapter role or, better, check a specific current entitlement.

The principle follows both WordPress capability guidance and OWASP's least-privilege recommendation (OWASP Authorization Cheat Sheet). A plan called “Admin” is a marketing label; it must not silently become the WordPress Administrator role.

What is a membership level?

A membership level is the business meaning of a customer's qualifying ownership and current lifecycle state. Examples include Standard Monthly, Pro Annual, Agency, Lifetime, or Course Cohort.

Its inputs normally include:

  • subscription product or variation;
  • active, trial, pending, on-hold, cancelled, or expired state;
  • start, renewal, cancellation, and end dates;
  • plan switches and scheduled changes;
  • overlapping subscriptions or purchases;
  • grace and recovery policy.

WordPress does not provide this commercial concept natively. A membership system resolves it from records and policy. The level can then authorize content, catalog visibility, pricing, downloads, and other member experiences.

The safest source is the subscription/purchase record—not a copied role that might have become stale.

What is a feature entitlement?

A feature entitlement is a named right or value available to a qualifying customer. Common types are:

  • toggle: premium reports enabled or disabled;
  • number: 10 team seats or 100 exports;
  • text: support tier priority or region EU;
  • derived value: the maximum storage allowance among qualifying products.

Three separate drawers hold account permissions, the commercial plan, and feature entitlements instead of mixing them in one role.

Entitlements prevent “role explosion.” Instead of creating a role for every plan-feature combination, define stable feature keys such as analytics, team_seats, and support_tier, then resolve their values from qualifying products.

A numeric entitlement is not automatically usage metering. “10 exports” may describe an allowed limit, but a separate reliable counter is needed to record consumption, reset windows, handle concurrency, and prevent overspend.

Why does one role per plan break down?

Suppose a business has three plans, monthly and annual billing, two regions, an optional analytics add-on, and a community benefit. Encoding every combination as a role can produce dozens of names even though the underlying decisions are only plan, region, analytics, and community access.

The role model then accumulates avoidable questions:

  • Does pro_annual_eu outrank standard_monthly_eu when both remain assigned?
  • Is analytics implied by the role name or checked separately?
  • Which role represents a customer during downgrade-at-renewal?
  • Who removes the old role after a manual purchase or refund?
  • What happens when a forum plugin and the billing plugin both manage pro_member?

Adding more roles does not answer those questions; it hides product attributes inside labels. A layered model represents each fact once, resolves conflicts deliberately, and emits only the small compatibility role set that external WordPress components require.

Role count alone is not the problem. The problem is using a persistent, multi-owner capability bundle as a compressed record of price, term, lifecycle, geography, and product packaging.

Use this direction of data flow:

subscription and purchase records
→ resolved membership level and feature entitlements
→ optional least-privilege WordPress role adapters

An architectural layer illustration places subscriptions at the source, entitlements in the middle, and optional role adapters at the edge.

Do not reverse it by treating the role as the billing source of truth. Roles should be outputs when another WordPress component needs them.

Worked example: Pro community plus analytics

  • Source record: active Pro subscription.
  • Membership level: Pro.
  • Entitlements: analytics true, team seats 10, support tier priority.
  • Role adapter: grant pro_member because the forum plugin recognizes it.
  • Security rule: never grant shop_manager merely to expose reports.

If the subscription moves on hold, business policy determines whether access pauses immediately or continues through a recovery window. The resolver updates level and entitlements; role mapping follows the configured lifecycle behavior.

How current ArraySubs role mapping behaves

The current ArraySubs Role Manager synchronizes roles from membership conditions and subscription lifecycle events. A rule can grant or remove configured roles, specify what happens on pending/on-hold states, and apply a fallback role.

The annotated live role-mapping rule shows the qualifying subscription, granted role, on-hold policy, and fallback role.

Verified behavior in ArraySubs 1.8.11 includes:

  • active/trial subscriptions can grant roles through rule conditions;
  • on-hold and pending behavior can keep or remove the mapped role;
  • cancelled/expired transitions remove mapping-owned roles when appropriate;
  • another active subscription granting the same role prevents accidental removal;
  • a fallback role can be added if the user would otherwise have none;
  • plan switches trigger resynchronization.

That overlapping-subscription behavior matters. If Course A and Course B both grant student, cancelling Course A must not remove student while Course B still qualifies.

Document who owns each role. A support agent's manual role, a community plugin's role, and an ArraySubs-mapped role may look identical in wp_usermeta but have different intended lifecycles. Automated removal without provenance can create support incidents.

How ArraySubs Pro feature entitlements work

The current ArraySubs Pro Feature Manager defines toggle, number, and text values on products or variations. The access evaluator can aggregate qualifying values using behaviors represented by sum, max, or any.

The annotated Product Feature Manager separates feature identity, value type, source product, and aggregation behavior.

Examples:

  • team_seats with sum: two qualifying products granting 5 and 10 may resolve to 15.
  • storage_gb with max: 20 GB and 100 GB may resolve to 100, not 120.
  • analytics_enabled with any: one qualifying true value is enough.

The evaluator can consider active/trial subscriptions and purchased product IDs. Do not say feature entitlements are inherently subscription-only. Define each feature's commercial source, lifecycle, default, type, and aggregation rule.

Feature definitions are a Pro capability. Core ArraySubs can consume the feature-value condition when that Pro system is available; do not represent Feature Manager as part of the free core feature set.

How should an entitlement dictionary be designed?

Treat feature keys as a public contract between product packaging, access rules, application code, support, and reporting. Give every key a definition before attaching values to products.

Dictionary fieldExampleDecision to document
Stable keyteam_seatsmachine identifier; avoid plan names and display copy
Meaningconcurrent team-member allowancewhat the value authorizes and what it does not
Typenumbertoggle, number, or controlled text
Default0safe result when no source qualifies
SourcesPro monthly, Pro annual, seat add-onevery product/variation that can contribute
Aggregationsumwhether multiple sources add, choose a maximum, or satisfy any
Lifecycleactive and trial; recovery policy documentedwhich states contribute and when they stop
Consumerteam invitation serviceevery gate, API, UI, or remote integration that reads it
Migration ownerproduct operationswho reviews renames, deletions, and value changes

Use sum only when separate purchases genuinely stack. Seat packs may add; independent subscriptions that duplicate the same base allowance may not. Use max when the strongest qualifying plan should win without double-counting. Use any for a boolean-style right where one qualifying source is sufficient. For text values, define allowed values and precedence rather than assuming arbitrary strings form a meaningful hierarchy.

Keep entitlement, usage, and availability distinct. An entitlement might allow 10 exports; usage says 7 have been consumed; availability resolves to 3 only after a counter, reset window, concurrency policy, and correction process exist. Likewise, storage_gb = 100 does not provision storage or delete excess data when the value falls. The consuming system must safely implement the transition.

Renaming a feature key is a schema migration. Inventory every product value, rule, code check, report, and support playbook that consumes it. Write the new key, migrate producers and consumers, test accounts with overlapping sources, and remove the old key only after a readback proves it is unused.

How should support trace an access decision?

A useful diagnostic follows the data flow instead of editing the final role:

  1. identify the customer and all current subscriptions/purchases;
  2. confirm product, variation, lifecycle state, and effective dates;
  3. resolve the commercial membership level;
  4. list each feature source and its aggregation result;
  5. list role adapters, their owners, and their last synchronization event;
  6. evaluate the exact rule for the denied resource;
  7. check cache and any remote consumer after the source result is correct.

The diagnostic should distinguish “source does not qualify,” “policy resolved no access,” “derived role is stale,” and “downstream surface served stale data.” Those failures need different fixes. Manually adding a role may restore one screen while leaving the actual lifecycle, feature, or cache defect unresolved.

Record the correction at the owning layer and re-run the same trace. Support can then explain the decision to the customer and engineering can see whether the issue belongs to commerce data, entitlement policy, role synchronization, or delivery.

When should each layer make the access decision?

Use a WordPress capability or role when

  • the action is administrative or site-wide;
  • WordPress core or another plugin expects a capability/role;
  • the identity should persist independently of a subscription;
  • a narrow custom role is the cleanest interoperability contract.

Use membership level when

  • the decision is “may this current plan access this resource?”;
  • lifecycle, grace, renewal, switching, or expiration matters;
  • support must trace the decision to a subscription or purchase;
  • catalog, content, download, or pricing policy is plan-level.

Use a feature entitlement when

  • plans share some features but differ on others;
  • the decision is a particular capability or numeric/text value;
  • variations change the limit;
  • multiple qualifying products must aggregate predictably.

NIST's RBAC and ABAC material provides useful conceptual grounding for role- and attribute-based decisions (RBAC, SP 800-162). This architecture is not a claim of NIST certification; it simply applies the separation of policy inputs and authorization decisions.

Migration from one role per plan

Use this sequence:

  1. Inventory every role, capability, owner, grant path, removal path, and consuming plugin.
  2. Classify each use as administration, interoperability, membership level, or feature entitlement.
  3. Move billing truth to product/variation plus subscription lifecycle.
  4. Define feature keys, types, defaults, qualifying products, and sum/max/any behavior.
  5. Retain only necessary least-privilege member roles.
  6. Configure on-hold, pending, cancellation, expiration, and fallback behavior.
  7. Reconcile existing stale roles before enabling automatic removal.
  8. Test plan switches, overlapping subscriptions, manual roles, and third-party grants.
  9. Give support a diagnostic view from source record to derived outputs.

Standard and Pro product cards carry explicit feature chips, while only a forum connector emits a WordPress role.

Do not perform a big-bang role cleanup without a mapping table and rollback path. A seemingly unused role may still drive a community, LMS, form, or custom integration.

Governance and security checklist

  • Customer plans never grant Administrator or Shop Manager.
  • Access checks use capabilities or current membership/entitlement evaluation, not a label alone.
  • Every custom role has a documented owner and minimal capabilities.
  • On-hold and pending behavior is an explicit business decision.
  • Cancel-at-period-end and immediate cancellation are distinguished.
  • Overlapping subscriptions granting the same role are tested.
  • Manual or third-party role assignments are not silently removed.
  • Feature key, type, default, aggregation, and source products are documented.
  • Missing or disabled features fail safely.
  • Numeric entitlement and actual usage counter are not confused.
  • Support can trace the level, entitlement, and role to source records.
  • Access changes invalidate or vary relevant caches.

For complex grouped policies, use AND/OR Membership Access Rules and the combined-conditions recipe.

When a layered model may be unnecessary

A tiny site with one plan, one gated resource, and no third-party integration may need only a direct active-subscription condition. Do not create an entitlement catalog merely for architectural purity. Add layers when multiple plans, products, limits, integrations, or lifecycle rules make the added clarity valuable.

Conversely, a complex SaaS application with high-volume metering, tenant isolation, policy-as-code, or regulated authorization may require a dedicated entitlement service. WordPress roles and a commerce plugin are not automatically the complete identity plane.

Final recommendation

Keep the source of truth closest to the fact: subscription records for commercial lifecycle, entitlement definitions for specific capabilities, and WordPress roles for site capabilities and interoperability. Map outward from current commerce state, grant least privilege, and test every lifecycle transition plus overlapping ownership.

After mapping the architecture, review ArraySubs Pro pricing and the member-experience feature set.

Frequently asked questions

Is a WordPress role the same as a membership level?

No. A role is a WordPress capability bundle. A membership level is commercial/access state derived from a qualifying product and lifecycle.

Should every subscription plan have a custom role?

Only when a consuming plugin needs that adapter. Use direct level or entitlement checks when possible to avoid stale roles and unnecessary combinations.

Can an ArraySubs role remain during payment recovery?

Current role mappings can configure on-hold/pending behavior as keep or remove. Match that setting to the documented grace and recovery policy.

What is the difference between an entitlement and usage?

An entitlement states what is allowed, such as 10 exports. Usage records how much has been consumed. Reliable metering requires separate counters and concurrency rules.

What happens when two subscriptions grant the same role?

The current ArraySubs Role Manager checks for another active qualifying subscription before removing the role. Test the exact overlapping products and lifecycle transitions in your environment.

Are feature entitlements included in ArraySubs core?

The inspected feature-definition system is in ArraySubs Pro. Label Pro-dependent feature-value rules accordingly.

Author, technical review, and verification environment

Author: Emran, ArrayHash — product and editorial work across WooCommerce subscriptions, membership architecture, and access policy.

Technical reviewer: ArraySubs Engineering Team — review scope includes WordPress capabilities, role ownership, lifecycle mapping, overlapping subscriptions, and Pro feature aggregation.

Verification environment: Source and read-only live UI review of ArraySubs 1.8.11 and ArraySubs Pro 1.1.2 on July 16, 2026. No role mapping, feature value, subscription, or user was changed.

Disclosure, limitations, and update log

  • Commercial disclosure: ArraySubs is an ArrayHash product. Examples are architectural illustrations, not universal security prescriptions.
  • Limitations: Third-party role ownership, custom capabilities, cache layers, plan models, and entitlement semantics vary. Review high-privilege decisions independently.
  • July 16, 2026: First publication. Verified definitions, core role lifecycle behavior, overlapping-subscription guard, Pro feature types/aggregation, migration, and governance guidance.

Continue from strategy to setup

Use a recipe when the model is settled

These articles own the decision and operating model. The ArraySubs feature map and recipes cover the exact product, billing, and customer-workflow configuration.

Written by

Emran // ArrayHash

Research and practical guidance for WooCommerce subscription operators and implementation teams.

Technical review

ArraySubs Engineering Team

Reviewed against current ArraySubs code, product documentation, and the linked primary platform sources.

From plan to working store

Build the subscription system you just mapped

Start with the free ArraySubs core, then add Pro automation when the store needs supported automatic gateways and deeper operations.

No credit card required · Keep the same subscription records as you grow