WordPress roles answer “what can this account do across WordPress,” membership levels answer “which commercial plan and lifecycle state does this customer currently have,” and feature entitlements answer “which specific capability or limit is available.” Use subscription or purchase records as commercial truth, explicit entitlements for fine-grained access, and least-privilege roles only where WordPress or another plugin needs them.
Confusing these three layers creates stale access, dangerous customer privileges, and role names such as pro_annual_analytics_10_seats. Separating them creates a system that billing, product, security, and support teams can reason about.
Key takeaways
- A WordPress role is a bundle of site capabilities, not a payment ledger.
- A membership level is a commercial state derived from the qualifying product and subscription lifecycle.
- A feature entitlement is a granular flag, value, or limit such as exports enabled or 10 seats.
- ArraySubs can map qualifying subscriptions to roles for interoperability and apply lifecycle-specific removal behavior.
- ArraySubs Pro feature definitions support toggle, numeric, and text values with
sum,max, oranyaggregation behavior.
The three models in one table
| Question | WordPress role | Membership level | Feature entitlement |
|---|---|---|---|
| Primary purpose | site-wide capabilities and plugin interoperability | commercial plan and lifecycle | fine-grained product capability or value |
| Source of truth | WordPress user-role assignment | subscription/purchase record and current state | feature definition plus qualifying product/variation |
| Typical duration | persistent until changed | tied to access/billing lifecycle | recomputed from qualifying ownership/state |
| Example | forum recognizes pro_member | Pro Annual is active through its access period | analytics on; 10 seats; priority support |
| Main risk | privilege escalation or stale role | billing/access drift | unclear aggregation or usage semantics |
| Best authorization use | capability check where WordPress/plugin expects it | plan-level policy and lifecycle decisions | specific feature or limit check |

What is a WordPress role?
A WordPress role is a named collection of capabilities assigned to a user. administrator, editor, shop_manager, and customer are familiar examples, but authorization code should check capabilities rather than trusting a role's display label. WordPress explains this model in Roles and Capabilities and its Plugin Handbook.
Roles are useful when:
- a forum plugin recognizes a custom
pro_memberrole; - an editorial user needs a controlled capability bundle;
- another integration can consume only a WordPress role;
- a persistent community identity is useful independently of billing.
Roles are risky when used as the only proof of paid status. A role does not inherently contain the subscription ID, product, renewal date, grace policy, plan-switch history, or reason it was granted. Manual assignments and multiple plugins can also create unclear ownership.
Never give a customer an administrative role as a plan benefit
Do not grant administrator or shop_manager to expose a member feature. Those roles include powerful back-office capabilities. Use a custom least-privilege adapter role or, better, check a specific current entitlement.
The principle follows both WordPress capability guidance and OWASP's least-privilege recommendation (OWASP Authorization Cheat Sheet). A plan called “Admin” is a marketing label; it must not silently become the WordPress Administrator role.
What is a membership level?
A membership level is the business meaning of a customer's qualifying ownership and current lifecycle state. Examples include Standard Monthly, Pro Annual, Agency, Lifetime, or Course Cohort.
Its inputs normally include:
- subscription product or variation;
- active, trial, pending, on-hold, cancelled, or expired state;
- start, renewal, cancellation, and end dates;
- plan switches and scheduled changes;
- overlapping subscriptions or purchases;
- grace and recovery policy.
WordPress does not provide this commercial concept natively. A membership system resolves it from records and policy. The level can then authorize content, catalog visibility, pricing, downloads, and other member experiences.
The safest source is the subscription/purchase record—not a copied role that might have become stale.
What is a feature entitlement?
A feature entitlement is a named right or value available to a qualifying customer. Common types are:
- toggle: premium reports enabled or disabled;
- number: 10 team seats or 100 exports;
- text: support tier
priorityor regionEU; - derived value: the maximum storage allowance among qualifying products.

Entitlements prevent “role explosion.” Instead of creating a role for every plan-feature combination, define stable feature keys such as analytics, team_seats, and support_tier, then resolve their values from qualifying products.
A numeric entitlement is not automatically usage metering. “10 exports” may describe an allowed limit, but a separate reliable counter is needed to record consumption, reset windows, handle concurrency, and prevent overspend.
Why does one role per plan break down?
Suppose a business has three plans, monthly and annual billing, two regions, an optional analytics add-on, and a community benefit. Encoding every combination as a role can produce dozens of names even though the underlying decisions are only plan, region, analytics, and community access.
The role model then accumulates avoidable questions:
- Does
pro_annual_euoutrankstandard_monthly_euwhen both remain assigned? - Is analytics implied by the role name or checked separately?
- Which role represents a customer during downgrade-at-renewal?
- Who removes the old role after a manual purchase or refund?
- What happens when a forum plugin and the billing plugin both manage
pro_member?
Adding more roles does not answer those questions; it hides product attributes inside labels. A layered model represents each fact once, resolves conflicts deliberately, and emits only the small compatibility role set that external WordPress components require.
Role count alone is not the problem. The problem is using a persistent, multi-owner capability bundle as a compressed record of price, term, lifecycle, geography, and product packaging.
Recommended architecture: commercial truth first
Use this direction of data flow:
subscription and purchase records
→ resolved membership level and feature entitlements
→ optional least-privilege WordPress role adapters

Do not reverse it by treating the role as the billing source of truth. Roles should be outputs when another WordPress component needs them.
Worked example: Pro community plus analytics
- Source record: active Pro subscription.
- Membership level: Pro.
- Entitlements: analytics
true, team seats10, support tierpriority. - Role adapter: grant
pro_memberbecause the forum plugin recognizes it. - Security rule: never grant
shop_managermerely to expose reports.
If the subscription moves on hold, business policy determines whether access pauses immediately or continues through a recovery window. The resolver updates level and entitlements; role mapping follows the configured lifecycle behavior.
How current ArraySubs role mapping behaves
The current ArraySubs Role Manager synchronizes roles from membership conditions and subscription lifecycle events. A rule can grant or remove configured roles, specify what happens on pending/on-hold states, and apply a fallback role.

Verified behavior in ArraySubs 1.8.11 includes:
- active/trial subscriptions can grant roles through rule conditions;
- on-hold and pending behavior can keep or remove the mapped role;
- cancelled/expired transitions remove mapping-owned roles when appropriate;
- another active subscription granting the same role prevents accidental removal;
- a fallback role can be added if the user would otherwise have none;
- plan switches trigger resynchronization.
That overlapping-subscription behavior matters. If Course A and Course B both grant student, cancelling Course A must not remove student while Course B still qualifies.
Document who owns each role. A support agent's manual role, a community plugin's role, and an ArraySubs-mapped role may look identical in wp_usermeta but have different intended lifecycles. Automated removal without provenance can create support incidents.
How ArraySubs Pro feature entitlements work
The current ArraySubs Pro Feature Manager defines toggle, number, and text values on products or variations. The access evaluator can aggregate qualifying values using behaviors represented by sum, max, or any.

Examples:
team_seatswith sum: two qualifying products granting 5 and 10 may resolve to 15.storage_gbwith max: 20 GB and 100 GB may resolve to 100, not 120.analytics_enabledwith any: one qualifying true value is enough.
The evaluator can consider active/trial subscriptions and purchased product IDs. Do not say feature entitlements are inherently subscription-only. Define each feature's commercial source, lifecycle, default, type, and aggregation rule.
Feature definitions are a Pro capability. Core ArraySubs can consume the feature-value condition when that Pro system is available; do not represent Feature Manager as part of the free core feature set.
How should an entitlement dictionary be designed?
Treat feature keys as a public contract between product packaging, access rules, application code, support, and reporting. Give every key a definition before attaching values to products.
| Dictionary field | Example | Decision to document |
|---|---|---|
| Stable key | team_seats | machine identifier; avoid plan names and display copy |
| Meaning | concurrent team-member allowance | what the value authorizes and what it does not |
| Type | number | toggle, number, or controlled text |
| Default | 0 | safe result when no source qualifies |
| Sources | Pro monthly, Pro annual, seat add-on | every product/variation that can contribute |
| Aggregation | sum | whether multiple sources add, choose a maximum, or satisfy any |
| Lifecycle | active and trial; recovery policy documented | which states contribute and when they stop |
| Consumer | team invitation service | every gate, API, UI, or remote integration that reads it |
| Migration owner | product operations | who reviews renames, deletions, and value changes |
Use sum only when separate purchases genuinely stack. Seat packs may add; independent subscriptions that duplicate the same base allowance may not. Use max when the strongest qualifying plan should win without double-counting. Use any for a boolean-style right where one qualifying source is sufficient. For text values, define allowed values and precedence rather than assuming arbitrary strings form a meaningful hierarchy.
Keep entitlement, usage, and availability distinct. An entitlement might allow 10 exports; usage says 7 have been consumed; availability resolves to 3 only after a counter, reset window, concurrency policy, and correction process exist. Likewise, storage_gb = 100 does not provision storage or delete excess data when the value falls. The consuming system must safely implement the transition.
Renaming a feature key is a schema migration. Inventory every product value, rule, code check, report, and support playbook that consumes it. Write the new key, migrate producers and consumers, test accounts with overlapping sources, and remove the old key only after a readback proves it is unused.
How should support trace an access decision?
A useful diagnostic follows the data flow instead of editing the final role:
- identify the customer and all current subscriptions/purchases;
- confirm product, variation, lifecycle state, and effective dates;
- resolve the commercial membership level;
- list each feature source and its aggregation result;
- list role adapters, their owners, and their last synchronization event;
- evaluate the exact rule for the denied resource;
- check cache and any remote consumer after the source result is correct.
The diagnostic should distinguish “source does not qualify,” “policy resolved no access,” “derived role is stale,” and “downstream surface served stale data.” Those failures need different fixes. Manually adding a role may restore one screen while leaving the actual lifecycle, feature, or cache defect unresolved.
Record the correction at the owning layer and re-run the same trace. Support can then explain the decision to the customer and engineering can see whether the issue belongs to commerce data, entitlement policy, role synchronization, or delivery.
When should each layer make the access decision?
Use a WordPress capability or role when
- the action is administrative or site-wide;
- WordPress core or another plugin expects a capability/role;
- the identity should persist independently of a subscription;
- a narrow custom role is the cleanest interoperability contract.
Use membership level when
- the decision is “may this current plan access this resource?”;
- lifecycle, grace, renewal, switching, or expiration matters;
- support must trace the decision to a subscription or purchase;
- catalog, content, download, or pricing policy is plan-level.
Use a feature entitlement when
- plans share some features but differ on others;
- the decision is a particular capability or numeric/text value;
- variations change the limit;
- multiple qualifying products must aggregate predictably.
NIST's RBAC and ABAC material provides useful conceptual grounding for role- and attribute-based decisions (RBAC, SP 800-162). This architecture is not a claim of NIST certification; it simply applies the separation of policy inputs and authorization decisions.
Migration from one role per plan
Use this sequence:
- Inventory every role, capability, owner, grant path, removal path, and consuming plugin.
- Classify each use as administration, interoperability, membership level, or feature entitlement.
- Move billing truth to product/variation plus subscription lifecycle.
- Define feature keys, types, defaults, qualifying products, and
sum/max/anybehavior. - Retain only necessary least-privilege member roles.
- Configure on-hold, pending, cancellation, expiration, and fallback behavior.
- Reconcile existing stale roles before enabling automatic removal.
- Test plan switches, overlapping subscriptions, manual roles, and third-party grants.
- Give support a diagnostic view from source record to derived outputs.

Do not perform a big-bang role cleanup without a mapping table and rollback path. A seemingly unused role may still drive a community, LMS, form, or custom integration.
Governance and security checklist
- Customer plans never grant Administrator or Shop Manager.
- Access checks use capabilities or current membership/entitlement evaluation, not a label alone.
- Every custom role has a documented owner and minimal capabilities.
- On-hold and pending behavior is an explicit business decision.
- Cancel-at-period-end and immediate cancellation are distinguished.
- Overlapping subscriptions granting the same role are tested.
- Manual or third-party role assignments are not silently removed.
- Feature key, type, default, aggregation, and source products are documented.
- Missing or disabled features fail safely.
- Numeric entitlement and actual usage counter are not confused.
- Support can trace the level, entitlement, and role to source records.
- Access changes invalidate or vary relevant caches.
For complex grouped policies, use AND/OR Membership Access Rules and the combined-conditions recipe.
When a layered model may be unnecessary
A tiny site with one plan, one gated resource, and no third-party integration may need only a direct active-subscription condition. Do not create an entitlement catalog merely for architectural purity. Add layers when multiple plans, products, limits, integrations, or lifecycle rules make the added clarity valuable.
Conversely, a complex SaaS application with high-volume metering, tenant isolation, policy-as-code, or regulated authorization may require a dedicated entitlement service. WordPress roles and a commerce plugin are not automatically the complete identity plane.
Final recommendation
Keep the source of truth closest to the fact: subscription records for commercial lifecycle, entitlement definitions for specific capabilities, and WordPress roles for site capabilities and interoperability. Map outward from current commerce state, grant least privilege, and test every lifecycle transition plus overlapping ownership.
After mapping the architecture, review ArraySubs Pro pricing and the member-experience feature set.
Frequently asked questions
Is a WordPress role the same as a membership level?
No. A role is a WordPress capability bundle. A membership level is commercial/access state derived from a qualifying product and lifecycle.
Should every subscription plan have a custom role?
Only when a consuming plugin needs that adapter. Use direct level or entitlement checks when possible to avoid stale roles and unnecessary combinations.
Can an ArraySubs role remain during payment recovery?
Current role mappings can configure on-hold/pending behavior as keep or remove. Match that setting to the documented grace and recovery policy.
What is the difference between an entitlement and usage?
An entitlement states what is allowed, such as 10 exports. Usage records how much has been consumed. Reliable metering requires separate counters and concurrency rules.
What happens when two subscriptions grant the same role?
The current ArraySubs Role Manager checks for another active qualifying subscription before removing the role. Test the exact overlapping products and lifecycle transitions in your environment.
Are feature entitlements included in ArraySubs core?
The inspected feature-definition system is in ArraySubs Pro. Label Pro-dependent feature-value rules accordingly.
Author, technical review, and verification environment
Author: Emran, ArrayHash — product and editorial work across WooCommerce subscriptions, membership architecture, and access policy.
Technical reviewer: ArraySubs Engineering Team — review scope includes WordPress capabilities, role ownership, lifecycle mapping, overlapping subscriptions, and Pro feature aggregation.
Verification environment: Source and read-only live UI review of ArraySubs 1.8.11 and ArraySubs Pro 1.1.2 on July 16, 2026. No role mapping, feature value, subscription, or user was changed.
Disclosure, limitations, and update log
- Commercial disclosure: ArraySubs is an ArrayHash product. Examples are architectural illustrations, not universal security prescriptions.
- Limitations: Third-party role ownership, custom capabilities, cache layers, plan models, and entitlement semantics vary. Review high-privilege decisions independently.
- July 16, 2026: First publication. Verified definitions, core role lifecycle behavior, overlapping-subscription guard, Pro feature types/aggregation, migration, and governance guidance.
Continue from strategy to setup
Use a recipe when the model is settled
These articles own the decision and operating model. The ArraySubs feature map and recipes cover the exact product, billing, and customer-workflow configuration.
Written by
Emran // ArrayHash
Research and practical guidance for WooCommerce subscription operators and implementation teams.
Technical review
ArraySubs Engineering Team
Reviewed against current ArraySubs code, product documentation, and the linked primary platform sources.




