At first glance, the WordPress roles and capabilities system is simple. Users have roles, roles have capabilities, and plugins can make simple changes to them. Done, right? Not quite: You’ve been doing it the hard way. A deeper look inside the API reveals a surprising amount of flexibility, including the single most powerful (and dangerous) filter in WordPress. In this talk, you’ll learn how capabilities are “mapped” to other capabilities, and what the difference between primitive and meta capabilities means for your plugins and custom post types. We’ll explore the true hidden powers of the API, like using capability mapping to selectively grant and revoke privileges on the fly, making complex user management more maintainable.