Lightweight WordPress access-control plugin and governance example for partner-based multi-tenant environments.
RBAC-Lite demonstrates practical RBAC/IAM concepts in a WordPress context: users can be assigned to partner organizations, non-admin users are restricted to their own partner context, and access-management events can be recorded for auditability.
The repository also demonstrates how access-control-related changes can be governed through Gatehouse-style quality gates: risk classification, approvals, rollback planning, validation and audit evidence.
Concept note: RBAC-Lite is an intentionally lightweight reference implementation seed and governance example, not the final enterprise implementation. For the intended use as a concept scaffold / AI-assisted handoff artifact, see docs/CONCEPT_NOTE.md.
| Area | Evidence |
|---|---|
| RBAC / IAM thinking | Partner-based access context and user assignment |
| Tenant / partner isolation | Non-admin users are scoped to their own partner context |
| Auditability | Audit logging model for login and partner-change events |
| WordPress operations | Single-plugin architecture using WordPress hooks and user meta |
| Local Docker validation | WordPress + MariaDB Docker Compose environment for local testing |
| Change governance | Gatehouse compliance example and CI validation workflow |
| DevSecOps documentation | Risk class, approvals, rollback and evidence reporting |
```text
sadepois-core/
└── sadepois-core.php            # Main WordPress plugin file
dev-environment/
├── docker-compose.yml           # Local WordPress + MariaDB runtime
├── .env.example                 # Local-only placeholder environment values
├── README.md                    # Local validation workflow
├── DOCKER_DESKTOP.md            # Docker Desktop / Docker manager workflow
└── scripts/
    └── reset-local.sh           # Local test environment reset script
.github/workflows/
└── compliance-check.yml         # Gatehouse compliance validation workflow
examples/
└── rbac-lite-partner-isolation-change.md
docs/
├── CONCEPT_NOTE.md
├── DEVELOPER_GUIDE.md
├── RBAC_LITE_GATEHOUSE_COMPLETION_REPORT.md
└── TECHNICAL_ARCHITECTURE.md
validation/
├── pre-merge-checks/            # Legacy validator
└── pre_merge_checks/            # Modular validator / CLI
```
Note: the plugin directory is currently `sadepois-core/` and the main plugin file is `sadepois-core/sadepois-core.php`. Some internal class/function names still use the original `SadePois_Core` naming for compatibility with the earlier project history.
RBAC-Lite Core provides a lightweight access-control baseline for partner, reseller, franchise or subsidiary-style environments.
Core concepts:
- Partner-based user assignment through WordPress user meta
- User-list filtering for non-admin users
- Admin bypass for controlled management access
- Fail-safe (deny-by-default) behavior for users with no partner assigned
- Audit logging for access-management events
- NDA / terms enforcement concept
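To make the scoping, admin-bypass and fail-safe concepts above concrete, here is an added example written for this page; it is not the plugin's own code (which keeps the `SadePois_Core` naming). It hooks `pre_get_users` to scope every `WP_User_Query` to the current user's partner, and adds a `map_meta_cap` filter so the boundary is enforced on edit/delete/promote actions as well, not only on what the user list displays. The meta key `rbac_lite_partner` and the `rbac_lite_*` function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. The meta key and the function
// prefix are hypothetical; the real plugin keeps the SadePois_Core naming.
const RBAC_LITE_PARTNER_META = 'rbac_lite_partner';

/** Partner identifier stored in user meta, or '' when none is assigned. */
function rbac_lite_get_partner( int $user_id ): string {
    $partner = get_user_meta( $user_id, RBAC_LITE_PARTNER_META, true );
    return is_string( $partner ) ? trim( $partner ) : '';
}

/**
 * Scope every WP_User_Query (wp-admin Users screen, REST /wp/v2/users, ...)
 * to the current user's partner. Administrators bypass the restriction.
 */
function rbac_lite_scope_user_query( WP_User_Query $query ): void {
    if ( ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
        return; // anonymous visibility is left to core rules; admins manage all partners
    }

    $uid     = get_current_user_id();
    $partner = rbac_lite_get_partner( $uid );

    // Fail-safe: a user without a partner must not see any other tenant's users.
    if ( '' === $partner ) {
        $query->set( 'include', array( $uid ) );
        return;
    }

    // Merge with an existing meta_query instead of overwriting it, so other
    // constraints already placed on the query are not silently dropped.
    $existing     = $query->get( 'meta_query' );
    $meta_query   = is_array( $existing ) ? $existing : array();
    $meta_query[] = array(
        'key'     => RBAC_LITE_PARTNER_META,
        'value'   => $partner,
        'compare' => '=',
    );
    $query->set( 'meta_query', $meta_query );
}
add_action( 'pre_get_users', 'rbac_lite_scope_user_query' );

/**
 * Enforce the same boundary on actions, not only on listing: deny edit,
 * delete, remove and promote on users outside the actor's partner.
 */
function rbac_lite_map_meta_cap( array $caps, string $cap, int $user_id, array $args ): array {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) ) {
        return $caps; // also stops recursion from the user_can() call below
    }
    if ( user_can( $user_id, 'manage_options' ) ) {
        return $caps; // admin bypass
    }
    $target = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( 0 === $target || $target === $user_id ) {
        return $caps; // own profile (or no target user): core's default rules apply
    }
    $own = rbac_lite_get_partner( $user_id );
    if ( '' === $own || $own !== rbac_lite_get_partner( $target ) ) {
        $caps[] = 'do_not_allow'; // deny across partners, and deny when no partner is set
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'rbac_lite_map_meta_cap', 10, 4 );
```

Filtering the list is presentation, not enforcement: a non-admin with `edit_users` could otherwise open `user-edit.php?user_id=N` for a user in another partner, which is why the capability filter is part of the example. The role-count links on the Users screen come from `count_users()`, which does not go through `WP_User_Query`, so they can still reveal site-wide totals.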
This is a lightweight reference implementation and portfolio example, not a finished enterprise IAM platform.
Copy the plugin directory into WordPress so that the main plugin file is located at:

```text
/wp-content/plugins/sadepois-core/sadepois-core.php
```
Then activate it in WordPress Admin:
Plugins -> Installed Plugins -> RBAC-Lite Core -> Activate
After activation, verify:
- the plugin is active
- partner settings are visible for admin users
- partner assignment can be saved to a user profile
- non-admin users only see users in the same partner context
- audit log entries are created for relevant events
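The audit-logging concept listed above, and the last verification step here, can be implemented with WordPress hooks. The following is an added example, not the plugin's own code: an append-only audit table created on activation, a login event recorded from `wp_login`, and partner changes recorded from the `add_user_meta` / `update_user_meta` actions, which fire before the row is written so the previous value is still readable. The table suffix `rbac_lite_audit`, the meta key `rbac_lite_partner` and the `rbac_lite_*` names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Table suffix and meta key are
// hypothetical. register_activation_hook() must run from the main plugin file.
const RBAC_LITE_PARTNER_META = 'rbac_lite_partner';

function rbac_lite_audit_table(): string {
    global $wpdb;
    return $wpdb->prefix . 'rbac_lite_audit';
}

/** Create the append-only audit table on activation (dbDelta is idempotent). */
function rbac_lite_audit_install(): void {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table = rbac_lite_audit_table();
    dbDelta( "CREATE TABLE {$table} (
  id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  logged_at datetime NOT NULL,
  actor_id bigint(20) unsigned NOT NULL,
  subject_id bigint(20) unsigned NOT NULL,
  event varchar(64) NOT NULL,
  old_value varchar(191) NOT NULL DEFAULT '',
  new_value varchar(191) NOT NULL DEFAULT '',
  remote_addr varchar(45) NOT NULL DEFAULT '',
  PRIMARY KEY  (id),
  KEY subject_event (subject_id,event)
) {$wpdb->get_charset_collate()};" );
}
register_activation_hook( __FILE__, 'rbac_lite_audit_install' );

/** Insert one event. $wpdb->insert() prepares the values; nothing is interpolated into SQL. */
function rbac_lite_audit( string $event, int $subject_id, string $old = '', string $new = '' ): void {
    global $wpdb;
    // Behind a reverse proxy REMOTE_ADDR is the proxy's address; only use a
    // forwarded header if your proxy is known to set it.
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    $wpdb->insert(
        rbac_lite_audit_table(),
        array(
            'logged_at'   => current_time( 'mysql', true ), // UTC
            'actor_id'    => get_current_user_id(),
            'subject_id'  => $subject_id,
            'event'       => $event,
            'old_value'   => $old,
            'new_value'   => $new,
            'remote_addr' => $addr,
        ),
        array( '%s', '%d', '%d', '%s', '%s', '%s', '%s' )
    );
}

// Successful login. The session is not established yet when wp_login fires,
// so actor_id is 0 here; subject_id identifies who logged in.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    rbac_lite_audit( 'login', (int) $user->ID );
}, 10, 2 );

// Partner change. update_user_meta fires before the row is written, so the
// previous value can still be read and stored next to the new one.
add_action( 'update_user_meta', function ( $meta_id, $object_id, $meta_key, $meta_value ): void {
    if ( RBAC_LITE_PARTNER_META !== $meta_key ) {
        return;
    }
    $old = (string) get_user_meta( (int) $object_id, RBAC_LITE_PARTNER_META, true );
    if ( $old !== (string) $meta_value ) {
        rbac_lite_audit( 'partner_change', (int) $object_id, $old, (string) $meta_value );
    }
}, 10, 4 );

// A first assignment has no existing row, so core routes it through add_user_meta.
add_action( 'add_user_meta', function ( $object_id, $meta_key, $meta_value ): void {
    if ( RBAC_LITE_PARTNER_META === $meta_key ) {
        rbac_lite_audit( 'partner_change', (int) $object_id, '', (string) $meta_value );
    }
}, 10, 3 );
```

Writing through `$wpdb->insert()` with explicit format specifiers keeps the event strings out of the SQL text, and a table without an update path gives reviewers an append-only record they can query by subject and event when checking the verification step above.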
A local Docker Compose environment is included for repeatable WordPress + MariaDB validation without production data.
Start the local validation environment from the repository root:
```shell
docker compose -p rbac-lite-local -f dev-environment/docker-compose.yml --env-file dev-environment/.env.example up -d
```

Key local documentation:
- dev-environment/README.md (local validation workflow)
- dev-environment/DOCKER_DESKTOP.md (Docker Desktop / Docker manager workflow)
The local environment is intentionally bound to localhost only and is not a production deployment model.
RBAC-Lite is the access-control use case. Gatehouse is the governance and validation layer.
The related quality-gate workflow validates RBAC-Lite change requests with:
- required change-request sections
- risk classification
- rollback planning
- test plan requirements
- approval count requirements
- CISO / freeze checks for high-risk changes
- audit report generation
Workflow file:
.github/workflows/compliance-check.yml
Default example:
examples/rbac-lite-partner-isolation-change.md
Run the legacy validator:
```shell
python validation/pre-merge-checks/validate-change-request.py examples/rbac-lite-partner-isolation-change.md
```

Run the modular validator:

```shell
PYTHONPATH=. python validation/pre_merge_checks/cli.py examples/rbac-lite-partner-isolation-change.md
```

Expected result:

```text
QUALITY GATE: PASSED
Errors: 0
Warnings: 0
```
- Concept Note
- Developer Guide
- Technical Architecture
- RBAC-Lite + Gatehouse Completion Report
- Local Docker Test Environment
- Docker Desktop / Docker Manager Workflow
RBAC-Lite demonstrates a partner-based access-control use case, while Gatehouse validates the governance side: risk class, approvals, rollback plan and audit evidence.
The goal is not only to show a plugin concept, but to make the related access-control change auditable, reviewable and validatable in CI/CD.
| Area | Status |
|---|---|
| Plugin concept | Implemented as lightweight baseline |
| Local Docker validation environment | Implemented |
| Docker Desktop / Docker manager workflow | Documented |
| Gatehouse validation example | Implemented |
| Compliance workflow | Implemented |
| Legacy validator | Present |
| Modular validator / CLI | Present |
| Enterprise IAM readiness | Not claimed |
GPL-2.0+