Privileges is an open source tool from SAP which helps folks manage admin rights for their account. As part of its feature set, it includes an option for time-limited admin using a specific function called Toggle privileges.
However, Toggle privileges’s time-limited admin feature for Privileges is its most misunderstood feature. The reason is that while the ability to set a time limit is only available if you’re using the Toggle privileges function, many users assume that this time-limited admin is available universally to all the functions used to get admin rights using the Privileges app.
It is not. Time limited admin is only available using the Toggle privileges function. If you’re not using the Toggle privileges function, there is no time limitation and you cannot set one from within the Privileges app.
This information is available in the Privileges FAQ:
- Question: By default, is there a time limit on the admin rights granted by Privileges?
- Answer: No. Admin rights are granted until some process (like running Privileges again) takes them away.
- Question: Can I set Privileges to give me administrator rights for a defined amount of time?
- Answer: Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default amount is 20 minutes.)
What does this mean?
- The only way time-limited admin is currently working on Privileges is by using the Toggle privileges function.
- If you are clicking on the icon in the dock and not selecting the Toggle privileges function, there’s no time limit.
- If you’re using the PrivilegesCLI command line tool, there is no time limit.
How long do you have admin if you’re not using the Toggle privileges function? Admin rights are granted until some process (like running Privileges again) takes them away. There’s no time limit.
All of the Privileges management options available for time-limited admin at this time apply only to the Toggle privileges function. If you’re using any of the management settings options listed below, they apply only and exclusively to the Toggle privileges function:
- DockToggleTimeout
- DockToggleMaxTimeout
They will not manage time-limited admin for any of Privileges’ functions outside of using the Toggle privileges function.
What if you want time-limited admin outside of using the Toggle privileges function? You will need to use a separate mechanism. In my case, I usually point folks towards using PrivilegesDemoter:
https://github.com/sgmills/PrivilegesDemoter
This tool uses a separate mechanism for figuring out the timing and then uses the PrivilegesCLI command line tool to take away admin when the time limit set for PrivilegesDemoter expires.