Privileges.app and time-limited admin
Privileges is an open source tool from SAP which helps folks manage admin rights for their account. As part of its feature set, it includes an option for time-limited admin using a specific function called Toggle privileges.
However, time-limited admin is Privileges’ most misunderstood feature. The ability to set a time limit is only available if you’re using the Toggle privileges function, but many users assume that time-limited admin applies to every function used to get admin rights with the Privileges app.
It is not. Time-limited admin is only available using the Toggle privileges function. If you’re not using the Toggle privileges function, there is no time limitation and you cannot set one from within the Privileges app.
This information is available in the Privileges FAQ:
- Question: By default, is there a time limit on the admin rights granted by Privileges?
- Answer: No. Admin rights are granted until some process (like running Privileges again) takes them away.
- Question: Can I set Privileges to give me administrator rights for a defined amount of time?
- Answer: Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default amount is 20 minutes.)
What does this mean?
- The only way time-limited admin currently works in Privileges is through the Toggle privileges function.
- If you are clicking on the icon in the dock and not selecting the Toggle privileges function, there’s no time limit.
- If you’re using the PrivilegesCLI command line tool, there is no time limit.
How long do you have admin if you’re not using the Toggle privileges function? Admin rights are granted until some process (like running Privileges again) takes them away. There’s no time limit.
All of the Privileges management options currently available for time-limited admin apply only to the Toggle privileges function. If you’re using either of the management settings listed below, they apply exclusively to the Toggle privileges function:
- DockToggleTimeout
- DockToggleMaxTimeout
They will not manage time-limited admin for any of Privileges’ functions outside of using the Toggle privileges function.
What if you want time-limited admin outside of using the Toggle privileges function? You will need to use a separate mechanism. In my case, I usually point folks towards using PrivilegesDemoter:
https://github.com/sgmills/PrivilegesDemoter
This tool uses a separate mechanism for figuring out the timing and then uses the PrivilegesCLI command line tool to take away admin when the time limit set for PrivilegesDemoter expires.
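As an added example (not code from Privileges or PrivilegesDemoter), here is one way a separate timer of the kind described above can work: a root-run script records when a user was first seen with admin rights and calls PrivilegesCLI once the limit has passed. The CLI path, the `--remove` flag, the state directory, the `--run` switch and the 20-minute limit are assumptions to check against your own deployment.

```shell
#!/bin/sh
# Added example, not Privileges or PrivilegesDemoter code.
# Assumptions: CLI path and --remove flag (check your installed version),
# the state directory, and the 20-minute limit.
PRIV_CLI="${PRIV_CLI:-/Applications/Privileges.app/Contents/Resources/PrivilegesCLI}"
STATE_DIR="${STATE_DIR:-/private/var/db/admin-timer}"   # keep root-owned
LIMIT_SECONDS="${LIMIT_SECONDS:-1200}"

# True if the user is in the local admin group (macOS dseditgroup).
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Assumption: PrivilegesCLI changes the rights of the user who runs it,
# so it is invoked as that user.
demote() {
    sudo -u "$1" "$PRIV_CLI" --remove
}

# check_user USER NOW_EPOCH -> prints not-admin, started, waiting or demoted.
check_user() {
    user=$1
    now=$2
    stamp="$STATE_DIR/$user.since"
    if ! is_admin "$user"; then
        rm -f "$stamp"              # rights already gone: reset the timer
        echo not-admin
        return 0
    fi
    if [ ! -f "$stamp" ]; then
        mkdir -p "$STATE_DIR" && echo "$now" > "$stamp"   # first sighting
        echo started
        return 0
    fi
    since=$(cat "$stamp")
    # A damaged timestamp fails closed: treat the grant as expired.
    case "$since" in ''|*[!0-9]*) since=0 ;; esac
    if [ $((now - since)) -lt "$LIMIT_SECONDS" ]; then
        echo waiting
        return 0
    fi
    demote "$user" && rm -f "$stamp" && echo demoted
}

# Run from a root LaunchDaemon every minute or so with the hypothetical --run flag.
if [ "${1:-}" = "--run" ]; then
    check_user "$(stat -f %Su /dev/console)" "$(date +%s)"
fi
```

Because the timer starts when the script first sees the admin rights, the effective limit can overshoot by up to one polling interval; keeping the state directory writable only by root stops the user from resetting the timestamp.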
Great site and great tool, so I hate to sound picky, but I am wondering what the reasoning is for this design choice. In my mind, it seems like there would be a setting to make it work as a time limited admin all the time. Trust me, this isn’t a complaint, it is entirely a curiosity question about why there is this limitation in the tool.
Just seems like this was created in a very overly convoluted and overcomplicated manner. Seems like a simple version to enable admin for X time would be more useful in this application than the way it’s presented.
I agree with this. I feel that the timed admin capability should be the default, with the option of retaining admin being the “harder one to enable” with the right click and selecting the option. Having to set up a second mechanism to take away admin seems counter-intuitive. If we as admins wanted a user to have admin rights forever, we can do that at setup and not need this tool.
Also wondering about the reasoning behind this design choice.