Temporary Admin Elevation lets IT grant users short‑term local administrator rights on their devices, with strict limits and full visibility. It’s designed for teams that need flexibility (e.g., engineers installing tools) without the risk of permanent admin access.
With Temporary Admin Elevation, users can self‑elevate from the Swif DeskApp when allowed, and Swif automatically revokes admin rights when the time is up.
What is Temporary Admin Elevation?
Temporary Admin Elevation is a policy that:
Lets eligible users temporarily become local admins on their own devices.
Applies strict controls on:
How long a session can last.
How many sessions a user can start in a day/week.
How much total elevated time a user can accumulate.
How long they must wait between sessions.
Is fully configurable by administrators in the Swif web app.
Is enforced and audited by Swif, so IT keeps control and evidence for compliance.
This feature helps you:
Avoid giving long‑term or permanent local admin rights.
Reduce manual “please make me admin” tickets and Slack pings.
Support engineering and power‑user workflows safely.
Where to Configure Temporary Admin Elevation
Admins configure this feature in the Swif admin web app:
Go to Settings → Local Account Controls → Temporary Admin Access.
Use the Temporary Admin Access panel to:
Enable/disable the feature.
Choose which devices can use it.
Set OS support and limits.
When the feature hasn’t been configured yet, you’ll see an intro/empty state that explains what Temporary Admin Elevation does and prompts you to configure it.
Configuration Options
When you configure Temporary Admin Elevation, you control how and where it can be used.
1. Enable or Disable the Feature
Toggle Temporary Admin Access on/off.
When disabled:
Users cannot request elevation.
DeskApp will show that temporary admin access is unavailable for that device/user.
2. Scope: Which Devices Can Use It
You can decide where self‑service elevation is allowed:
All devices
Apply the same elevation rules to every managed device in your organization.Selected device groups
Limit elevation to specific device groups (e.g., “Engineering Laptops”, “QA Test Devices”).
When you choose this option:A “Choose device groups” selector appears.
Only devices in those groups will see the elevation option in DeskApp.
This scope configuration lives in the Temporary Admin Access configuration modal.
3. Supported Operating Systems
You can restrict elevation by OS:
Allowed OSes:
macOS
Windows
Linux
Only the OSes you select will support self‑service Temporary Admin Elevation. For example, you might initially enable it for macOS only and later add Windows/Linux as needed.
If a device’s OS is not in the allowed list, DeskApp will show that temporary admin access is not available on that device.
4. Session Duration and Frequency Limits
You define how powerful elevation is and how often it can be used:
Max elevation duration per session
The maximum length of a single elevated session (e.g., 15 / 30 / 60 / 120 minutes).
After this time, Swif automatically revokes local admin rights.
Max sessions per user per day (and/or week)
The maximum number of elevation sessions a user can start in a given period.
Helps prevent repeated back‑to‑back admin sessions.
Daily/weekly max accumulated elevated time per user (if exposed in your UI)
Caps the total amount of time per day/week a user can spend with elevated rights.
For example, “no more than 60 minutes total per day” even if sessions are shorter.
Cooldown time between elevation sessions
The minimum time a user must wait after an elevation session ends before starting another.
Reduces the risk of effectively “always‑on” admin access via frequent re‑elevation.
All these fields include client‑side validation:
Required fields must be completed.
Values must be positive and within supported ranges.
Invalid inputs will show inline error messages and the Save button will remain disabled until fixed.
5. Configuration Modal & Post‑Configuration State
The Configure / Edit button opens a modal where you:
Choose scope (“All devices” vs “Selected device groups”).
Select allowed OSes.
Set max duration, session limits, and cooldown.
After saving:
The modal closes.
The main Temporary Admin Access panel refreshes to show:
Whether the feature is enabled.
Scope summary (e.g., “All devices” or “Selected groups: Engineering Laptops, QA Lab”).
Current limits:
Max duration per session.
Max sessions per user per day/week.
Cooldown between sessions.
Which OSes are supported.
From this state you can:
Re‑open the modal to edit the configuration.
Turn off Temporary Admin Access entirely (if provided in your UI), returning the page to the intro/empty state.
How Temporary Admin Elevation Works for Users
Once configured, eligible users can request elevation through the Swif DeskApp.
High‑Level User Flow
User opens Swif DeskApp on a supported device and OS.
If:
Temporary Admin Access is enabled,
The device/user is in scope,
OS is allowed,
And the user is not over their limits,
then the DeskApp will show an option such as “Request temporary admin access”.
The user:
Sees the allowed duration and any relevant limits.
May be required to enter a reason for the request (e.g., “Install Xcode / Update Docker CLI”).
Confirms that they understand:
They will become a local admin for up to X minutes.
Their actions may be logged.
After confirmation:
The device enters elevated mode.
The user gains local admin privileges for the configured session duration.
DeskApp shows:
A clear indicator that admin mode is active (e.g., badge, banner).
A countdown timer.
An option to end admin access early.
When the session ends:
Swif automatically revokes local admin rights.
The user sees a confirmation that access has been removed.
Optionally, DeskApp may ask for quick feedback (“Did this solve what you needed?”).
Guardrails and Error States
The backend enforces the business rules you configured. From the user’s perspective, they may see messages like:
Feature disabled
“Temporary admin access is disabled by your administrator.”
Not in allowed group or device not in scope
“Temporary admin access isn’t available on this device.”
OS not supported
“Temporary admin access isn’t supported on this operating system.”
Daily/weekly time or session limit reached
“You’ve reached the maximum allowed admin time for today.”
Cooldown active
“You must wait X minutes before requesting admin access again.”
Behind the scenes, the DeskApp uses an employee‑role API to:
Check whether elevation is available for the current user and device.
Receive clear status/reason codes (e.g.,
featureDisabled,notInAllowedGroup,osNotSupported,overDailyLimit,cooldownActive) so it can display the right message.
Security and Compliance
Temporary Admin Elevation is designed to balance user autonomy with security:
Least privilege by default
Users do not keep long‑term local admin accounts; they elevate only when needed, for a limited time.Strict constraints
Admins define duration, frequency, cooldowns, OS support, and device groups, so you can closely align with internal security policies.Auditability (future/related features)
Swif’s elevation session APIs are designed to support:Detailed logs of each elevation event: who requested, which device, start/end times, duration, reason, and status.
Admin views in the web app to review elevation history by user or device.
Export or copy capabilities to support SOC 2 and similar audits.
When to Use Temporary Admin Elevation
Temporary Admin Elevation is a good fit if:
You have engineers or power users who regularly:
Install/update dev tools (SDKs, CLIs, IDEs).
Modify system configurations for testing.
Debug software in privileged environments.
Your security or compliance policies discourage permanent local admin accounts.
Your IT team spends time manually handling one‑off “make me admin” requests.
By configuring clear limits and scopes, you can support these workflows safely and reduce operational overhead.