Allows administrators and privileged users to log in with a low-privilege account and switch to a privileged session only when needed — similar to sudo on Linux. This follows security best practice of not using administrator accounts for daily tasks. Privileged sessions can be protected with existing MFA factors for additional security.

A secondary use case is working around bugs that appear when a user holds both teacher and student roles in the same course — the user can be enrolled as a normal student and switch to a privileged session only when acting as an editing teacher.

Features

• Low-privilege daily accounts with on-demand privilege escalation
• Configurable roles and contexts per privileged user
• Optional MFA verification before starting a privileged session

Configuration

1. Log in as admin
2. Go to Site administration / Users / Permissions / Privileged users
3. Press Add privileged user
4. Select the user to grant sudo access
5. Define the roles and contexts where the user will have privileged access
6. Optionally enforce MFA for additional security

Starting a privileged session

1. Log in with your regular low-privilege account
2. Click the user menu in the top right
3. Select Start privileged session
4. Press Continue or supply your MFA verification code
5. End the privileged session once your management tasks are complete

Known limitations

• This plugin uses the Switch role feature internally — course-level privileges appear as "Switched roles" in the Moodle UI