diff --git a/src/common/slurm_persist_conn.h b/src/common/slurm_persist_conn.h
index 3bdaa6551883b2d4cdf4e96cb01c64b02b0acf55..76d3bac7faa6e91b238e02fc39dc5f9549c3085f 100644
--- a/src/common/slurm_persist_conn.h
+++ b/src/common/slurm_persist_conn.h
@@ -43,6 +43,7 @@
 #define PERSIST_FLAG_DBD            0x0001
 #define PERSIST_FLAG_RECONNECT      0x0002
 #define PERSIST_FLAG_ALREADY_INITED 0x0004
+#define PERSIST_FLAG_DROP_PRIV      0x0008 /* must match SLURM_DROP_PRIV */
 
 typedef struct {
 	uint16_t msg_type;	/* see slurmdbd_msg_type_t or
diff --git a/src/slurmdbd/proc_req.c b/src/slurmdbd/proc_req.c
index 3e17f7198aaf559e1ae65c65142d889bdd7a8ecd..724993bce6106f015ef05d374e9d0ca313a3c681 100644
--- a/src/slurmdbd/proc_req.c
+++ b/src/slurmdbd/proc_req.c
@@ -234,6 +234,19 @@ static int   _step_complete(slurmdbd_conn_t *slurmdbd_conn,
 static int   _step_start(slurmdbd_conn_t *slurmdbd_conn,
 			 persist_msg_t *msg, Buf *out_buffer, uint32_t *uid);
 
+#ifndef NDEBUG
+/*
+ * Used alongside the testsuite to signal that the RPC should be processed
+ * as an untrusted user, rather than the "real" account. (Which in a lot of
+ * testing is likely SlurmUser, and thus allowed to bypass many security
+ * checks.
+ *
+ * Implemented with a thread-local variable to apply only to the current
+ * RPC handling thread. Set by SLURM_DROP_PRIV bit in the slurm_msg_t flags.
+ */
+static __thread bool drop_priv = false;
+#endif
+
 /* Process an incoming RPC
  * slurmdbd_conn IN/OUT - in will that the conn.fd set before
  *       calling and db_conn and conn.version will be filled in with the init.
@@ -254,6 +267,7 @@ proc_req(void *conn, persist_msg_t *msg,
 
 	DEF_TIMERS;
 	START_TIMER;
+
 	switch (msg->msg_type) {
 	case REQUEST_PERSIST_INIT:
 		rc = _unpack_persist_init(
@@ -596,6 +610,10 @@ proc_req(void *conn, persist_msg_t *msg,
  */
 static bool _validate_slurm_user(uint32_t uid)
 {
+#ifndef NDEBUG
+	if (drop_priv)
+		return false;
+#endif
 	if ((uid == 0) || (uid == slurmdbd_conf->slurm_user_id))
 		return true;
 
@@ -608,6 +626,10 @@ static bool _validate_slurm_user(uint32_t uid)
  */
 static bool _validate_super_user(uint32_t uid, slurmdbd_conn_t *dbd_conn)
 {
+#ifndef NDEBUG
+	if (drop_priv)
+		return false;
+#endif
 	if ((uid == 0) || (uid == slurmdbd_conf->slurm_user_id) ||
 	    assoc_mgr_get_admin_level(dbd_conn, uid) >= SLURMDB_ADMIN_SUPER_USER)
 		return true;
@@ -621,6 +643,10 @@ static bool _validate_super_user(uint32_t uid, slurmdbd_conn_t *dbd_conn)
  */
 static bool _validate_operator(uint32_t uid, slurmdbd_conn_t *dbd_conn)
 {
+#ifndef NDEBUG
+	if (drop_priv)
+		return false;
+#endif
 	if ((uid == 0) || (uid == slurmdbd_conf->slurm_user_id) ||
 	    assoc_mgr_get_admin_level(dbd_conn, uid) >= SLURMDB_ADMIN_OPERATOR)
 		return true;