diff --git a/src/common/read_config.c b/src/common/read_config.c
index bad330ee6e11d5bc35f7a071635aec1ad66f312b..3ea9ad803d1e44d97879503c8c6458d4d89f19b5 100644
--- a/src/common/read_config.c
+++ b/src/common/read_config.c
@@ -102,6 +102,10 @@ strong_alias(run_in_daemon, slurm_run_in_daemon);
 slurm_ctl_conf_t slurmctld_conf;
 bool ignore_state_errors = false;
 
+#ifndef NDEBUG
+uint16_t drop_priv_flag = 0;
+#endif
+
 static pthread_mutex_t conf_lock = PTHREAD_MUTEX_INITIALIZER;
 static s_p_hashtbl_t *conf_hashtbl = NULL;
 static slurm_ctl_conf_t *conf_ptr = &slurmctld_conf;
@@ -2763,6 +2767,22 @@ slurm_conf_init(const char *file_name)
 		return SLURM_ERROR;
 	}
 
+#ifndef NDEBUG
+	/*
+	 * This is done here to ensure all user commands parse this once at
+	 * launch, rather than trying to test this during each RPC call.
+	 * This environment variable is undocumented, and only
+	 * respected in development builds. When set, the remote end
+	 * will treat the request as if it was issued by an unprivileged
+	 * user account rather than the (likely elevated) privileges that
+	 * the account usually operates under. This makes it possible to
+	 * test various access controls while running the testsuite under
+	 * a single user account.
+	 */
+	if (getenv("SLURM_TESTSUITE_DROP_PRIV"))
+		drop_priv_flag = SLURM_DROP_PRIV;
+#endif
+
 	init_slurm_conf(conf_ptr);
 	if (_init_slurm_conf(file_name) != SLURM_SUCCESS)
 		fatal("Unable to process configuration file");
diff --git a/src/common/read_config.h b/src/common/read_config.h
index caaff9177107056660b9def13db634338581210e..d365713a45aea6000cce8274a51e004b918a7b6f 100644
--- a/src/common/read_config.h
+++ b/src/common/read_config.h
@@ -55,6 +55,10 @@ extern char *default_slurm_config_file;
 extern char *default_plugin_path;
 extern char *default_plugstack;
 
+#ifndef NDEBUG
+extern uint16_t drop_priv_flag;
+#endif
+
 #define ACCOUNTING_ENFORCE_ASSOCS 0x0001
 #define ACCOUNTING_ENFORCE_LIMITS 0x0002
 #define ACCOUNTING_ENFORCE_WCKEYS 0x0004
diff --git a/src/common/slurm_protocol_defs.c b/src/common/slurm_protocol_defs.c
index 3580643f8371652a3ee3c4fa88a9f61de5f7feec..9ee37de4f958c088e86f13add31e1d7a37a47ea9 100644
--- a/src/common/slurm_protocol_defs.c
+++ b/src/common/slurm_protocol_defs.c
@@ -108,6 +108,10 @@ extern void slurm_msg_t_init(slurm_msg_t *msg)
 	msg->msg_type = (uint16_t)NO_VAL;
 	msg->protocol_version = (uint16_t)NO_VAL;
 
+#ifndef NDEBUG
+	msg->flags = drop_priv_flag;
+#endif
+
 	forward_init(&msg->forward, NULL);
 
 	return;