About LastPass Enterprise Shared Folders

A shared folder is a special folder in your Vault that you can use to securely and easily share site password entries and secure notes with other LastPass users. Changes to the shared folder are synchronized automatically to everyone with whom the folder has been shared.

Different access controls – such as "Hide Passwords" – can be set per user/group or in the form of policies. Shared folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.

If you are a LastPass Enterprise admin, please see View and Manage LastPass Enterprise Shared Folders (Admins) for more information.

If you are a LastPass Enterprise user, please see Manage LastPass Enterprise Shared Folders (Users) for more information.

With Shared Folders:

  • Anyone can create a shared folder.
  • You can easily configure and maintain them.
  • You can share hundreds of passwords with hundreds of users individually or via user groups.
  • Changes automatically propagate to all assigned users.

If you have a LastPass Teams, Enterprise, or Identity account, the ability to perform these actions may be limited or prohibited due to policies enabled by your LastPass admin.

Limitations of shared folders

  • Each shared folder can hold an unlimited number of items (except when using LastPass via Internet Explorer and/or the LastPass for Applications desktop app, which are hard-set at a maximum of 5,000 items). However, users can expect to see performance degradation once 2,000 or more items are added in all other web browsers and applications.
  • Sites can be copied to multiple folders but must be updated manually in every folder. For this reason, it is recommended to use the "restrict" option in order to limit access for a specific sub-set of users, rather than copying the Site entry into multiple folders.
  • Site entries cannot be directly imported into shared folders.
  • Form Fill profiles cannot be shared.
  • While there is no limit on the number of users you can add to a shared folder, account performance may be affected if a shared folder is assigned to more than 1,000 users.
  • Up to 5 external users (those who have an active LastPass account that is not associated with your business account) can be invited to a shared folder.
  • Individually shared Sites cannot be added to a shared folder; a copy will have to be made.
  • If a user is added to a shared folder more than once, either via multiple groups or individually multiple times with different permissions, the most restrictive settings take priority. If a user is added to the folder both individually and via user groups, the individual permission applies. This is important to remember when an admin is also part of a group, as this can limit the admin's privileges.
  • A sub-folder cannot have separate permissions from its parent shared folder.
  • Users MUST generate sharing keys before being added to shared folders. This is done automatically by logging into the LastPass web browser extension at least once after creating an account. In Safari, if the web browser extension has not been installed yet, sharing keys can be created using the "Generate Sharing Keys" option in the online Vault. This can only be circumvented by enabling the "Pre-Create Sharing Key" policy. Learn more.

Shared folder management options

Once a folder is created and populated by the folder Admin, there are 3 different ways in which the folder can be assigned out to additional users:

  • The folder Admin assigns and manages the folder manually. From their Vault the folder admin (e.g., the division manager) can add and remove users, and edit user permissions on an individual by individual basis.
  • Automate all folder assignments through the user group assignments in Active Directory. The creator of the folder can assign the folder to the appropriate user group from the existing Active Directory groups. Once this mapping is complete, the Active Directory Connector will manage all user additions and removals for you based on any relevant changes in the AD environment.
  • Centralize the management function and have a dedicated person managing the groups manually through the Admin Console. In this case, the designated individual would need to be a LastPass admin. Using Groups in the Admin Console, the admin could add and delete users to groups, which would then map back to the relevant shared folders. The creator of the folder simply assigns the folder to the appropriate user group. In this scenario, you would typically publish the point of contact on your organization's LastPass wiki page or internal FAQs so that users would know to whom they should direct a change request.

Shared folder access permissions

The following are permission levels you can set for each of your shared folders:

  • Read-only prohibits the user or group from adding items to or removing items from a shared folder. It also prevents them from saving any updated username, password or Secure Note information to the folder. However, we cannot block the update from taking place at the Site level. This option could, therefore, result in the rest of the team being locked out. We recommend that you articulate a "no update" policy outside of LastPass (if this is, in fact, your goal) and that you do not select "Read Only" as the permission option. If the user still updates the credentials, then the change will save back to LastPass, and the event will be captured in the reports so that you are able to track it back to the owner.
  • Administrator will grant the user equal admin rights over the shared folder including: adding and removing users and restricting access to individual Sites in the folder. Please note that a shared folder admin is not the same role as a LastPass Enterprise admin. Learn more about the shared folder options available to LastPass Enterprise admins.
  • Hide Passwords prohibits the user from seeing the credentials. They will be able to utilize the tools via Autofill or Autologin, but they will be unable to see the actual credentials.
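
The precedence rules under "Limitations of shared folders" interact with the three permission levels above. The following added example (not LastPass code) models them so an admin can check who actually holds Administrator on a folder. It assumes "most restrictive" means a restriction set on any applicable assignment stays set and Administrator must be granted by every applicable assignment; all names and data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    read_only: bool = False
    hide_passwords: bool = False
    admin: bool = False

# Constructed sample data: group membership and one folder's assignments.
GROUP_MEMBERS = {"it-admins": {"alice", "bob", "dave"},
                 "contractors": {"bob", "carol"}}
FOLDER = {
    "groups": {"it-admins": Perm(admin=True),
               "contractors": Perm(read_only=True, hide_passwords=True)},
    "individual": [("dave", Perm(hide_passwords=True))],
}

def most_restrictive(perms):
    # Assumed reading of "most restrictive settings take priority".
    return Perm(read_only=any(p.read_only for p in perms),
                hide_passwords=any(p.hide_passwords for p in perms),
                admin=all(p.admin for p in perms))

def grants(user, folder):
    """Return (individual assignments, group assignments) for a user."""
    own = [p for u, p in folder["individual"] if u == user]
    via = [p for g, p in folder["groups"].items()
           if user in GROUP_MEMBERS.get(g, ())]
    return own, via

def effective(user, folder):
    """Individual assignments apply over groups; ties resolve restrictively."""
    own, via = grants(user, folder)
    deciding = own or via
    return most_restrictive(deciding) if deciding else None

def lost_admin(folder):
    """Users granted Administrator somewhere who do not hold it effectively."""
    users = {u for u, _ in folder["individual"]}
    for g in folder["groups"]:
        users |= GROUP_MEMBERS.get(g, set())
    flagged = []
    for u in sorted(users):
        own, via = grants(u, folder)
        if any(p.admin for p in own + via) and not effective(u, folder).admin:
            flagged.append(u)
    return flagged
```

Here `bob` loses Administrator because a second group restricts him, and `dave` loses it because his individual assignment takes the place of the admin group's.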