About LastPass Enterprise Shared Folders
A shared folder is a special folder in your Vault that you can use to securely and easily share Sites and Secure Notes with other LastPass users. Changes to the shared folder are synchronized automatically to everyone with whom the folder has been shared. Different access controls – such as "Hide Passwords" – can be set per user/group or in the form of policies. Shared folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.
If you are a LastPass Enterprise admin, please see View and Manage LastPass Enterprise Shared Folders (Admins) for more information.
If you are a LastPass Enterprise user, please see Manage LastPass Enterprise Shared Folders (Users) for more information.
With Shared Folders:
- Anyone can create a shared folder.
- You can easily configure and maintain them.
- You can share hundreds of passwords with hundreds of users individually or via user groups.
- Changes automatically propagate to all assigned users.
Topics in this article:
- Each shared folder has an unlimited capacity of items that can be added (with the exception of using LastPass via Internet Explorer and/or the LastPass for Applications desktop app, which are hard-set at 5,000 items max). However, users can expect to see performance degradation when 2,000 items or more are added for all other web browsers and applications.
- Sites can be copied to multiple folders but must be updated manually in every folder. For this reason, it is recommended to use the "restrict" option in order to limit access for a specific sub-set of users, rather than copying the Site entry into multiple folders.
- Site entries cannot be directly imported into shared folders.
- Form Fill profiles cannot be shared.
- Up to 5 external users (those that do not have an active LastPass account) can be invited to a shared folder
- Individually shared Sites cannot be added to a shared folder; a copy will have to be made.
- If a user is added more than once to a shared folder via multiple groups or individually multiple times with different permissions, the most restrictive settings take priority. If a user is added to the folder individually and via user groups, the individual permission would apply. This is important to remember when an admin is also part of a group, as they can limit their privileges.
- A sub-folder cannot have separate permissions from its parent shared folder.
- Users MUST generate sharing keys before being added to shared folders. This is done automatically by logging into the LastPass web browser extension at least once after creating an account. In Safari, if the web browser extension has not been installed yet, Sharing Keys can be created using the "Generate Sharing Keys” option in the online Vault. This can only be circumvented by enabling the “Pre-Create Sharing Key” policy. Learn more.
Once a folder is created and populated by the folder Admin, there are 3 different ways in which the folder can be assigned out to additional users:
- The folder Admin assigns and manages the folder manually. From their Vault the folder admin (e.g., the division manager) can add and remove users, and edit user permissions on an individual by individual basis.
- Automate all folder assignments through the user group assignments in Active Directory. The creator of the folder can assign the folder to the appropriate user group from the existing Active Directory groups. Once this mapping is complete, the Active Directory Connector will manage all user additions and removals for you based on any relevant changes in the AD environment.
- Centralize the management function and have a dedicated person managing the groups manually through the Admin Console. In this case, the designated individual would need to be a LastPass admin. Using Groups in the Admin Console, the admin could add and delete users to groups, which would then map back to the relevant shared folders. The creator of the folder simply assigns the folder to the appropriate user group. In this scenario, you would typically publish the point of contact on your organization's LastPass wiki page or internal FAQs so that users would know to whom they should direct a change request.