Understanding User Roles
From IT service companies to marketing agencies, businesses of all types need to ensure access to sensitive company data is secure and appropriate. With customizable, role-based permissions in LastPass, you can give users just the right level of access to do their job, and nothing more. Employees can be productive, while company data is more secure.
LastPass includes 4 types of roles – users, helpdesk admin, admin, and super admin – each with specific functionality so you can give appropriate levels of access to LastPass. The helpdesk admin is a customizable role, so you can choose what is appropriate for IT helpdesk staff in your organization. For example, designate the helpdesk admin role to IT team members that handle day-to-day internal support tickets on passwords, without giving them access to all of the privileged information in your LastPass Enterprise account. Or, select key team members to be admins so they can set security policies and provision new users as needed.
Topics in this article:
These are individual account holders – employees – who only have access to their personal Vault and folders shared with them. They have:
- Access to their own Vault
- Feature usage and access limited by policies through LastPass
The least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions. They can:
- Resend user activation invitations
- Disable Multifactor Authentication
- Require a Master Password change
- Destroy all sessions for user(s)
- Add or disable a user
- Add or remove groups
These are your IT managers and team leads that have access to all areas of the admin dashboard for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling Multifactor Authentication. Admins have all of the same permissions as the helpdesk admin, as well as:
- Access to all areas of the Admin Console
- Ability to enable/disable policies
- Add or remove users
You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins, as well as:
- Master Password reset on any user's Vault
- Access to all shared folders across the company
LastPass Enterprise admins can create as many custom admin roles as needed by doing the following:
- Log in and access the Admin Console.
- Go to Advanced Options > Roles > Add Role.
- Fill in the "Role Name" and "Role Description" fields.
- Check the box(es) to enable your desired permissions for this role in the "Allow Permission Tree" section.
- Click Add when finished.