Understanding User Roles
From IT service companies to marketing agencies, businesses of all types need to ensure access to sensitive company data is secure and appropriate. With customizable, role-based permissions in LastPass, you can give users just the right level of access to do their job, and nothing more. Employees can be productive, while company data is more secure.
LastPass includes 4 types of roles – users, helpdesk admin, admin, and super admin – each with specific functionality so you can give appropriate levels of access to LastPass. The helpdesk admin is a customizable role, so you can choose what is appropriate for IT helpdesk staff in your organization. For example, designate the helpdesk admin role to IT team members that handle day-to-day internal support tickets on passwords, without giving them access to all of the privileged information in your LastPass Enterprise account. Or, select key team members to be admins so they can set security policies and provision new users as needed.
Topics in this article:
These are individual account holders – employees – who only have access to their personal Vault and folders shared with them. They have:
- Access to their own Vault
- Feature usage and access limited by policies through LastPass
The least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions. You can restrict their level of Admin Console access by enabling the "Helpdesk Admin - Restricted Administrator" policy and selecting one of the following configurations:
- Only allows Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
- Only allows the following actions:
- Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
- Disable Multifactor Authentication for users
- Only allows management of the Users page
- Only allows management of the Users and Groups pages
These are your IT managers and team leads that have access to all areas of the admin dashboard for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling Multifactor Authentication. Admins have all of the same permissions as the helpdesk admin, as well as:
- Access to all areas of the Admin Console
- Ability to enable/disable policies
- Add or remove users
You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins, as well as:
- Master Password reset on any user's Vault
- Access to all shared folders across the company
LastPass Enterprise admins can create as many custom admin roles as needed by doing the following:
- Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
- Go to Advanced Options > Roles > Add Role.
- Fill in the "Role Name" and "Role Description" fields.
- Check the box(es) to enable your desired permissions for this role in the "Allow Permission Tree" section.
- Click Add when finished.