Understanding User Types
LastPass includes 4 permissions-based user types – users, helpdesk admin, admin, and super admin – each with specific functionality so you can give appropriate levels of access to LastPass. The helpdesk admin is a customizable role, so you can choose what is appropriate for IT helpdesk staff in your organization. For example, designate the helpdesk admin role to IT team members that handle day-to-day internal support tickets on passwords, without giving them access to all of the privileged information in your LastPass Enterprise account. Or, select key team members to be admins so they can set security policies and provision new users as needed.
These are individual account holders – employees – who only have access to their personal Vault and folders shared with them. They have:
- Access to their own Vault
- Feature usage and access limited by policies through LastPass
The least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions. You can restrict their level of Admin Console access by enabling the "Helpdesk Admin - Restricted Administrator" policy and selecting one of the following configurations:
- Only allows Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
- Only allows the following actions:
- Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
- Disable Multifactor Authentication for users
- Only allows management of the Users page
- Only allows management of the Users and Groups pages
These are your IT managers and team leads that have access to all areas of the admin dashboard for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling Multifactor Authentication. Admins have all of the same permissions as the helpdesk admin (listed above), as well as:
- Access to all areas of the Admin Console
- Ability to enable/disable policies
- Add or remove users
You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins (listed above), as well as:
- Master Password reset on any user's Vault
- Access to all shared folders across the company
Assign a user type
- Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
- Click Users in the left menu.
- Click to select your desired user.
- Click the More icon in the upper-right corner.
- Configuration options will vary depending on your user's account status, as follows:
- Make or Remove admin – You can promote any number of users to admin status and remove this status at any time. Granting admin rights means that the individual will have full access to the Admin Console. Removal of admin rights sets the individual back to a standard user.
To assign a Super Admin, you must enable the "Super Admin - Master Password Reset" and/or "Super Admin - Shared Folders" policies, then assign the existing admin to the policy.
Note: All users you add to the Super Admin policies must be account administrators in order to be added.