HELP FILE

What are admin roles?

LastPass includes preset admin levels and each level has a preset configuration to choose from. Each level grants specific functionality so you can give appropriate levels of access to LastPass.

Note: Are you seeing something different? See these instructions for the Password Manager Admin Console or the SSO & MFA Admin Console.
Note: Admins can only have one admin level at a time.

User

These are individual account holders (employees) who have only the following:

  • Access to their own Vault and folders shared with them
  • Feature usage and access limited by policies through LastPass

Legacy Helpdesk Admin

The least-privileged admin, tasked with day-to-day management of LastPass and supporting employees with their IT questions. You can restrict their level of Admin Console access by enabling the "Grant limited access to Admin Console" policy.

Each numeric value (i.e., 1, 2, 3, and 4) will include a new privilege in addition to the functionality outlined in the previous value. Select one of the following configurations:

  1. Only allows Reset Master Password for users but not full admins (also requires enabling the "Permit super admins to reset Master Passwords" policy)
  2. Only allows the following actions:
    1. Only allows Reset Master Password for users but not full admins (also requires enabling the "Permit super admins to reset Master Passwords" policy)
    2. Disable multifactor authentication for users
  3. Only allows the following actions:
    1. Only allows Reset Master Password for users but not full admins (also requires enabling the "Permit super admins to reset Master Passwords" policy)
    2. Disable multifactor authentication for users
    3. Management of the Users page
  4. Only allows the following actions:
    1. Only allows Reset Master Password for users but not full admins (also requires enabling the "Permit super admins to reset Master Passwords" policy)
    2. Disable multifactor authentication for users
    3. Management of the Users page
    4. Management of the Groups page
  5. Only allows access to Managed Companies (excludes permissions 1-4) – For more information, please see What are Managed Companies for LastPass Business?

Helpdesk Admin

Helpdesk Admins can perform the following limited tasks only in the new Admin Console:

  • Reset Master Password for users but not full admins
  • Destroy user sessions
  • View-only access of Users page
  • View-only access of Groups page

Note: This admin cannot access the legacy Admin Console. If you want an admin to have access to the legacy Admin Console, you must assign them either as an Admin or Super Admin instead.
Restriction: Helpdesk Admins do not have the ability to disable multifactor authentication for users. If you want an admin to have the ability to disable multifactor authentication for users, you must assign them as either a Legacy Helpdesk Admin (with a value of 2, 3, or 4), Admin, or a Super Admin instead.

Admin

These are your IT managers and team leads who have access to all areas of the admin dashboard so they can deploy, configure, and manage LastPass, including user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling multifactor authentication. Admins have all of the same permissions as the Legacy Helpdesk Admin (listed above), as well as:

  • Access to all areas of the Admin Console
  • Ability to enable/disable policies
  • Add or remove users
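
The helpdesk-level roles above, modelled for an access review: this is an added example, not LastPass code, that picks the role granting the fewest privileges for a set of required tasks and flags assignments that grant more. The capability labels, function names and sample assignments are constructed for illustration; Admin and Super Admin are not modelled and are treated only as "more than any helpdesk role".

```python
# Capability labels are names chosen for this example, not LastPass identifiers.
# "manage" and "view" of a page are kept distinct, as the lists on this page do.
RESET, MFA_OFF, USERS, GROUPS = "reset_master_password", "disable_mfa", "manage_users", "manage_groups"
COMPANIES, SESSIONS, VIEW_USERS, VIEW_GROUPS = "managed_companies", "destroy_sessions", "view_users", "view_groups"

# Legacy Helpdesk values 1-4 are cumulative; value 5 stands apart and excludes 1-4.
LADDER = [RESET, MFA_OFF, USERS, GROUPS]
ROLES = {f"Legacy Helpdesk Admin ({n})": frozenset(LADDER[:n]) for n in range(1, 5)}
ROLES["Legacy Helpdesk Admin (5)"] = frozenset({COMPANIES})
ROLES["Helpdesk Admin"] = frozenset({RESET, SESSIONS, VIEW_USERS, VIEW_GROUPS})

# The page names this policy as a prerequisite for the legacy reset privilege.
RESET_POLICY = "Permit super admins to reset Master Passwords"


def least_privileged(needed):
    """Return (role, unneeded capabilities, policies to enable), or None when no
    helpdesk-level role covers `needed` and an Admin would have to be considered."""
    needed = frozenset(needed)
    covering = [(len(caps), name) for name, caps in ROLES.items() if needed <= caps]
    if not covering:
        return None
    _, name = min(covering)  # fewest capabilities wins; the name breaks ties
    policies = [RESET_POLICY] if name.startswith("Legacy") and RESET in needed else []
    return name, sorted(ROLES[name] - needed), policies


def review(assignments):
    """Flag people whose assigned role grants more than their stated tasks need."""
    findings = []
    for person, (role, needed) in assignments.items():
        best = least_privileged(needed)
        if best is None or best[0] == role:
            continue
        assigned = ROLES.get(role)  # None for Admin / Super Admin (not modelled)
        if assigned is None or len(ROLES[best[0]]) < len(assigned):
            findings.append((person, role, best[0]))
    return findings


# Constructed sample assignments (hypothetical people, not real data).
SAMPLE = {
    "alice": ("Legacy Helpdesk Admin (4)", {RESET}),
    "bob": ("Helpdesk Admin", {RESET, SESSIONS}),
    "carol": ("Admin", {MFA_OFF}),
}

if __name__ == "__main__":
    for person, role, better in review(SAMPLE):
        print(f"{person}: {role} -> {better}")
```

A result of None for a task set such as disabling multifactor authentication plus destroying sessions reflects the Restriction noted under Helpdesk Admin: no single helpdesk-level role covers both.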

Super Admin

You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins (listed above), as well as: