Designating LastPass Admin roles in your organization

From IT service companies to marketing agencies, businesses of all types need to ensure access to sensitive company data is secure and appropriate. With customizable, role-based permissions in the LastPass admin console, you can give users just the right level of access to do their job, and nothing more.

Employees can be productive, while company data protected.

LastPass includes four types of roles – users, helpdesk admin, admin, and super admin – each with specific functionality so you can give appropriate levels of access to LastPass.

For example:

• The helpdesk admin is a customizable role, enabling you to choose what is appropriate for IT helpdesk staff in your organization.
• In the admin console you can designate the helpdesk admin role to IT team members that manage day-to-day internal support tickets on passwords, without giving them access to all of the privileged information in your LastPass account.
• Or, select key team members to be admins so they can set security policies and provision new users as needed.

Overview of LastPass admin roles

User

Use case:

These are individual account holders – employees – who only have access to their personal vault and folders shared with them.

Permissions:

• Access to their own vault
• Feature usage and access limited by policies through LastPass

Helpdesk Admin

Use case:

Helpdesk admins can perform the following limited tasks only in the new Admin Console:

Permissions:

• Resetting master password for users but not for admins. It also requires enabling the "Permit super admins to reset master passwords" policy.
  
  Important: The "Reset master password" option only becomes available for the admin after the selected user has logged out and logged back in using the LastPass browser extension (as login via the LastPass website at https://lastpass.com doesn't activate the "Reset master password" option for the admin). Additionally, the user must log out and log back in after the designated admins have been assigned to the policy (super admins only). For more information about the encryption process, view About the encryption process when a super admin resets a master password.
• Destroying user LastPass sessions.
• View-only access of the Users page.
• View-only access of the Groups page.
• View-only access of the Admins page.

Admin

Use case:

These are your IT managers and team leads that have access to all areas of the admin console for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and more. Be sure to protect admin LastPass accounts with MFA.

Permissions:

• All permissions of the helpdesk admin, plus:
• Access to all areas of the admin console
• Enable or disable policies
• Add or remove users

Super Admin

Use case:

These are your IT managers and team leads that have access to all areas of the admin console for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and more. Be sure to protect admin LastPass accounts with MFA.

Permissions:

• All permissions of the helpdesk admin, plus:
• Access to all areas of the admin console
• Enable or disable policies
• Add or remove users