HELP FILE

What are admin levels?

    LastPass includes preset admin levels and each level has a preset configuration to choose from. Each level grants specific functionality so you can give appropriate levels of access to LastPass In addition, it is also possible to define custom admin levels with only a limited or a wider range of permissions (depending on your use case).

    Note: Are you seeing something different? See these instructions for the Password Manager Admin Console or the SSO & MFA Admin Console.
    Note: LastPass Business admins can assign an admin level to as many account holders as needed, however, each admin can only have one admin level at a time.

    User

    These are individual account holders - employees - who only have access to the following:
    • Access to their own vault and folders shared with them
    • Feature usage and access limited by policies through LastPass

    Legacy Helpdesk Admin

    The least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions. You can restrict their level of Admin Console access by enabling the Grant limited access to Admin Console policy.

    Each numeric value (i.e., 1, 2, 3, and 4) will include a new privilege in addition to the functionality outlined in the previous value. Select one of the following configurations:
    1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
    2. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
    3. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
      3. Management of the Users page
    4. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
      3. Management of the Users page
      4. Management of the Groups page
    5. Only allows access to managed companies (excludes permissions 1-4) – For more information, please see What are managed companies for LastPass Business?

    Helpdesk Admin

    Helpdesk Admins can perform the following limited tasks only in the new Admin Console:
    Note: This admin cannot access the legacy Admin Console. If you want an admin to have access to the legacy Admin Console, you must assign them either as an Admin or Super Admin instead.
    Restriction: Helpdesk Admins do not have the ability to disable multifactor authentication for users. If you want an admin to have the ability to disable multifactor authentication for users, you must assign them as either a Legacy Helpdesk Admin (with a value of 2, 3, or 4), an Admin, a Custom Admin with User-level MFA modify permission, or a Super Admin instead.
    • Reset master password for users but not full admins
    • Destroy user sessions
    • View-only access of Users page
    • View-only access of Groups page
    • View-only access of Admins page

    Admin

    These are your IT managers and team leads that have access to all areas of the admin dashboard for ability to deploy, configure, and manage LastPass, such as user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling multifactor authentication. Admins have all of the same permissions as the Legacy Helpdesk Admin (listed above), as well as:

    • Access to all areas of the Admin Console
    • Ability to enable/disable policies
    • Add or remove users

    Super Admin

    You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins (listed above), as well as:

    To add a super admin, follow the procedure described in How do I view and assign admin levels in the new Admin Console?.

    Another way to add a super admin is to assign the following policies to a selected existing admin on the Policies > General policies page:

    • Permit super admins to reset master passwords
    • Permit super admins to access shared folders
    Note: In the future, the process to create a super admin will change. To create a super admin, you will simply assign a user to the Super Admin level on the Users > Admin levels page as described in How do I view and assign admin levels in the new Admin Console?. When assigning a user to the Super Admin level, the policies mentioned previously will be automatically enabled for that user. The permissions that come with these policies will also be automatically assigned. This future change will not impact existing super admins in any way.

    Custom Admin

    Custom admins are created with specific customized permissions in the new Admin Console (much like roles in the old Admin Console). This is useful when you want to enable someone in your organization to perform certain actions that require special permissions but you don't want them to become an admin with a wide range of admin rights. For example, you would like someone to be able to view reports but you do not want them to be able view and modify users/groups.

    A custom admin can be granted permissions to do a variety of tasks, such as help manage the following:
    • Adoption Dashboard
    • Users
    • Groups
    • Directories and federated login
    • User-level multifactor authentication
    • Reports

    To add a custom admin, follow the procedure described in the following article: How do I assign and edit custom admins in the new Admin Console?

    For those who migrate their roles (created in the old Admin Console) to custom admin levels, the following article has useful information: How do I migrate a role to a custom admin level?