
What are admin levels?

    LastPass includes preset admin levels, and each level has a preset configuration to choose from. Each level grants specific functionality so you can give appropriate levels of access to LastPass. In addition, you can define custom admin levels with a narrower or wider range of permissions (depending on your use case).

    Notice: LastPass Business admins can assign an admin level to as many account holders as needed; however, each admin can have only one (1) admin level at a time.

    Admin levels in the new Admin Console

    User

    These are individual account holders (employees) who have only the following:
    • Access to their own vault and folders shared with them
    • Feature usage and access limited by policies through LastPass

    Legacy Helpdesk Admin

    This is the least-privileged admin, tasked with day-to-day management of LastPass and supporting employees with their IT questions. You can restrict their level of Admin Console access by enabling the "Grant limited access to Admin Console" policy.

    Each numeric value (i.e., 1, 2, 3, and 4) will include a new privilege in addition to the functionality outlined in the previous value. Select one of the following configurations:
    1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
    2. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
    3. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
      3. Management of the Users page
    4. Only allows the following actions:
      1. Only allows Reset master password for users but not full admins (also requires enabling the "Permit super admins to reset master passwords" policy)
      2. Disable multifactor authentication for users
      3. Management of the Users page
      4. Management of the Groups page
    5. Only allows access to managed companies (excludes permissions 1-4) – For more information, please see What are managed companies for LastPass Business?

    Helpdesk Admin

    Helpdesk Admins can perform the following limited tasks only in the new Admin Console:
    • Reset master password for users but not full admins
      Attention: The "Reset master password" option only becomes available after the selected user has logged out and logged back in using the LastPass browser extension (as login via the LastPass website at https://lastpass.com will not activate the "Reset master password" option for the admin). For more information about the encryption process, view What is the encryption process when a super admin resets a master password?
    • Destroy user sessions
    • View-only access of Users page
    • View-only access of Groups page
    • View-only access of Admins page
    Restriction: This admin cannot access the legacy Admin Console. If you want an admin to have access to the legacy Admin Console, you must assign them either as an Admin or Super Admin instead.
    Restriction: Helpdesk Admins do not have the ability to disable multifactor authentication for users. If you want an admin to have the ability to disable multifactor authentication for users, you must assign them as either a Legacy Helpdesk Admin (with a value of 2, 3, or 4), an Admin, a Custom Admin with User-level MFA modify permission, or a Super Admin instead.

    Admin

    These are your IT managers and team leads who have access to all areas of the admin dashboard so they can deploy, configure, and manage LastPass, including user provisioning, policy setting, and much more. Be sure to protect admin LastPass accounts by enabling multifactor authentication. Admins have all of the same permissions as the Legacy Helpdesk Admin (listed above), as well as:

    • Access to all areas of the Admin Console
    • Ability to enable/disable policies
    • Add or remove users

    Super Admin

    You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios. Super admins have all of the same permissions as admins (listed above), as well as:

    To add a super admin, follow the procedure described in View and assign admin levels in the new Admin Console.

    Another way to add a super admin is to assign the following policies to a selected existing admin on the Policies > General policies page:

    • Permit super admins to reset master passwords
    • Permit super admins to access shared folders
    Note: In the future, the process to create a super admin will change. To create a super admin, you will simply assign a user to the Super Admin level on the Users > Admin levels page as described in View and assign admin levels in the new Admin Console. When assigning a user to the Super Admin level, the policies mentioned previously will be automatically enabled for that user. The permissions that come with these policies will also be automatically assigned. This future change will not impact existing super admins in any way.

    Custom Admin

    Custom admins are created with specific customized permissions in the new Admin Console (much like roles in the old Admin Console). This is useful when you want to enable someone in your organization to perform certain actions that require special permissions, but you don't want them to become an admin with a wide range of admin rights. For example, you would like someone to be able to view reports, but you do not want them to be able to view and modify users/groups.

    A custom admin can be granted permissions to do a variety of tasks, such as help manage the following:
    • Adoption Dashboard
    • Users
    • Groups
    • Directories and federated login
    • User-level multifactor authentication
    • Reports

    To add a custom admin, follow the procedure described in the following article: Manage custom admin levels in the new Admin Console

    For those who migrate their roles (created in the old Admin Console) to custom admin levels, the following article has useful information: How do I migrate a role to a custom admin level?
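
    The levels described above can be modelled to review who is able to disable multifactor authentication or reset master passwords. This is an added example, not LastPass code: the roster shape, the level and permission labels, and the function names are all assumptions made for illustration.

```python
# Added example: models this page's admin levels; roster shape and labels are constructed.
RESET_MP, DISABLE_MFA = "reset_master_password", "disable_mfa"
# Legacy Helpdesk Admin values 1-4 each add one privilege to the previous value.
LEGACY_STEPS = [RESET_MP, DISABLE_MFA, "manage_users", "manage_groups"]

def capabilities(entry, reset_policy_enabled=True):
    """Return the sensitive capabilities the page attributes to one roster entry."""
    level = entry["level"]
    if level == "user":
        caps = set()
    elif level == "legacy_helpdesk":
        value = entry["value"]
        if value not in (1, 2, 3, 4, 5):
            raise ValueError(f"unknown Legacy Helpdesk value: {value}")
        # Value 5 is managed-company access only and excludes permissions 1-4.
        caps = set() if value == 5 else set(LEGACY_STEPS[:value])
    elif level == "helpdesk":
        caps = {RESET_MP}  # cannot disable MFA; Users/Groups pages are view-only
    elif level in ("admin", "super_admin"):
        caps = set(LEGACY_STEPS)  # everything the legacy helpdesk level can do
    elif level == "custom":
        # Assumed label for the page's "User-level MFA modify" permission.
        granted = entry.get("permissions", ())
        caps = {DISABLE_MFA} if "user_level_mfa_modify" in granted else set()
    else:
        raise ValueError(f"unknown admin level: {level}")
    # The page states the reset-policy requirement only for the legacy level.
    if level == "legacy_helpdesk" and not reset_policy_enabled:
        caps.discard(RESET_MP)
    return caps

def review(roster, reset_policy_enabled=True):
    """List the accounts that can disable MFA or reset master passwords."""
    report = {DISABLE_MFA: [], RESET_MP: []}
    for entry in roster:
        caps = capabilities(entry, reset_policy_enabled)
        for cap in (DISABLE_MFA, RESET_MP):
            if cap in caps:
                report[cap].append(entry["email"])
    return report

# Constructed roster for illustration only.
ROSTER = [
    {"email": "amy@example.com", "level": "super_admin"},
    {"email": "bo@example.com", "level": "helpdesk"},
    {"email": "cy@example.com", "level": "legacy_helpdesk", "value": 2},
    {"email": "di@example.com", "level": "legacy_helpdesk", "value": 5},
    {"email": "ed@example.com", "level": "custom", "permissions": ["reports"]},
]
```

    Calling `review(ROSTER)` returns the accounts holding each capability, which can be compared against the people who are expected to hold it.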