What are shared folders?
A shared folder is a special folder in your vault that you can use to securely and easily share site password entries and secure notes with other LastPass users.
With shared folders:
- Anyone can create a shared folder.
- You can easily configure and maintain them.
- You can share hundreds of passwords with hundreds of users.
- Changes to the shared folder are synchronized automatically and propagate to everyone with whom the folder has been shared.
Restriction: This feature is not available for LastPass Free or LastPass Premium accounts.
Restriction: If you have a LastPass Teams or LastPass Business account, the ability to perform these actions may be limited or prohibited due to policies enabled by your LastPass admin.
Attention: If you encounter an error when using the sharing feature (either sharing individually or using shared folders), you must upgrade to the latest version of the LastPass browser extension (v4.104.0 or newer). Download the latest version of LastPass on your device.
Limitations of shared folders
- Each shared folder has an unlimited capacity of items that can be added (with the exception of using LastPass for Windows Desktop application, which are hard-set at 5,000 items max). However, users can expect to see performance degradation when 2,000 items or more are added for all other web browsers and applications.
- While there is no limitation to the amount of users you can add to a shared folder, account performance may be affected if a shared folder is assigned more than 1,000 users.
Note: LastPass Teams accounts have a max of 50 users so they do not run this account performance risk.
- Sites can be copied to multiple folders but must be updated manually in every folder. For this reason, it is recommended to use the "restrict" option in order to limit access for a specific sub-set of users, rather than copying the site entry into multiple folders.
- Site entries cannot be directly imported into shared folders.
- Form Fill profiles cannot be shared.
- Individually shared sites cannot be added to a shared folder; a copy will have to be made.
- If a user is added more than once to a shared folder with different permissions, the most restrictive settings take priority. If a user is added to the folder individually and via user groups, the individual permission would apply. This is important to remember when an admin is also part of a group, as they can limit their privileges.
Restriction: User groups are not supported with LastPass Teams, and therefore they cannot be used to assign shared folders or policies.
- A sub-folder cannot have separate permissions from its parent shared folder.
- Users must generate sharing keys before being added to shared folders. This is done automatically by logging into the LastPass browser extension at least once after creating an account. If the web browser extension has not been installed yet, sharing keys can be created using the "Generate Sharing Keys” option in the online vault (learn how here).
Note: For LastPass Business accounts, this can only be circumvented by enabling the “Pre-Create Sharing Key” policy. Learn more about policies for LastPass Business accounts.
- Up to five (5) "external users" (i.e., those who do have an active LastPass account but their account is not associated with your personal or business account) can be invited to a shared folder.
Shared folder access permissions
Different access controls – such as "Hide Passwords" – can be set per user. Shared folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.
The following are permission levels you can set for each of your shared folders:
| Permission level | Access |
|---|---|
| Read-only | Prohibits the user or group from adding/removing items to/from a shared folder. It also prevents them from saving any updated item information to the folder. However, we cannot block the update from transpiring at the site level. This option could, therefore, result in a lockout by the rest of the team. It is our recommendation that you articulate a "no update" policy outside of LastPass (if this is, in fact, your goal) and that you do not select "Read Only" as the permission option. If the user still updates the credentials, then the change will save back to LastPass, and the event will be captured in the reports so that you are able to track it back to the owner. |
| Administrator | Grants the user equal admin rights over the shared folder, including adding & removing users and restricting access to individual sites in the folder.
Note: A shared folder admin is not the same role as a LastPass admin. Learn more about the shared folder options available to LastPass admins.
Restriction: An invited user outside of your company account cannot be an admin for a shared folder – they can only have "Read Only" access.
|
| Hide Passwords | Prohibits the user from seeing the credentials. They will be able to utilize the tools via Autofill or Autologin, but they will be unable to see the actual credentials.
Warning: In LastPass Families accounts, the "Hide Passwords" feature is not available for shared folder items. This means when you create a shared folder that includes password items, any family member with access to that shared folder can view the password associated with each shared item.
|
Shared folder management options
Once a shared folder is created and populated by the shared folder admin, there are 3 different ways in which the shared folder can be assigned out to additional users, as shown below.
| Folder assignment method | Instructions |
|---|---|
| The folder Admin assigns and manages the folder manually | From their vault the folder admin (e.g., the division manager) can add and remove users, and edit user permissions on an individual by individual basis. |
| Automate all folder assignments through the user group assignments in Active Directory | The creator of the folder can assign the folder to the appropriate user group from the existing Active Directory groups. Once this mapping is complete, the Active Directory Connector will manage all user additions and removals for you based on any relevant changes in the AD environment.
Restriction: This option does not apply to LastPass Teams accounts.
|
| Centralize the management function and have a dedicated person managing the groups manually through the new Admin Console | In this case, the designated individual would need to be a LastPass admin. Using Groups in the new Admin Console, the admin could add and delete users to groups, which would then map back to the relevant shared folders. The creator of the folder simply assigns the folder to the appropriate user group. In this scenario, you would typically publish the point of contact on your organization's LastPass wiki page or internal FAQs so that users would know to whom they should direct a change request.
Restriction: This option does not apply to LastPass Teams accounts.
|