About custom admin level permissions

Custom admins can be granted a variety of modify and view permissions in the Admin Console, allowing them to manage users, groups, directories, and so on.

Custom admin permissions are grouped into several categories, as shown in the table below.

Tip: When you are adding a new custom admin level and assigning permissions (Users > Admin levels > New admin level), hover over the View and Modify checkboxes of any permission category to find out what each permission does.

Category	Sub-category	View permission	Modify permission
Dashboard	Dashboard Allows access to the adoption dashboard, which is a data visualization tool that quickly highlights pressing issues or gaps you may have in your LastPass enrollment and adoption	The View permission automatically comes with the Users > View and Users > Modify permissions, allowing a custom admin to take action in response to the insight provided by the dashboard.	N/A
Users and groups	Users Allows the managing of users in your organization such as adding, editing, and deleting	The View permission allows a custom admin to: View, search, and export users on the Users > Users page View the profile details, account details, and group details of individual users on the Users > Users page (when clicking a user entry) View groups, users assigned to a particular group, and policies assigned to a group on the Users > Groups page (when clicking a group entry) View admin levels and users assigned to a particular admin level on the Users > Admin levels page (when clicking an admin level entry)	Enabling the Modify permission, automatically assigns the Users > View permission. The Modify permission allows a custom admin to: Access all functionalities available through Users > Users > Add Users Access the following functionalities available for a single user or multiple selected users on the Users > Users page (when clicking the checkbox of a single user or multiple users): Resend invitation Activate/disable users Delete users Remove from company Set initial password Enable federated login Disable federated login Access the following functionalities available for a single user on the Users > Users page (when clicking a user entry): Edit user profile Display sites assigned to user Access the following functionalities on the Users > Groups page (when clicking a group in the list displayed and clicking the … icon): Invite Disable users Delete users Remove from company
	Groups Allows for group management	N/A	Enabling the Modify permission, automatically assigns the Users > View permission. The Modify permission allows a custom admin to: Create new group Assign users to a group Remove users from a group Edit group name Delete group
	Directories and federation Allows for the management of directory integrations (AD Connector, Azure AD, Okta, OneLogin, Google Workspace, PingOne, LastPass Provisioning API) and federated login solutions ( AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin	N/A	Enabling the Directories and federation > Modify permission, automatically assigns the Users > View permission. The Modify permission allows a custom admin to: View Users > Directories and Users > Federated login pages Perform the following actions on the Users > Directories page: Download AD Connector Reset provisioning token for Azure AD, Okta, and OneLogin Perform the following actions on the Users > Federated login page (AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin): Provide URLs, keys, and client IDs Edit configuration details using the various checkboxes Save changes
	User-level MFA Allows for the management of user-level multifactor authentication (MFA) settings	N/A	Enabling the User-level MFA > Modify permission, automatically assigns the Users > View permission. The Modify permission allows a custom admin to: Access the following functionalities on the Users > Users page: Send/Resend invitation for passwordless Disable multifactor authentication View registered device details of an individual user and lock/unlock registered device Access the following functionalities on the Users > Groups page (when clicking a group in the list displayed and clicking the … icon): Resend invitations for passwordless Disable multifactor authentication
Reporting Allows for the viewing of reports on various activities, for example, for audit purposes	General reports Allows for the viewing of events related to user, admin, and site login activities, as well as security risks	The View permission allows a custom admin to: View and search activities and security risks shown on the Reporting > General reports page Export user and admin activity reports available on the Reporting > General reports page	N/A
	LastPass SSO Login Activity Allows for the viewing of login activities related to SSO app usage	The View permission allows a custom admin to: View and search SSO login data shown on the Reporting > SSO login activity page	N/A
	LastPass SAML Response Allows for the viewing of SAML events from users	The View permission allows a custom admin to: View and search SAML events shown on the Reporting > SAML response page	N/A
	LastPass MFA User Activity Allows for the viewing of MFA actions performed by users Restriction: This feature might not be available for your account as this is a legacy feature.	The View permission allows a custom admin to: View and search user activity data shown on the Reporting > MFA user activity page	N/A
	LastPass MFA Admin Activity Allows for the viewing of MFA actions performed by admins Restriction: This feature might not be available for your account as this is a legacy feature.	The View permission allows a custom admin to: View and search admin activity data shown on the Reporting > MFA admin activity page	N/A