HELP FILE

What permissions can I assign to a custom admin?

    Custom admins can be granted a variety of modify and view permissions in the Admin Console, allowing them to manage users, groups, directories, and so on.

    Custom admin permissions are grouped into several categories, as shown in the table below.

    Tip: When you are adding a new custom admin level and assigning permissions (Users > Admin levels > New admin level), hover over the View and Modify checkboxes of any permission category to find out what each permission does.
    Category Sub-category View permission Modify permission
    Dashboard
    Dashboard
    Allows access to the adoption dashboard, which is a data visualization tool that quickly highlights pressing issues or gaps you may have in your LastPass enrollment and adoption

    The View permission automatically comes with the Users > View and Users > Modify permissions, allowing a custom admin to take action in response to the insight provided by the dashboard.

    N/A

    Users and groups
    Users
    Allows the managing of users in your organization such as adding, editing, and deleting

    The View permission allows a custom admin to:

    • View, search, and export users on the Users > Users page
    • View the profile details, account details, and group details of individual users on the Users > Users page (when clicking a user entry)
    • View groups, users assigned to a particular group, and policies assigned to a group on the Users > Groups page (when clicking a group entry)
    • View admin levels and users assigned to a particular admin level on the Users > Admin levels page (when clicking an admin level entry)

    Enabling the Modify permission, automatically assigns the Users > View permission.

    The Modify permission allows a custom admin to:

    • Access all functionalities available through Users > Users > Add Users
    • Access the following functionalities available for a single user or multiple selected users on the Users > Users page (when clicking the checkbox of a single user or multiple users):
      • Resend invitation
      • Activate/disable users
      • Delete users
      • Remove from company
      • Set initial password
      • Enable federated login
      • Disable federated login
    • Access the following functionalities available for a single user on the Users > Users page (when clicking a user entry):
      • Edit user profile
      • Display sites assigned to user
    • Access the following functionalities on the Users > Groups page (when clicking a group in the list displayed and clicking the icon):
      • Invite
      • Disable users
      • Delete users
      • Remove from company
    Groups
    Allows for group management

    N/A

    Enabling the Modify permission, automatically assigns the Users > View permission.

    The Modify permission allows a custom admin to:

    • Create new group
    • Assign users to a group
    • Remove users from a group
    • Edit group name
    • Delete group
    Directories and federation
    Allows for the management of directory integrations (AD Connector, Azure AD, Okta, OneLogin, Google Workspace, PingOne, LastPass Provisioning API) and federated login solutions ( AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin

    N/A

    Enabling the Directories and federation > Modify permission, automatically assigns the Users > View permission.

    The Modify permission allows a custom admin to:

    • View Users > Directories and Users > Federated login pages
    • Perform the following actions on the Users > Directories page:
      • Download AD Connector
      • Reset provisioning token for Azure AD, Okta, and OneLogin
    • Perform the following actions on the Users > Federated login page (AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin):
      • Provide URLs, keys, and client IDs
      • Edit configuration details using the various checkboxes
      • Save changes
    User-level MFA
    Allows for the management of user-level multifactor authentication (MFA) settings

    N/A

    Enabling the User-level MFA > Modify permission, automatically assigns the Users > View permission.

    The Modify permission allows a custom admin to:

    • Access the following functionalities on the Users > Users page:
      • Send/Resend invitation for passwordless
      • Disable multifactor authentication
      • View registered device details of an individual user and lock/unlock registered device
    • Access the following functionalities on the Users > Groups page (when clicking a group in the list displayed and clicking the icon):
      • Resend invitations for passwordless
      • Disable multifactor authentication

    Reporting

    Allows for the viewing of reports on various activities, for example, for audit purposes

    General reports
    Allows for the viewing of events related to user, admin, and site login activities, as well as security risks

    The View permission allows a custom admin to:

    • View and search activities and security risks shown on the Reporting > General reports page
    • Export user and admin activity reports available on the Reporting > General reports page

    N/A

     
    LastPass SSO Login Activity
    Allows for the viewing of login activities related to SSO app usage

    The View permission allows a custom admin to:

    • View and search SSO login data shown on the Reporting > SSO login activity page

    N/A

     
    LastPass SAML Response
    Allows for the viewing of SAML events from users

    The View permission allows a custom admin to:

    • View and search SAML events shown on the Reporting > SAML response page

    N/A

     
    LastPass MFA User Activity
    Allows for the viewing of MFA actions performed by users

    The View permission allows a custom admin to:

    • View and search user activity data shown on the Reporting > MFA user activity page

    N/A

     
    LastPass MFA Admin Activity
    Allows for the viewing of MFA actions performed by admins

    The View permission allows a custom admin to:

    • View and search admin activity data shown on the Reporting > MFA admin activity page

    N/A