
Helpdesk 101: How to Safeguard Access to the Admin Dashboard

Amber Steel, April 18, 2019

Historically, there were two roles in LastPass Enterprise: Admin and User. Admins were given complete access to and control over the admin dashboard, with the ability to manage users, edit policies, view reporting, and more. As you can see, that’s a lot of power for anyone designated as an admin!

As we discussed in our recent Master Class, we soon realized that an all-or-nothing approach to admin access didn’t meet the needs of many organizations. What if the Finance department needed to view billing statements? Or what if the IT helpdesk staff needed to help employees with basic LastPass tickets? The challenge was giving key employees access to the information they needed to do their jobs – without giving them the ability to change policies, delete users, or potentially abuse LastPass admin powers.

The Helpdesk role gives admins more flexibility

To address this, we created the Helpdesk Admin role. With this role, permissions can be tailored to suit different departments and employee permission levels. For example, assign the helpdesk admin role to IT team members who handle day-to-day internal support tickets on password resets, without giving them access to all privileged information in the LastPass Enterprise admin dashboard. Or, select key team members to be admins so they can set security policies and provision new users as needed.

Customizing Roles for IT Helpdesk

LastPass Enterprise admins can create as many custom admin roles as needed by doing the following:
  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Advanced Options > Roles > Add Role.
  3. Fill in the "Role Name" and "Role Description" fields.
  4. Check the box(es) to enable your desired permissions for this role in the "Allow Permission Tree" section.
  5. Click Add when finished. 
Now permissions better reflect the needs of your organization. You don’t need to choose between giving someone access to everything, or nothing at all.

Helpdesk Admin – Restricted Admin Policy

We recently added a new policy specifically with helpdesk staff in mind. This policy is intended for the least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions.

With this policy, you can give your helpdesk staff the ability to reset users’ master passwords, reset multifactor authentication, and access the Users and Groups pages within the admin dashboard. You decide the level of permissions they need.

You can restrict their level of Admin Console access by enabling the "Helpdesk Admin - Restricted Administrator" policy in the Policies tab of the Admin Console, and selecting one of the following configurations:
  1. Only allows Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
  2. Only allows the following actions:
     - Reset Master Password for users (also requires enabling the "Super Admin - Master Password Reset" policy)
     - Disable Multifactor Authentication for users
  3. Only allows management of the Users page
  4. Only allows management of the Users and Groups pages

Your organization, your admin permissions

Ultimately, more granular control over admin permissions means better security and improved oversight of LastPass in your organization. You’ll ensure that employees, especially IT helpdesk staff, can focus on getting their work done, while you can feel confident that their access to LastPass is appropriate and secure. If you’re looking for more tips and best practices for empowering your IT helpdesk staff, be sure to check out the recording of our recent LastPass Enterprise Master Class!