Helpdesk 101: How to Safeguard Access to the Admin Dashboard


Historically, there were two roles in LastPass Enterprise: Admin and User. Admins were given complete access to and control over the admin dashboard, with the ability to manage users, edit policies, view reporting, and more. As you can see, that’s a lot of power for anyone designated as an admin!  

As we discussed in our recent Master Class, we soon realized that an all-or-nothing approach to admin access didn’t meet the needs of many organizations. What if the Finance department needed to view billing statements? Or what if the IT helpdesk staff needed to help employees with basic LastPass tickets? The challenge was giving key employees access to the information they needed to do their jobs – without giving them the ability to change policies, delete users, or potentially abuse LastPass admin powers. 

The Helpdesk role gives admins more flexibility 

To address this, we created the Helpdesk Admin role. With this role, permissions can be tailored to suit different departments and employee permission levels.  

For example, assign the Helpdesk Admin role to IT team members who handle day-to-day internal support tickets on password resets, without giving them access to all privileged information in the LastPass Enterprise admin dashboard. Or, select key team members to be admins so they can set security policies and provision new users as needed.

Customizing Roles for IT Helpdesk 

LastPass Enterprise admins can create as many custom admin roles as needed by doing the following: 

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard. 
  2. Go to Advanced Options > Roles > Add Role. 
  3. Fill in the “Role Name” and “Role Description” fields. 
  4. Check the box(es) to enable your desired permissions for this role in the “Allow Permission Tree” section. 
  5. Click Add when finished.  

Now permissions better reflect the needs of your organization. You don’t need to choose between giving someone access to everything, or nothing at all. 

Helpdesk Admin – Restricted Admin Policy 

We recently added a new policy specifically with helpdesk staff in mind. This policy is intended for the least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions.  

With this policy, you can give your helpdesk staff the ability to reset users’ master passwords, reset multifactor authentication, and access the Users and Groups pages within the admin dashboard. You decide the level of permissions they need.

You can restrict their level of Admin Console access by enabling the “Helpdesk Admin – Restricted Administrator” policy in the Policies tab of the Admin Console, and selecting one of the following configurations: 

  1. Only allows Reset Master Password for users (also requires enabling the “Super Admin – Master Password Reset” policy)
  2. Only allows the following actions:
     • Reset Master Password for users (also requires enabling the “Super Admin – Master Password Reset” policy)
     • Disable Multifactor Authentication for users
  3. Only allows management of the Users page
  4. Only allows management of the Users and Groups pages

Your organization, your admin permissions 

Ultimately, more granular control over admin permissions means better security and improved oversight of LastPass in your organization. You’ll ensure that employees, especially IT helpdesk staff, can focus on getting their work done, while you can feel confident that their access to LastPass is appropriate and secure. 

If you’re looking for more tips and best practices for empowering your IT helpdesk staff, be sure to check out the recording of our recent LastPass Enterprise Master Class! 

4 Comments

  • Ron Kessler says:

    When I am looking for a password, I am first asked for the Master Password, which I Do Not always remember. I am 86 years old! Can I do away with that requirement?

    • Amber Steel says:

      The master password is currently required, but you can select the option to “remember password” so you don’t have to type it when using LastPass. We don’t recommend this because it’s more likely you’ll forget your master password, but you can certainly use it if it helps.

  • Mohd Arif says:

    I am a long-time LastPass user. In the most recent GUI I am facing lots of issues related to the form filling section. Yes, I know, the user can create a custom form. I created one the right way but am not able to set a hotkey, and when we fill the form manually the web address text field only fills “https”, not the complete URL which we set manually on the custom field. Second thing is forms are not filled by the hotkey, and if we create one custom form then we cannot choose it in the General>Default Form Fill place. That’s why I am looking for an alternative to LastPass…

    • Amber Steel says:

      Thanks for the feedback, we’ve passed it to the product team for their consideration. We do have several improvements on the way in the next few weeks after we received feedback from users on the new release!