LastPass

Configuring the Veza integration for LastPass

The Veza integration for LastPass Enterprise connects to the platform to discover users, groups, roles, and folders used to store and share passwords and other secrets. Use the integration to:

  • Search for LastPass users and shared folders, and create rules and alerts.

  • See effective permissions within LastPass for users and groups, based on their roles.

  • Review LastPass user > group, user > folder, and user > role assignments.

Requirements

LastPass enterprise policies can restrict API access to report-only. This policy must be disabled to permit the Veza integration to make the required API calls.

You can view and manage this policy under LastPass Admin Console > Settings > Policies > Restrict Enterprise API to event reporting.

The connector uses the LastPass Enterprise API to fetch authorization metadata. You will need a LastPass account number (cid) and provisioning hash (prohash) to authenticate. To retrieve these values, log in to LastPass using an account with permission to access the Admin Console at https://admin.lastpass.com.

You can use an existing provisioning hash, which is unique to your organization's LastPass Enterprise API. If you cannot retrieve the current value, you will need to regenerate it and update any other applications to use the new hash.

See "Where can I find the CID (account number) and API secret?" for the latest guidance from LastPass.

Veza setup

To enable Veza to gather data from the LastPass platform:

  1. Browse to your Veza instance.

  2. In the left navigation, expand Configuration, then click Integrations.

  3. In the main pane, click Add Integration. Pick LastPass.

  4. Enter the required details:

    • Insight Point: Use the default option unless you need to use an external Insight Point for the connection.

    • Name: A friendly name to identify the unique connection.

    • Account ID: The account number (CID) shown on the LastPass dashboard, e.g. 123456789012.

    • Provisioning Hash: your LastPass API secret, e.g. 94b95bc8bdf562b32e98eac06e9f6d597111e58XXXXXXX6584b3535d322718bc.

Notes and supported entities

LastPass User

Veza discovers and shows the following metadata for LastPass User entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

| Attribute (type) | Description |
| --- | --- |
| id (text) | LastPass User ID |
| name (text) | The full name of the user if set, or Email if unset |
| created_at (datetime) | The date and time of user account creation. |
| is_active (boolean) | Indicates whether the user's account is disabled (true or false). |
| email (string) | Email address configured for user |
| is_admin (boolean) | Indicates if the user has admin privileges (true or false). |

LastPass Group

Veza discovers and shows the following metadata for LastPass Group entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

| Attribute (type) | Description |
| --- | --- |
| id (text) | LastPass Group ID |
| name (text) | Group Name |

LastPass Folder

LastPass folders have the following attributes:

| Attribute (type) | Description |
| --- | --- |
| id (text) | LastPass Folder ID |
| name (text) | Folder Name |

LastPass Application Roles

The Veza LastPass integration discovers the user's role in LastPass as either Admin or User. LastPass does not currently return information about customer-created Admin Levels. Any admin-level user will be assigned the Admin role for the LastPass application. All other users will be assigned the User role.

LastPass Folder Roles

Users assigned to a Shared Folder (either directly or by group membership) have Roles based on the configuration of permissions on the assignment.

Veza creates these Authorization Graph entities to represent access controls enabled when managing Shared Folder recipients in LastPass:

| LastPass Configuration | State | Veza Role |
| --- | --- | --- |
| Read-Only | Checked | Folder Read-Only |
| Read-Only | Unchecked | Folder User |
| Administrate | Checked | Folder Administrate |
| Hide Passwords | Unchecked | Folder View Passwords |

A user may have multiple roles on a folder based on the pairings of these permissions.
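The pairing described above can be worked through in code. This is an added example, not Veza or LastPass code: it derives the role set for each user on a folder from the table's four rows, then lists the users an access review would look at first. The field names, the sample data, the union across direct and group assignments, and the treatment of states the table does not list are assumptions.

```python
# Added illustration: field names and sample data are constructed,
# not a Veza or LastPass schema.
from collections import defaultdict

def folder_roles(read_only, administrate, hide_passwords):
    """Roles for one Shared Folder assignment, following the table's four rows."""
    # Assumption: states the table does not list (Administrate unchecked,
    # Hide Passwords checked) add no role.
    roles = {"Folder Read-Only" if read_only else "Folder User"}
    if administrate:
        roles.add("Folder Administrate")
    if not hide_passwords:
        roles.add("Folder View Passwords")
    return roles

def effective_roles(assignments, group_members):
    """Union of roles per (user, folder) over direct and group assignments (assumed)."""
    result = defaultdict(set)
    for a in assignments:
        if a["kind"] == "group":
            users = group_members.get(a["principal"], [])
        else:
            users = [a["principal"]]
        roles = folder_roles(a["read_only"], a["administrate"], a["hide_passwords"])
        for user in users:
            result[(user, a["folder"])] |= roles
    return dict(result)

def admins_with_password_view(effective):
    """(user, folder) pairs that can both administer a folder and see its passwords."""
    wanted = {"Folder Administrate", "Folder View Passwords"}
    return sorted(key for key, roles in effective.items() if wanted <= roles)

# Constructed sample: one group assignment and one direct assignment.
GROUP_MEMBERS = {"Finance": ["alice@example.com", "bob@example.com"]}
ASSIGNMENTS = [
    {"folder": "Payroll", "kind": "group", "principal": "Finance",
     "read_only": True, "administrate": False, "hide_passwords": True},
    {"folder": "Payroll", "kind": "user", "principal": "alice@example.com",
     "read_only": False, "administrate": True, "hide_passwords": False},
]

if __name__ == "__main__":
    effective = effective_roles(ASSIGNMENTS, GROUP_MEMBERS)
    for (user, folder), roles in sorted(effective.items()):
        print(user, folder, sorted(roles))
    print("review first:", admins_with_password_view(effective))
```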
