# LastPass The Veza integration for LastPass Enterprise connects to the platform to discover users, groups, roles, and folders used to store and share passwords and other secrets. Use the integration to: * Search for LastPass users and shared folders, and create rules and alerts. * See effective permissions within LastPass for users and groups, based on their roles. * Review LastPass user > group, user > folder, and user > role assignments. ### Requirements {% hint style="warning" %} LastPass enterprise policies can restrict API access to report-only. This policy must be **disabled** to permit the Veza integration to make the required API calls. You can view and manage this policy under LastPass **Admin Console** > **Settings** > **Policies** > **Restrict Enterprise API to event reporting** {% endhint %} The connector uses the LastPass Enterprise API to fetch authorization metadata. You will need a LastPass *account number* (`cid`) and *provisioning hash* (`prohash`) to authenticate. To retrieve these values, log in to LastPass using an account with permission to access the Admin Console at . * Account ID: Unique Account ID provided by LastPass. This can be retrieved on page: * Provisioning Hash: This API secret can be generated on the LastPass Admin page. Go to [Advanced > Enterprise API](https://admin.lastpass.com/advanced/enterpriseApi) to manage provisoning hashes. * ![Regenerating a provisioning hash](/files/M3XwRrPo5JTCsIeoJZWj) > You can use an existing provisioning hash, which is unique for your organizations LastPass Enterprise API. If you cannot retrieve the current value, you will need to regenerate it and update any other applications to use the new hash. See [Where can I find the CID (account number) and API secret?](https://support.lastpass.com/s/document-item?bundleId=lastpass\&topicId=LastPass/t_cid_and_hash_locate.html) for the latest guidance from LastPass. ### Veza setup To enable Veza to gather data from the LastPass platform: 1. Browse to your Veza instance 2. In the left navigation, expand **Configuration**, then click **Integrations** 3. In the main pane, click **Add Integration**. Pick **LastPass**. 4. Enter the required details: * **Insight Point**: Use the default option unless you need to use an external Insight Point for the connection. * **Name**: A friendly name to identify the unique connection. * **Account ID**: The account number (CID) shown on the LastPass dashboard, e.g. `123456789012` * **Provisioning Hash**: your LastPass API secret, e.g. `94b95bc8bdf562b32e98eac06e9f6d597111e58XXXXXXX6584b3535d322718bc`. ### Notes and supported entities #### LastPass User Veza discovers and shows the following metadata for LastPass User entities. Attribute filters can be used to constrain searches and access reviews based on these properties: | Attribute (type) | Description | | ---------------------- | ----------------------------------------------------------------- | | id (text) | LastPass User ID | | name (text) | The full name of the user if set or Email is unset | | created\_at (datetime) | The date and time when of user account creation. | | is\_active (boolean) | Indicates whether the user's account is disabled (true or false). | | email (string) | Email address configured for user | | is\_admin (boolean) | Indicates if the user has admin privileges (true or false). | #### LastPass Group Veza discovers and shows the following metadata for LastPass Group entities. Attribute filters can be used to constrain searches and access reviews based on these properties: | Attribute (type) | Description | | ---------------- | ----------------- | | id (text) | LastPass Group ID | | name (text) | Group Name | #### LastPass Folder LastPass folders have the following attributes: | Attribute (type) | Description | | ---------------- | ------------------ | | id (text) | LastPass Folder ID | | name (text) | Folder Name | #### LastPass Application Roles The Veza LastPass integration discovers the user's role in LastPass as either **Admin** or **User**. LastPass does not currently return information about customer-created Admin Levels. Any admin-level user will be assigned the Admin role for the LastPass application. All other users will be assigned the **User** role. #### LastPass Folder Roles Users assigned to a Shared Folder (either directly or by group membership) have Roles based on the configuration of permissions on the assignment. Veza creates these Access Graph entities to represent access controls enabled when managing Shared Folder recipients in LastPass: | LastPass Configuration | State | Veza Role | | ---------------------- | ---------- | --------------------- | | **Read-Only** | Checked | Folder Read-Only | | **Read-Only** | Un-checked | Folder User | | **Administrate** | Checked | Folder Administrate | | **Hide Passwords** | Unchecked | Folder View Passwords | A user may have multiple roles on a folder based on the pairings of these permissions. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/lastpass.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.