LastPass
Configuring the Veza integration for LastPass
The Veza integration for LastPass Enterprise connects to the platform to discover users, groups, roles, and folders used to store and share passwords and other secrets. Use the integration to:
Search for LastPass users and shared folders, and create rules and alerts.
See effective permissions within LastPass for users and groups, based on their roles.
Review LastPass user > group, user > folder, and user > role assignments.
Requirements
LastPass enterprise policies can restrict API access to report-only. This policy must be disabled to permit the Veza integration to make the required API calls.
You can view and manage this policy under LastPass Admin Console > Settings > Policies > Restrict Enterprise API to event reporting
The connector uses the LastPass Enterprise API to fetch authorization metadata. You will need a LastPass account number (cid) and provisioning hash (prohash) to authenticate. To retrieve these values, log in to LastPass using an account with permission to access the Admin Console at https://admin.lastpass.com.
Account ID: Unique Account ID provided by LastPass. You can find it on the dashboard page: https://admin.lastpass.com/dashboard
Provisioning Hash: This API secret can be generated on the LastPass Admin page. Go to Advanced > Enterprise API to manage provisioning hashes.
You can use an existing provisioning hash, which is unique to your organization's LastPass Enterprise API. If you cannot retrieve the current value, you will need to regenerate it and update any other applications to use the new hash.
See Where can I find the CID (account number) and API secret? for the latest guidance from LastPass.
Veza setup
To enable Veza to gather data from the LastPass platform:
Browse to your Veza instance
In the left navigation, expand Configuration, then click Integrations
In the main pane, click Add Integration. Pick LastPass.
Enter the required details:
Insight Point: Use the default option unless you need to use an external Insight Point for the connection.
Name: A friendly name to identify the unique connection.
Account ID: The account number (CID) shown on the LastPass dashboard, e.g. 123456789012
Provisioning Hash: your LastPass API secret, e.g. 94b95bc8bdf562b32e98eac06e9f6d597111e58XXXXXXX6584b3535d322718bc.
Notes and supported entities
LastPass User
Veza discovers and shows the following metadata for LastPass User entities. Attribute filters can be used to constrain searches and access reviews based on these properties:
Attribute (type) | Description |
---|---|
id (text) | LastPass User ID |
name (text) | The full name of the user if set or Email is unset |
created_at (datetime) | The date and time of user account creation. |
is_active (boolean) | Indicates whether the user's account is disabled (true or false). |
email (string) | Email address configured for user |
is_admin (boolean) | Indicates if the user has admin privileges (true or false). |
LastPass Group
Veza discovers and shows the following metadata for LastPass Group entities. Attribute filters can be used to constrain searches and access reviews based on these properties:
Attribute (type) | Description |
---|---|
id (text) | LastPass Group ID |
name (text) | Group Name |
LastPass Folder
LastPass folders have the following attributes:
Attribute (type) | Description |
---|---|
id (text) | LastPass Folder ID |
name (text) | Folder Name |
LastPass Application Roles
The Veza LastPass integration discovers the user's role in LastPass as either Admin or User. LastPass does not currently return information about customer-created Admin Levels. Any admin-level user will be assigned the Admin role for the LastPass application. All other users will be assigned the User role.
LastPass Folder Roles
Users assigned to a Shared Folder (either directly or by group membership) have Roles based on the configuration of permissions on the assignment.
Veza creates these Authorization Graph entities to represent access controls enabled when managing Shared Folder recipients in LastPass:
LastPass Configuration | State | Veza Role |
---|---|---|
Read-Only | Checked | Folder Read-Only |
Read-Only | Unchecked | Folder User |
Administrate | Checked | Folder Administrate |
Hide Passwords | Unchecked | Folder View Passwords |
A user may have multiple roles on a folder based on the pairings of these permissions.
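The mapping in the table above, worked through for an access review, as an added example that is not Veza's or LastPass's own code. The record layout, field names, and sample data are constructed for illustration, and combining a user's direct and group-derived assignments into one role set is an assumption.

```python
from collections import defaultdict

def folder_roles(read_only, administrate, hide_passwords):
    """Map one Shared Folder assignment's checkboxes to the roles in the table.
    Only the four table rows are mapped; other states add no role."""
    roles = {"Folder Read-Only" if read_only else "Folder User"}
    if administrate:
        roles.add("Folder Administrate")
    if not hide_passwords:
        roles.add("Folder View Passwords")
    return roles

def effective_folder_roles(assignments, group_members):
    """Union roles per (user, folder), expanding group assignments to members.
    Assumption: direct and group-derived roles on the same folder are combined."""
    result = defaultdict(set)
    for a in assignments:
        roles = folder_roles(a["read_only"], a["administrate"], a["hide_passwords"])
        if a["type"] == "user":
            users = [a["principal"]]
        else:
            users = group_members.get(a["principal"], [])
        for user in users:
            result[(user, a["folder"])] |= roles
    return dict(result)

def holders_of(effective, role):
    """Return sorted (user, folder) pairs holding a role, e.g. for a review."""
    return sorted(key for key, roles in effective.items() if role in roles)

# Constructed sample data (hypothetical layout, not a LastPass API response).
GROUP_MEMBERS = {"it-ops": ["alice@example.com", "bob@example.com"]}
ASSIGNMENTS = [
    {"folder": "Prod Secrets", "type": "group", "principal": "it-ops",
     "read_only": True, "administrate": False, "hide_passwords": True},
    {"folder": "Prod Secrets", "type": "user", "principal": "alice@example.com",
     "read_only": False, "administrate": True, "hide_passwords": False},
]

if __name__ == "__main__":
    effective = effective_folder_roles(ASSIGNMENTS, GROUP_MEMBERS)
    for (user, folder), roles in sorted(effective.items()):
        print(f"{user} on {folder}: {', '.join(sorted(roles))}")
    print("Can view passwords:", holders_of(effective, "Folder View Passwords"))
```

In this sample the group assignment alone gives both members Folder Read-Only, while the direct assignment adds Folder User, Folder Administrate, and Folder View Passwords for one of them.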