A ‘Shared Folder’ is a special folder in your vault that you can use to securely and easily share sites and notes with other people in your Enterprise account. Changes to the Shared Folder are synchronized automatically to everyone with whom the folder has been shared. Different access controls, such as 'Hide Passwords', can be set on a person-by-person basis. Shared Folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.
With Shared Folders:
- Anyone can create a shared folder.
- Simple to configure and maintain.
- You can share hundreds of passwords with hundreds of users individually or via user groups.
- Changes automatically propagate to all assigned users.
Limitations of Shared Folders
The current limitations of Shared Folders are:
- Sites can be copied to multiple folders but must be updated manually in every folder. The better option is to use ‘restrict’ to limit access for a specific subset of users, rather than copying the site into multiple folders.
- Site entries cannot be directly imported into Shared Folders.
- Form Fill Profiles cannot be shared.
- Individually shared sites cannot be added to a Shared Folder; a copy will have to be made.
- If an individual is assigned to a Shared Folder by group access, they are no longer available to be added individually. They can be added through another user group.
- If a user is added more than once to a Shared Folder via two different groups, the most restrictive settings take priority.
- A Sub-folder cannot have separate permissions from its parent Shared Folder.
- Empty Shared Folders cannot be seen by users in the Online Vault; they must have data added to them first or be viewed in the Local Vault.
- Users MUST generate sharing keys before being added to folders. This is done automatically by logging into the plugin at least once after creating an account when using Firefox, Chrome, Opera, and Internet Explorer. For Safari only, sharing keys are created using the "Generate Sharing Keys" button in the online vault. This can only be circumvented by enabling the "Pre-Create Sharing Key" Policy.
Creating and Using Shared Folders
To create a new Shared Folder, log in to your LastPass Vault and click on the ‘Manage Shared folders’ link from the ‘Actions’ menu:
This will take you to the main Shared Folders dialog:
This gives you the options of creating new shared folders, or editing and deleting old shared folders. To create a new Shared folder, simply click Create A New Shared Folder. You'll be taken to the new folder dialog, where you can enter a folder name. Once you have given the folder a name, hit ‘Add’.
After creating, you'll be taken back to the main shared folder dialog. In order to assign users, click ‘Edit’ next to any given folder and then select the appropriate group or user from the dropdown menu. You can also add User Groups to Shared Folders. Groups can be added and edited by LastPass Administrators only. All users who are a part of the group will be given access to the Shared Folder once you add the group.
With each user or group, you have several additional choices regarding access via the Edit Screen and when you initially add the user or group to the folder:
- ‘Read-only’ prohibits the user from adding/removing items to/from a Shared Folder. It also prevents the user from saving any updated username or password to the folder. However, we cannot block the update from transpiring at the site level. This option could, therefore, result in a lockout by the rest of the team. It is our recommendation, therefore, that you articulate a 'no update' policy outside of LastPass (if this is, in fact, your goal) and that you do not select 'read only'. If the user still updates the credentials, then the change will save back to LastPass, and the event will be captured in the reports so that you are able to track it back to the owner.
- ‘Hide Passwords’ prohibits the user from seeing the credentials. They will be able to utilize the tools via autofill or autologin, but they will be unable to see the actual credentials.
- ‘Can Administer’ will grant the user equal admin rights over the shared folder including: adding and removing users and restricting access to individual sites in the folder.
- ‘Notify User Via Email’ will send the user a notification regarding their assignment to the shared folder. Please note, this is only available upon the initial addition of the users to the group.
Once you have made these selections, hit ‘Share’ and the user will be added to the list of assigned users. Next to each user’s name you will see the ‘Restrict’ and ‘Remove’ options:
- The 'Remove' button will remove the user or group from the Shared Folder. This revokes access to the folder and any sites stored within, and automatically deletes the Shared Folder from the user’s Vault, thereby preventing any future access to the sites or notes within the folder.
- The 'Restrict' feature allows you to limit access on a site-by-site, user-by-user basis. Simply hit ‘Restrict’ next to the appropriate user in order to prohibit access to any number of sites within the folder. By default, all items placed in a Shared Folder will be made available to every user unless they are restricted by moving the item from column A to column B. However, on the 'Restrict' screen, the toggle below the columns will reverse this logic. When selected, all items in column A will be unavailable to the user until they are moved to column B. Many enterprises prefer this 'opt in' rather than 'opt out' approach.
Once added, the Shared Folders will appear in your vault within 15 minutes. If you prefer to shorten this duration, you can alter this setting by clicking on the LastPass plug-in and selecting 'Preferences' -> 'Advanced' -> 'Poll Server for account changes (mins)'. Enter the number of minutes you desire, ranging from 1 minute upward. Frequent polling may create a slight delay in the user experience, but this should be negligible. Alternatively, you can manually force the poll simply by clicking on the plug-in and selecting 'Tools' -> 'Refresh Sites'.
Now that the folder has been created and is in your Vault, you can proceed to populate the folder with sites and Secure Notes via several methods:
- Drag and drop
- Right-click in Local Vault and select 'Change Group'
- Edit site (in plugin) and select 'Change Group'
- Add a new site and set the 'Group' to the Shared Folder name
Adding User Groups to Shared Folders
You can now add users to Shared Folders using User Groups. This is a quick and easy way to add pre-made groups of users to Shared Folders. User groups are added to Shared Folders just like individuals; the groups are available in the dropdown list of users when you create or edit a Shared Folder. You can set 'Read-only', 'Hide Passwords', and 'Can Administer' access once for the entire group. You can also restrict what sites the group can view just like you can for an individual user. When adding groups to Shared Folders, there are a few things to keep in mind to avoid conflicts:
- If you add a user to a User Group that is assigned to a Shared Folder, they will gain access to that Shared Folder.
- If you add a user to your Enterprise via the Active Directory or LDAP sync, and the user is synced straight into a group that has already been assigned access to a Shared Folder, that user must be removed and then re-added to the Shared Folder in order to gain full access. The user will not have access to the shared folder through the AD/LDAP sync because he or she will still need to log in to generate sharing keys.
- If a user is added to a folder via a group, they can no longer be added individually. A user can be added to a Shared Folder more than once by adding two different groups they are a part of, or by adding them individually first and then adding them via a group.
- If a user is added to a Shared Folder individually and then via a group, the most restrictive settings will take precedence. This applies to 'Read-only', 'Hide Passwords', and 'Can Administer' rights, as well as what restrictions are in place regarding what sites can be seen in the folder.
- When a non-Enterprise admin creates a Shared Folder, they are able to add both individuals and groups. These non-admins do not have the ability to see who is in what group, so they should be aware who is in what user group before adding them to a Shared Folder.
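The "most restrictive settings take precedence" rule and the 'Restrict' toggle can be modelled offline to audit what a user who reaches a folder through several paths actually ends up with. The following is an added example, not LastPass code: the class, function and field names, the sample groups and sites, and the reading of "most restrictive" for 'Can Administer' (granted only if every path grants it) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One row in a folder's assigned-users list (a user or a group)."""
    principal: str                      # user e-mail or group name
    read_only: bool = False
    hide_passwords: bool = False
    can_administer: bool = False
    column_b: frozenset = frozenset()   # sites moved to column B on 'Restrict'
    opt_in: bool = False                # True when the toggle is selected

    def visible(self, folder_sites):
        # Default: column B is blocked. Toggle selected: only column B is available.
        if self.opt_in:
            return set(folder_sites) & self.column_b
        return set(folder_sites) - self.column_b


def effective_access(user, folder_sites, assignments, groups):
    """Merge every assignment that reaches `user`; the most restrictive wins."""
    hits = [a for a in assignments
            if a.principal == user or user in groups.get(a.principal, ())]
    if not hits:
        return None  # no path into the folder
    sites = set(folder_sites)
    for a in hits:
        sites &= a.visible(folder_sites)   # a site must be visible on every path
    return {
        "via": sorted(a.principal for a in hits),
        "read_only": any(a.read_only for a in hits),
        "hide_passwords": any(a.hide_passwords for a in hits),
        "can_administer": all(a.can_administer for a in hits),
        "sites": sorted(sites),
    }


# Constructed sample data (hypothetical users, groups and sites)
GROUPS = {"Ops": {"alice@example.com", "bob@example.com"},
          "Contractors": {"bob@example.com"}}
FOLDER_SITES = {"aws-console", "vpn-portal", "payroll"}
ASSIGNMENTS = [
    Assignment("Ops", can_administer=True),
    Assignment("Contractors", hide_passwords=True, opt_in=True,
               column_b=frozenset({"vpn-portal"})),
]

if __name__ == "__main__":
    for u in ("alice@example.com", "bob@example.com"):
        print(u, effective_access(u, FOLDER_SITES, ASSIGNMENTS, GROUPS))
```

In the sample, bob is in both groups, so the administer right granted through 'Ops' is lost and only the one site opted in through 'Contractors' remains visible.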
Important note: Savvy end users could potentially access a hidden password if they capture it using advanced techniques during the login process such as using another password manager. LastPass recommends that you ensure that you've used a generated password specific to the individual site that you are sharing, and that you refrain from sharing any passwords that you are uncomfortable with the recipient obtaining. Regardless, LastPass helps facilitate the seamless update of passwords so that you can change them frequently and at a moment’s notice, without your end users even knowing that an update has taken place.
Active Directory Synced Groups and Shared Folders
You can use the LastPass Active Directory Synchronization Service to automatically provision and sync users and user groups from your Active Directory into your LastPass Enterprise, but there are a few limitations with AD Synced Groups and Shared Folders due to how the encryption and folder assignment works:
- When you sync an Active Directory user group into LastPass and assign the group to a Shared Folder before all users have logged in, the users will not be able to access the Shared Folder. This will happen regardless of whether or not you have the Pre-Create Sharing Key policy engaged. If you plan to sync user groups via AD, we suggest ensuring all your users have logged into the plugin at least once (thereby automatically generating a sharing key) before assigning the group to a Shared Folder.
- If you individually sync a single user into a group that is already assigned to a Shared Folder, you will need to remove the user from the group and re-add the user to the group after the user has logged into the plugin and automatically generated a sharing key. After re-adding to the group, the user will have access to any Shared Folders the group is assigned to.
For a better solution and easier long-term maintenance, LastPass recommends provisioning users with our simple LastPass Provisioning API.