buffyg
New Member

LastPass Enterprise AD Agent

You document that there is a Super Admin role. I have no evidence it exists: it's not in the roles page, the described privileges, which have to be enabled by policy, can only be assigned by enumerating users (and not roles) into the policy. The role page doesn't allow these privileges to be assigned to any role.
7 REPLIES
buffyg
New Member

Help Desk role from documentation doesn't exist

You document a built-in but customisable Help Desk Admin role. It wasn't there, and I've checked for role deletions in the audit log and found none. It's not a huge problem, since the role can be customised, it can be created from scratch, but it caused great confusion that it wasn't there in the first place but is documented as though it should.
buffyg
New Member

LastPass Enterprise Role assignment tab for User management

The LastPass Enterprise Role assignment tab for a User caches name information from the previous user. This is dangerously confusing.
buffyg
New Member

LastPass Enterprise Okta integration

The documentation for LastPass Enterprise clearly states as the first FAQ item:

"Do groups in Okta sync to the LastPass admin dashboard?
"No. While you can assign LastPass provisioning to specific groups in the Okta dashboard, groups themselves are not synced from Okta to LastPass."

However, when I first sync a user from Okta, their group memberships are all removed.

How is LastPass meant to behave with group memberships? Do you expect use of something like the AD Agent (which, incidentally, doesn't resemble the documentation in the install screens and doesn't appear to accept config changes because the service isn't run on install)?
buffyg
New Member

LastPass Enterprise AD Agent

There are quite substantial problems: the first screen from the install doesn't match the documentation, and when I try to configure it, I constantly get COM errors with the string "The service is not operational". I see no evidence that the service exists in the first place, but the installer generated no errors before allowing configuration to proceed.
buffyg
New Member

LastPass Enterprise silently removes empty groups from ACLs

One of the collateral casualties when enabling Okta provisioning reconciliation and attribute sync for the first time was that stripping group memberships emptied out all groups, which then silently removed all empty groups from ACLs. There are two bugs here:

1) no audit record of removing groups from ACLs
2) at minimum, there should be a policy option to prevent empty groups from being removed from an ACL because, if this can happen merely as an interim state in synchronisation, this is silent subtraction of privileges that can be assigned via that group, which then becomes impossible to account for in automating provisioning
jpenny84
Respected Contributor

Re: LastPass Enterprise AD Agent

I would file a support ticket and deal with their enterprise people directly. Unless LastPass has changed things, your enterprise license should also include telephone support.

https://lastpass.com/support.php?cmd=showfaq&id=5616
buffyg
New Member

Re: LastPass Enterprise AD Agent

My experience so far with bug reports via support has been terrible. I don't get an authoritative response back from the product side, I get cases closed, sometimes with questions about what approach I'm supposed to take by design left unanswered, where variations from documented interfaces are so substantial that it's not clear whether the documentation isn't the problem and the question is what the intended behaviour is meant to be.