You document that there is a Super Admin role. I have no evidence it exists: it's not in the roles page, and the described privileges, which have to be enabled by policy, can only be assigned by enumerating users (and not roles) into the policy. The role page doesn't allow these privileges to be assigned to any role.
You document a built-in but customisable Help Desk Admin role. It wasn't there, and I've checked for role deletions in the audit log and found none. It's not a huge problem, since the role can be customised and can be created from scratch, but it caused great confusion that it wasn't there in the first place but is documented as though it should be.
The documentation for LastPass Enterprise clearly states as the first FAQ item:
"Do groups in Okta sync to the LastPass admin dashboard?" "No. While you can assign LastPass provisioning to specific groups in the Okta dashboard, groups themselves are not synced from Okta to LastPass."
However, when I first sync a user from Okta, their group memberships are all removed.
How is LastPass meant to behave with group memberships? Do you expect use of something like the AD Agent (which, incidentally, doesn't resemble the documentation in the install screens and doesn't appear to accept config changes because the service isn't run on install)?
There are quite substantial problems: the first screen from the install doesn't match the documentation, and when I try to configure it, I constantly get COM errors with the string "The service is not operational". I see no evidence that the service exists in the first place, but the installer generated no errors before allowing configuration to proceed.
One of the collateral casualties when enabling Okta provisioning reconciliation and attribute sync for the first time was that stripping group memberships emptied out all groups, which then silently removed all empty groups from ACLs. There are two bugs here:
1) no audit record of removing groups from ACLs
2) at minimum, there should be a policy option to prevent empty groups from being removed from an ACL because, if this can happen merely as an interim state in synchronisation, this is silent subtraction of privileges that can be assigned via that group, which then becomes impossible to account for in automating provisioning
My experience so far with bug reports via support has been terrible. I don't get an authoritative response back from the product side; I get cases closed, sometimes with questions about what approach I'm supposed to take by design left unanswered, where variations from documented interfaces are so substantial that it's not clear whether the documentation isn't the problem and the question is what the intended behaviour is meant to be.