As an enterprise user, I manage many external clients wanting access to some of their passwords that we have created or maintain within their systems. To facilitate this, I permit the client's domain in our "Restrict sharing by domain" policy and add their LastPass account to the shared folder.
What I have found from testing is that when the user is added with the Read Only, Administrator and Hide Passwords options unselected, they can move the password entry from our enterprise shared folder to their own Vault, removing it from our shared folder and causing us to lose access! This presents a major security/functionality issue if the client accidentally or maliciously moves the password entry from our shared folder. I found that only selecting the Read Only option prevents this from happening.
I would propose a change in functionality to restrict this behavior natively, or to have it controlled by a policy in Enterprise licensing, or an additional option below Hide Passwords, such as "Restrict Moving" or something similar, to prevent this behavior. This would allow "Outside your Enterprise" users to add entries to these shared folders without the risk of moving all our critical passwords to their own vault.