Blocking SAP Users, Roles, and Profiles
You can exclude SAP users, roles and profiles from reports, filters, access reviews, and analyses, such as a Risk Analysis and What If Analysis. Block lists help you produce more focused analyses by excluding test accounts or other access items with technical permissions that are not relevant to your compliance reviews. Create up to 1000 block list rules per system.
Important
Items added to the block list will be excluded by default from all future analyses, simulations, and reports, but not from manually scheduled Security Extracts. Refer to Risk Analysis NEW for information on running an ad-hoc Risk Analysis that temporarily ignores block lists.
If you are using Emergency Access Management (EAM), exclude the roles that are assigned as entitlements on any EAM profile used for temporary elevated access, because those roles are already governed by the controls on emergency access requests.
Warning
If you block a role that is used in Emergency Access Management, do not also assign it to users as part of standard access: blocked roles do not appear in analyses, so the elevated permissions they grant are excluded from reports.
If you want to use a blocked role in Emergency Access Management, you can run a Security Extract that bypasses the block list and includes all roles. Refer to Selecting Profile Entitlements and Scheduling Security Extracts.
Creating a Block List
Admins can create block list rules to exclude SAP users, roles and profiles from Access Risk Management reports, filters, access reviews, and analyses.
- Go to Menu > Block Lists.
- On the Block Lists page, select Create New Block List Entry +.
- Use the dropdown to select a Type. Options include individual users, user name, user group, individual roles, role name, or profile name.
- If you selected the Individual Roles or Individual Users type, use the dropdown to select the SAP system(s) that this rule applies to.
- If you selected a type other than Individual Roles or Individual Users, enter the value you want to block.
Several types allow you to exclude access items dynamically by using an asterisk as a wildcard. For example, for Role Name, enter the value TEST* to block all roles whose names begin with TEST.
- An asterisk after the value indicates that the item starts with the entered value.
- An asterisk before the value indicates that the item ends with the entered value.
- An asterisk on each side of the value indicates that the item contains the entered value.
- An asterisk after an initial value and after a second value indicates that the item starts with and contains the entered values. For example, ZS*TEST* indicates that the rule blocks all items that start with ZS and contain the word TEST.
- An asterisk before an initial value and before a second value indicates that the item contains and ends with the entered values. For example, *TEST*2026 indicates that the rule blocks all items that contain TEST and end with 2026.
- An asterisk after an initial value and after a second value, followed by a third value indicates that the item starts with and contains and ends with the entered values. For example, ZS*TEST*2026 indicates that the rule blocks all items that start with ZS and contain the word TEST and end with 2026.
- Optionally, add a description for your entry.
- If you selected the Individual Roles or Individual Users type, select +Add Roles or +Add Users and select the individual roles or users you want to block.
- If you selected a type other than Individual Roles or Individual Users, select +Add ERP System and choose the system(s) that the entry applies to.
- In the selection window, search, scroll, or filter to locate the roles, users, or systems you want to block. Select + to add entries. When you are finished, select X to close the window.
- Review the selected roles, users, or systems. To remove an item from the list, select the Delete icon.
- Select Submit.
The newly excluded item is added as a row to the Block List table.
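The wildcard rules above are easy to misread, so the following added example (written for this page; it is not SailPoint code and does not reproduce the product's internal matching) shows the same semantics as a small matcher: each `*` in a block list value becomes "any characters", everything else is literal, and the pattern must cover the whole name. It also applies a constructed set of rules to constructed roles and users, honouring the per-system scope of each entry and the documented limit of 1000 rules per system. Case-insensitive comparison is an assumption (SAP object names are normally stored upper-case); the system IDs, role names, user names and the firefighter ID `FF_SUPPORT1` are all made up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Block-list entry types from the Type dropdown, mapped to the item kind and
# attribute they match. Pattern types accept '*' wildcards; the "Individual"
# types are exact selections made in the UI.
PATTERN_TYPES = {
    "Username": ("user", "name"),
    "User Group": ("user", "group"),
    "Role Name": ("role", "name"),
    "Profile Name": ("profile", "name"),
}
EXACT_TYPES = {
    "Individual Users": ("user", "name"),
    "Individual Roles": ("role", "name"),
}
MAX_RULES_PER_SYSTEM = 1000  # documented limit


@dataclass(frozen=True)
class BlockRule:
    rule_type: str
    value: str
    systems: frozenset   # ERP system IDs the entry applies to


@dataclass(frozen=True)
class AccessItem:
    kind: str            # "user", "role" or "profile"
    name: str
    system: str
    group: str = ""      # SAP user group (USR02-CLASS); users only


def pattern_to_regex(value):
    """Compile a block-list value into an anchored regex.

    Every '*' becomes '.*'; all other characters are matched literally, which
    yields exactly the starts-with / ends-with / contains combinations listed
    above. Case-insensitive matching is an assumption of this example.
    """
    parts = [re.escape(part) for part in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule, item):
    """True if this rule blocks this item on the item's system."""
    if item.system not in rule.systems:
        return False
    if rule.rule_type in PATTERN_TYPES:
        kind, attr = PATTERN_TYPES[rule.rule_type]
        return item.kind == kind and bool(pattern_to_regex(rule.value).match(getattr(item, attr)))
    if rule.rule_type in EXACT_TYPES:
        kind, attr = EXACT_TYPES[rule.rule_type]
        return item.kind == kind and getattr(item, attr).upper() == rule.value.upper()
    raise ValueError(f"unknown block list type: {rule.rule_type!r}")


def validate_rule_count(rules):
    """Reject rule sets that exceed 1000 entries for any single system."""
    per_system = Counter(system for rule in rules for system in rule.systems)
    over = {s: n for s, n in per_system.items() if n > MAX_RULES_PER_SYSTEM}
    if over:
        raise ValueError(f"too many block list rules per system: {over}")
    return per_system


def apply_block_list(items, rules):
    """Partition items into (kept, blocked); 'kept' is what an analysis would see."""
    validate_rule_count(rules)
    kept, blocked = [], []
    for item in items:
        (blocked if any(rule_matches(r, item) for r in rules) else kept).append(item)
    return kept, blocked


# Constructed sample data, not from a real system.
RULES = [
    BlockRule("Role Name", "TEST*", frozenset({"PRD"})),
    BlockRule("Role Name", "ZS*TEST*2026", frozenset({"PRD", "QAS"})),
    BlockRule("User Group", "*TEST*", frozenset({"PRD", "QAS"})),
    BlockRule("Individual Users", "FF_SUPPORT1", frozenset({"PRD"})),  # hypothetical firefighter ID
]
ITEMS = [
    AccessItem("role", "TEST_DISPLAY", "PRD"),
    AccessItem("role", "TEST_DISPLAY", "DEV"),     # TEST* rule is scoped to PRD only
    AccessItem("role", "ZS_FI_TEST_2026", "QAS"),
    AccessItem("role", "ZS_FI_TEST_2025", "QAS"),  # ends with 2025, so not blocked
    AccessItem("user", "JDOE", "PRD", group="FI_USERS"),
    AccessItem("user", "TSTUSER1", "PRD", group="UAT_TESTERS"),
    AccessItem("user", "FF_SUPPORT1", "PRD", group="SUPPORT"),
]


def blocked_names(items=ITEMS, rules=RULES):
    """(name, system) of every item a Risk Analysis would no longer see."""
    _, blocked = apply_block_list(items, rules)
    return [(i.name, i.system) for i in blocked]


if __name__ == "__main__":
    for name, system in blocked_names():
        print(f"blocked: {name} on {system}")
```

Note what the system scope does: the same role name `TEST_DISPLAY` is hidden on PRD but still analysed on DEV, so an entry created for one system does not silently widen to others. The `*TEST*` user-group rule is the kind of entry that catches more than intended (any group containing TEST, including a production group such as `CONTEST_MGMT`), which is why reviewing the Value column of existing entries before adding broad wildcards is worthwhile.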
Managing Block Lists
Admins can manage block list entries from the Block List page. Use the Filter icon to filter items based on values in the ERP System(s), Type, and Value columns. To clear a filter, select Clear Filter.
Details for each rule include:
- Actions - Edit or delete.
- ERP System(s) - SAP system that the block rule applies to.
- Type - The kind of entry: Individual Users, Username, User Group, Individual Roles, Role Name, or Profile Name.
- System Count - Number of ERP systems that the block rule applies to.
- Value - Value that is blocked.
- Created Date - Timestamp of when the entry was added to the block list.
- Created By - User who added the block list entry.
Edit entries by selecting Actions > Edit Block List Entry. Make the updates you need, then select Save.
To delete an entry, select the Delete icon. To delete several items at once, select the checkboxes next to those rows, then select Delete Selected. Confirm your choice by selecting Delete, or select Cancel.
Excluding User Types and Statuses
In addition to blocking specific entities, Admins can configure system-level exclusions to omit entire categories of users based on their SAP User Type or status. Configuring these settings ensures that technical accounts, expired users, or locked users do not appear in security extracts or risk analyses for that system.
- Go to Menu > Block Lists.
- At the top right, select System Details.
- In the System Setting window, use the SAP System dropdown to select the environment you wish to configure.
- Under Exclude Types and Statuses, select the checkboxes for the categories you want to exclude from risk analysis.
- User Types - Select specific SAP user types to ignore (e.g., A - Dialog, B - System, L - Reference, C - Communication, or S - Service).
- Expired users - Excludes users who are no longer valid, based on the validity dates defined in the SAP User Master Records, which are in turn based on the GLTGV and GLTGB dates in USR02.
- Users locked by administrator - Excludes users who have an administrative lock applied, based on the UFLAG status in USR02.
Note
The Users locked by administrator setting only applies to administrative locks. Users who are currently locked due to failed logon attempts will not be blocked.
- Select Submit to apply the configuration.