Skip to content

Restricting Tenant Access

You can restrict the sign-in locations permitted for users in each defined identity profile. You can configure restrictions based on:

  • IP address blocks that define your network to prevent access from off-network IP addresses.
  • A Block List to prevent user access from specified countries.
  • An Allow List to permit user access only from specified countries.


These restrictions apply to password resets as well. During the password reset process, users are required to authenticate. If a user attempts to authenticate while they are off network, they will be blocked from resetting their password.

To apply these restrictions you must:

  1. Define the restrictions as global configurations.
  2. Choose which of those restrictions to apply to each identity profile.


These restrictions do not apply when you use single sign-on to authenticate users into your tenant. If you need restrictions and are using SSO, add them on the identity provider side.

Specifying Network IP Restrictions

To set up access restrictions based on network, define your network by adding the IP address blocks of your network.

  1. Go to Admin > Global > System Settings > Network Settings.

  2. Under Network Definition, specify a range of IP addresses using Classless Inter-Domain Routing (CIDR) notation.

  3. To add more IP addresses, select + Add and enter another range. Repeat until you've added all the IP address ranges you want to allow to access Identity Security Cloud.

    Select the X next to an IP address block to remove it.

  4. Select Save.

Specifying a Block List or Allow List

To restrict user access by country, define the permissible set of countries through either a block list or an allow list.

  1. Go to Admin > Global > System Settings > Network Settings.

  2. Under Trusted Countries, select either Block List or Allow List.

    • A block list defines countries that your organization considers untrusted and prevents sign-in from IP addresses associated with them.
    • An allow list defines countries that your organization considers trusted and allows sign-in only from IP addresses associated with them.
  3. Begin typing the name of a country in the field and select it from the list. Select Add to enter another country. Repeat until you've added all the countries you need.


    To remove a country from the list, select the Delete icon X next to the country.

  4. Select Save.

Applying Restrictions to Users per Identity Profile

Access restrictions must be applied to each identity profile to constrain those users' access to Identity Security Cloud.

  1. Go to Admin > Identity Management > Identity Profiles.

  2. Select the identity profile you want to edit.

  3. Under Block Access From, choose which restrictions to apply to those users.

    • Select Off Network to prevent them from accessing your tenant from outside your defined network.
    • Select Untrusted Geographies to prevent access from the countries in your block list or to allow access only from the countries in your allow list.
  4. Scroll to the bottom of the page and select Save.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at