A SaaS User List is a custom object that is referenced by certain SaaS policy rules. When session tracking is enabled, SaaS Security Inline administrators can submit policy rule recommendations for individual users on an application tenant. This capability enables you to allow some application traffic for a tenant, while blocking traffic from specific user accounts on that tenant. For example, for a trusted vendor, you might allow traffic only for your organization's Gmail accounts, while blocking traffic for the vendor's Gmail accounts or personal Gmail accounts. These user-level policy recommendations are supported for a subset of applications that also support tenant-level policy rule recommendations.

When you import the policy rule recommendation, PAN-OS creates SaaS Tenant List and SaaS User List custom objects, which represent the tenants and users to which the policy rule will apply. These custom objects are shown on the SaaS Policy Recommendations page (Device > Policy Recommendation > SaaS). You typically do not create a SaaS Tenant List manually.