I also have the same issue. The only way around it for me was to use different accounts for administrating the IronPort appliances. This fell into alignment with my organizations practice of setting up seperate Admin accounts for server/workstation administration that is seperate from a server admin's user account.
I think the appliance is confused, because when you login with an administrative level account you see the quarantine of all users, so it can't add safelist/blocklist addresses because it doesn't know what mailbox to add these to.
Be interested to hear what Cisco has to say about it.