Time-Based Match Criteria for Policy Groups

Time-Based Policy Group Matching in Elisity allows administrators to control when devices are dynamically classified into a policy group based on a reusable time configuration. These configurations define specific time windows — with optional daily or weekly recurrence — during which devices are eligible to match a policy group’s criteria. This enables the enforcement of temporary or conditional access policies without requiring manual policy changes or device reassignment.

How Time-Based Access Works

Time configurations are reusable objects that define when a device is eligible to match a dynamic policy group. These configurations include a start time, end time, time zone, and optional recurrence (daily or specific days of the week). When recurrence is disabled, the configuration represents a non-recurring fixed time window, defined by a start and end date/time. This is ideal for enforcing access during a specific period — whether that period spans hours, days, or weeks.

To take effect, a time configuration must be explicitly assigned to a device. Devices that do not have a time configuration assigned will not match any policy group that includes time-based criteria — even if all other conditions are satisfied.

Once assigned, the Elisity platform automatically evaluates each device approximately every 1 minute to determine if it currently falls within the defined time window. If the configuration is active, the device is classified into the group. When the time window expires, the device is automatically removed from that group and reclassified based on any other applicable policies.

This mechanism allows for both recurring and fixed-duration access enforcement without relying on manual reassignment or policy changes.

Common Use Cases

Time-based policy group matching is useful in any environment where access should be limited to specific time windows. By applying a time configuration to a device and referencing that configuration in a dynamic policy group’s match criteria, administrators can enforce conditional access without manual intervention.

Typical use cases include:

  • Contractor or Guest Access
    Grant limited-time access to third-party or temporary devices. For example, a contractor’s laptop may be permitted on the network only during business hours on weekdays.

  • Business Hour Segmentation
    Apply different policies to devices during recurring work hours. This is useful for restricting access to sensitive systems outside of standard operational periods.

  • Maintenance Windows
    Temporarily elevate permissions for devices like NAS systems or patch servers that require access during recurring maintenance windows (e.g., Saturday 8 PM–10 PM).

  • Temporary Fixed-Time Access
    Configure a non-recurring time window with a defined start and end date/time — whether for a few hours, several days, or a multi-week period. Ideal for scenarios like onboarding, time-bound audits, or limited project access.

  • Time-Expired Device Reclassification
    Automatically move devices to a restricted or monitoring group when their time-based access expires, without requiring any manual policy updates.

Creating a Time-Based Access Configuration

Before applying time-based conditions to policy groups, you’ll need to create at least one time configuration. These configurations define the valid access window and can be used across multiple devices and dynamic policy groups.

 

Step 1: Open the Time-Based Access Page

From the main navigation menu, go to Settings > Time-Based Access. This page displays all existing configurations and their current status.

Click the + Add Time Configuration button in the top-right corner to open the configuration form.

 
[Screenshot - Add Time Configuration]

Step 2: Fill Out the Time Configuration Details

Complete the form with the following:

| Input Field | Description |
|---|---|
| Name | A clear, descriptive label (e.g., Weekday Business Hours or Temporary Access for Audit). |
| Start Time and End Time | Define the access window. If recurrence is disabled, this window is treated as a non-recurring fixed period using full date and time values. If left blank, the values default to now (current time) and indefinite, respectively. |
| Time Zone | The time zone used to evaluate the access window. |
| Recurring | Enable recurrence to apply the configuration on a regular schedule. |
| Time Period | (Visible only if recurrence is enabled) Daily or Weekly. Weekly enables selection of the days of the week on which recurrence is enabled. |

  
[Screenshot - Time Configuration form]

Note: When recurrence is off, the configuration enforces a fixed time window based on the full start and end date/time — which may span multiple hours, days, or weeks.

 

Step 3: Save and Verify

Once saved, the configuration will appear in the list with a status column. If the current time falls within the defined window, the status will display Current.

  
[Screenshot - Time Configuration list with “Current” status]

 

Assigning Time Configurations to Devices

Time configurations must be explicitly assigned to devices in order for time-based policy group matching to take effect. Creating a configuration and applying it as a match condition in a dynamic policy group is not sufficient on its own — devices will only be evaluated against the time configuration if it has been manually applied to them.

This can be done on a per-device basis, as shown below:

Assign via Individual Device Edit

  1. Navigate to the Devices page in the CCC.

  2. Locate and open the device you want to configure.

  3. Click Edit.

  4. In the Time-Based Access section, select a previously created configuration from the dropdown.

  5. Click Save.

 

[Screenshot - Individual device edit screen with Time-Based Access selection]

 

Once assigned, and after the initial evaluation, devices are reevaluated approximately every 15 minutes to determine whether they fall within the active window. If so, and all other policy group criteria are met, they will be dynamically classified into the matching policy group.

 

Bulk Assigning Time Configurations to Devices

For environments with large device inventories, Cloud Control Center supports bulk assignment of time configurations to multiple devices simultaneously. This streamlines the process of applying time-based access policies across groups of devices without requiring individual device edits.

Select Devices for Bulk Edit

  1. Navigate to the Devices page in Cloud Control Center.
  2. (Optional) Apply filters to narrow the device list. For example, filter by Category, Policy Group, Site, or other attributes to identify the specific devices that require time-based access.
  3. Select the devices you want to edit by clicking the checkbox next to each device. You can select individual devices or use the checkbox in the table header to select all devices matching your current filter.
  4. Click the BULK ACTIONS dropdown in the upper-right area of the device table.
  5. Select Edit Devices from the dropdown menu.

 
[Screenshot - Devices page with multiple devices selected and Bulk Actions → Edit Devices highlighted]

 

Apply Time Configuration to Selected Devices

The bulk edit panel will open, displaying the count of selected devices and an Attributes Configuration form. This form shows the current attribute values for the selected devices — if devices have different values for an attribute, the field will display "Mixed".

  1. Scroll down to the Time Configuration Name field in the Attributes Configuration section.
  2. Click the dropdown and select the time configuration you want to apply to all selected devices.
  3. (Optional) Expand the Selected Devices dropdown at the top of the panel to review the list of devices that will be updated.
  4. Click SUBMIT to apply the time configuration to all selected devices.

 
[Screenshot - Bulk edit attributes panel showing Time Configuration Name dropdown with a configuration selected]

 

Note: Bulk editing will overwrite any existing time configuration assignments on the selected devices. If you need to preserve existing assignments for some devices, exclude them from the selection before submitting the bulk edit.

 

Once the time configuration is applied, the selected devices will begin evaluation based on the configured time window. If the current time falls within the active window and all other policy group match criteria are satisfied, devices will be dynamically classified into the appropriate policy group.

Applying Time-Based Access to a Dynamic Policy Group

Once you’ve created a time configuration and assigned it to devices, the final step is to apply that configuration as a match condition in a Dynamic Policy Group. Both Global and Local Dynamic Policy Groups support time-based matching.

 

Step 1: Create a Dynamic Policy Group
Go to Policies > Policy Groups and click Create Policy Group. Choose either Global or Local depending on your intended scope, then select Dynamic as the group type.

 
[Screenshot - Policy Groups page with “Create Policy Group” and Dynamic group type selected]

 

Step 2: Add Time-Based Matching Criteria
In the match conditions section, click + Add Matching Criteria. Under the Elisity Native category, select Time Based Access, then choose the appropriate time configuration from the dropdown.

You can combine time-based access with other criteria, such as device type, identity tags, or site label within Local Policy Groups, for more precise control.

 
[Screenshot - Match criteria with Time Based Access selected]

 

Step 4: Save the Policy Group
Click Save to finalize the group. Devices with the selected time configuration assigned will match the group only while the configuration is active. Once the window expires, the device will be automatically removed and reclassified based on other applicable policy logic.

Tip: A single time configuration can be reused across multiple policy groups to enforce consistent time-based access behavior.

Evaluation Behavior and Best Practices

Time-based policy group evaluation is handled automatically by the Elisity platform and follows a predictable cycle to ensure consistent enforcement.

Evaluation Interval
Devices assigned a time configuration are evaluated approximately every 15 minutes. If the current time falls within the defined window, and all other match conditions are satisfied, the device will be dynamically placed into the corresponding policy group.

Reclassification on Expiration
When the time window ends, the device is automatically removed from the group and reclassified based on any other applicable policy logic. No manual intervention is required.

Time Zone Awareness
Time configurations are enforced based on the selected time zone in the configuration. Always confirm the correct time zone is selected, especially when managing devices across multiple geographic regions.

Assignment is Mandatory
Devices must have a time configuration explicitly assigned in order to match any time-based policy group. Creating a configuration and using it in the policy group is not sufficient on its own.
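
The rules above (fixed versus recurring windows, evaluation in the configured time zone, and mandatory assignment) can be modeled offline to sanity-check a configuration before rollout. This is an added example, not Elisity code or an Elisity API; the class and function names, the start-inclusive/end-exclusive bounds, and the treatment of recurring windows as time-of-day ranges that do not cross midnight are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class TimeConfig:                   # hypothetical model of a time configuration
    name: str
    tz: tzinfo                      # zone the window is evaluated in
    start: datetime                 # timezone-aware
    end: Optional[datetime] = None  # None = indefinite
    recurring: bool = False
    weekdays: Optional[FrozenSet[int]] = None  # None = daily; Mon=0 .. Sun=6

@dataclass(frozen=True)
class Device:
    name: str
    time_config: Optional[str] = None  # name of the assigned configuration

def is_active(cfg: TimeConfig, now: datetime) -> bool:
    """True if the timezone-aware instant `now` falls inside cfg's window."""
    local = now.astimezone(cfg.tz)  # always compare in the configured zone
    if not cfg.recurring:
        return cfg.start <= local and (cfg.end is None or local < cfg.end)
    if cfg.weekdays is not None and local.weekday() not in cfg.weekdays:
        return False
    # Assumption: recurring windows use only the time-of-day part of
    # start/end and do not cross midnight.
    end_t = cfg.end.astimezone(cfg.tz).time() if cfg.end else time.max
    return cfg.start.astimezone(cfg.tz).time() <= local.time() < end_t

def matches_group(dev: Device, group_cfg: TimeConfig, now: datetime,
                  other_criteria_met: bool = True) -> bool:
    # No assignment (or a different one) means no match, even inside the window.
    if dev.time_config != group_cfg.name:
        return False
    return other_criteria_met and is_active(group_cfg, now)

# Constructed sample data (fixed UTC-5 offset; use zoneinfo.ZoneInfo for DST).
EST = timezone(timedelta(hours=-5), "EST")
BUSINESS = TimeConfig("Weekday Business Hours", EST,
                      datetime(2025, 1, 6, 9, 0, tzinfo=EST),
                      datetime(2025, 1, 6, 17, 0, tzinfo=EST),
                      recurring=True, weekdays=frozenset(range(5)))
AUDIT = TimeConfig("Temporary Access for Audit", EST,
                   datetime(2025, 6, 3, 8, 0, tzinfo=EST),
                   datetime(2025, 6, 5, 18, 0, tzinfo=EST))
LAPTOP = Device("contractor-laptop", time_config="Weekday Business Hours")
UNASSIGNED = Device("nas-01")
```

Feeding the model UTC instants shows the time zone effect: 13:30 UTC on a Wednesday is 08:30 in the configured zone, so the laptop is still outside the 9:00 to 17:00 window.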

Best Practices

  • Use clear, descriptive names for time configurations (e.g., “Weekday 9–5 EST Access” or “Contractor – June 3–5”).

  • Consider creating fallback or restricted-access policy groups for devices once their time-based window expires.

  • Test configurations in a small-scale policy group before rolling out organization-wide.
