Time-Based Policy Group Matching in Elisity allows administrators to control when devices are dynamically classified into a policy group based on a reusable time configuration. These configurations define specific time windows — with optional daily or weekly recurrence — during which devices are eligible to match a policy group’s criteria. This enables the enforcement of temporary or conditional access policies without requiring manual policy changes or device reassignment.
Common Use Cases
Time-based policy group matching is useful in any environment where access should be limited to specific time windows. By applying a time configuration to a device and referencing that configuration in a dynamic policy group’s match criteria, administrators can enforce conditional access without manual intervention.
Typical use cases include:
-
Contractor or Guest Access
Grant limited-time access to third-party or temporary devices. For example, a contractor’s laptop may be permitted on the network only during business hours on weekdays. -
Business Hour Segmentation
Apply different policies to devices during recurring work hours. This is useful for restricting access to sensitive systems outside of standard operational periods. -
Maintenance Windows
Temporarily elevate permissions for devices like NAS systems or patch servers that require access during recurring maintenance windows (e.g., Saturday 8 PM–10 PM). -
Temporary Fixed-Time Access
Configure a non-recurring time window with a defined start and end date/time — whether for a few hours, several days, or a multi-week period. Ideal for scenarios like onboarding, time-bound audits, or limited project access. -
Time-Expired Device Reclassification
Automatically move devices to a restricted or monitoring group when their time-based access expires, without requiring any manual policy updates.
How Time-Based Access Works
Time configurations are reusable objects that define when a device is eligible to match a dynamic policy group. These configurations include a start time, end time, time zone, and optional recurrence (daily or specific days of the week). When recurrence is disabled, the configuration represents a non-recurring fixed time window, defined by a start and end date/time. This is ideal for enforcing access during a specific period — whether that period spans hours, days, or weeks.
To take effect, a time configuration must be explicitly assigned to a device. This can be done individually or in bulk through the CCC. Devices that do not have a time configuration assigned will not match any policy group that includes time-based criteria — even if all other conditions are satisfied.
Once assigned, the Elisity platform automatically evaluates each device approximately every 15 minutes to determine if it currently falls within the defined time window. If the configuration is active, the device is classified into the group. When the time window expires, the device is automatically removed from that group and reclassified based on any other applicable policies.
This mechanism allows for both recurring and fixed-duration access enforcement without relying on manual reassignment or policy changes.
Creating a Time-Based Access Configuration
Before applying time-based conditions to policy groups, you’ll need to create at least one time configuration. These configurations define the valid access window and can be used across multiple devices and dynamic policy groups.
Step 1: Open the Time-Based Access Page
From the main navigation menu, go to Settings > Time-Based Access. This page displays all existing configurations and their current status.
Click the + Add Time Configuration button in the top-right corner to open the configuration form.
[Screenshot - Add Time Configuration]
Step 2: Fill Out the Time Configuration Details
Complete the form with the following:
| Input Field | Description |
| Name | A clear, descriptive label (e.g., Weekday Business Hours or Temporary Access for Audit). |
| Start Time and End Time | Define the access window. If recurrence is disabled, this window will be treated as a non-recurring fixed period using full date and time values. If left blank, the values are now (current time) and indefinite, respectively. |
| Time Zone | The time zone used to evaluate the access window. |
| Recurring | Enable recurrence to apply the configuration on a regular schedule. |
| Time Period | (Visible only if recurrence is enabled) Daily or Weekly - weekly enables selection of week days which recurrence is enabled. |
[Screenshot -Time Configuration form]
ⓘ Note: When recurrence is off, the configuration enforces a fixed time window based on the full start and end date/time — which may span multiple hours, days, or weeks.
Step 3: Save and Verify
Once saved, the configuration will appear in the list with a status column. If the current time falls within the defined window, the status will display Current.
[Screenshot - Time Configuration list with “Current” status]
Assigning Time Configurations to Devices
Time configurations must be explicitly assigned to devices in order for time-based policy group matching to take effect. Creating a configuration and applying it as a match condition in a dynamic policy group is not sufficient on its own — devices will only be evaluated against the time configuration if it has been manually applied to them.
This can be done in two ways:
Option 1: Assign via Individual Device Edit
-
Navigate to the Devices page in the CCC.
-
Locate and open the device you want to configure.
-
Click Edit.
-
In the Time-Based Access section, select a previously created configuration from the dropdown.
-
Click Save.
[Screenshot - Individual device edit screen with Time-Based Access selection]
Option 2: Assign via Bulk Edit
-
From the Devices page, use the checkboxes to select multiple devices.
-
Click the Bulk Edit button.
-
In the edit modal, find the Time-Based Access field.
-
Choose the desired configuration.
-
Apply the changes.
ⓘ Note: If a device does not have a time configuration assigned, it will not match any policy group using time-based criteria, even if all other match conditions are satisfied.
Once assigned, after initial evaluation devices will be reevaluated approximately every 15 minutes to determine whether they fall within the active window. If so, and all other policy group criteria are met, they will be dynamically classified into the matching policy group.
Applying Time-Based Access to a Dynamic Policy Group
Once you’ve created a time configuration and assigned it to devices, the final step is to apply that configuration as a match condition in a Dynamic Policy Group. Both Global and Local Dynamic Policy Groups support time-based matching.
Step 1: Create a Dynamic Policy Group
Go to Policies > Policy Groups and click Create Policy Group. Choose either Global or Local depending on your intended scope, then select Dynamic as the group type.
[Screenshot - Policy Groups page with “Create Policy Group” and Dynamic group type selected]
Step 2: Add Time-Based Matching Criteria
In the match conditions section, click + Add Matching Criteria. Under the Elisity Native category, select Time Based Access, then choose the appropriate time configuration from the dropdown.
You can combine time-based access with other criteria, such as device type, identity tags, or site label within Local Policy Groups, for more precise control.
[Screenshot - Match criteria with Time Based Access selected]
Step 4: Save the Policy Group
Click Save to finalize the group. Devices with the selected time configuration assigned will match the group only while the configuration is active. Once the window expires, the device will be automatically removed and reclassified based on other applicable policy logic.
ⓘ Tip: A single time configuration can be reused across multiple policy groups to enforce consistent time-based access behavior.
Evaluation Behavior and Best Practices
Time-based policy group evaluation is handled automatically by the Elisity platform and follows a predictable cycle to ensure consistent enforcement.
Evaluation Interval
Devices assigned a time configuration are evaluated approximately every 15 minutes. If the current time falls within the defined window, and all other match conditions are satisfied, the device will be dynamically placed into the corresponding policy group.
Reclassification on Expiration
When the time window ends, the device is automatically removed from the group and reclassified based on any other applicable policy logic. No manual intervention is required.
Time Zone Awareness
Time configurations are enforced based on the selected time zone in the configuration. Always confirm the correct time zone is selected, especially when managing devices across multiple geographic regions.
Assignment is Mandatory
Devices must have a time configuration explicitly assigned in order to match any time-based policy group. Creating a configuration and using it in the policy group is not sufficient on its own.
Best Practices
-
Use clear, descriptive names for time configurations (e.g., “Weekday 9–5 EST Access” or “Contractor – June 3–5”).
-
Consider creating fallback or restricted-access policy groups for devices once their time-based window expires.
-
Test configurations in a small-scale policy group before rolling out organization-wide.