Time Fencing Configuration
Time Fencing is a security feature that restricts user login access to specific time windows, days, and date ranges. This control mechanism ensures that users can only access systems during their designated login periods. Any login attempt outside the configured time frame will be denied.
Use Case Example:
Suppose users are allowed to log in during a certain time period such as:
From Monday to Friday, between 09:00 AM and 06:00 PM, and only from August 1st to August 10th, 2025.
If a user tries to log in on a Saturday or outside the 09:00–18:00 window, ZTrust will block the login and deny access.
Important: Time Fencing can be configured at two levels:
Realm-Level Time Fencing – Applies to all users present in the realm.
Group-Level Time Fencing – Applies only to specific user assigned to the groups.
Note: If a user is assigned both realm-level and group-level time fencing, the group-level configuration takes priority.
Key Features:
Two-Level Configuration → Realm-level and group-level fencing available.
Time-Based Control → Define allowed login time slots (e.g., 09:00–17:00).
Day-Based Restriction → Restrict logins to specific weekdays (e.g., Monday–Friday only).
Date Range Enforcement → Allow logins only within valid date ranges (e.g., 1st Aug to 10th Aug).
Visual Calendar Interface → Configure rules easily using an interactive calendar.
Realm-level Time Fencing:
Realm-level time fencing applies to all users in the realm unless overridden by group-level settings.
Step 1 — Enable Time Fencing in the Authentication Flow
Go to the Admin Console → Authentication section.
Open the Authentication tab.
Create a duplicate of the existing browser flow.
Name it, for example: Time Fencing Browser Flow.
Inside the new flow
Click Add Execution.
Choose Time Fencing Authenticator from the list.
Set it under Username Password Form.
Set Requirement to Required.
Note: "Setting this as Required ensures every login attempt is checked against the realm-level configuration".
Step 2 — Configure Realm-Level Time Fencing
Need to configure the settings directly in the Time-Based-Login-Fencing config form.
Here admin need to set up the following fields:
Alias → A unique name for this configuration.
Authenticator Reference → Optional reference name if needed.
Authenticator Reference Max Age → Maximum validity period for the authenticator.
Login Start Time → Define the start time when users are allowed to log in (e.g., 09:00 AM).
Login End Time → Define the end time when login is allowed (e.g., 06:00 PM).
Timezone → Select the applicable Timezone for enforcing the login window.
Allowed Login Days → Choose the days of the week when login is permitted (e.g., Mon–Fri).
Click Save to apply the realm-wide restrictions.
Group-Level Time Fencing:
Group-level time fencing applies only to users assigned to specific groups and overrides realm-level settings.
Step 1 — Create or Select a Group
Go to the Groups section in the Admin Console.
Click Create Group or select an existing group.
Step 2 — Configure Group-Level Time Fencing
Create a group
Navigate to the Time Fencing tab within the group settings.
Use the interactive calendar to:
Define login windows specific to this group.
Select allowed days (e.g., Mon–Fri).
Set start and end times (e.g., 08:00–17:00).
Specify valid date ranges.
Add titles for each time block if required.
Click Save to store the configuration in the group’s attributes.
Login Behavior After Configuration:
Once the configurations are saved in the Admin Console, the changes take immediate effect.
Example 1 — Time Window Change
Realm/group time changed from 09:00–18:00 to 08:00–17:00:
Login at 08:30 → Allowed
Login at 17:30 → Denied
Last updated