What Does It Mean to Restrict Login Access by Time?
In Salesforce, restricting login access by time means defining specific days and hours during which users are allowed to log into your Salesforce org. Outside of these configured windows, users are denied access — even if they have the correct username and password.
This feature is called Login Hours, and it is configured at the Profile level. Every user assigned to a given Profile will be subject to that Profile’s login hour restrictions.
This is a fundamental piece of Salesforce’s layered security and access model, and every Salesforce Admin should know how to configure it correctly.
Why Should You Restrict Login Access (Time) in Salesforce?
Restricting login access by time serves several important purposes for organizations:
1. Security
Unauthorized access often happens outside of regular working hours. By limiting when users can log in, you reduce the window of vulnerability — especially for accounts that may have been compromised.
2. Compliance
Many regulated industries (finance, healthcare, legal) require organizations to demonstrate strict access controls. Time-based login restrictions provide an auditable layer of access governance.
3. Productivity Management
Businesses may want to prevent users from working outside of approved hours, either to enforce work-life balance policies or to manage licensing costs on time-sensitive plans.
4. Preventing Unauthorized After-Hours Activity
Disgruntled employees or contractors are less likely to tamper with data outside of business hours if they simply cannot log in.
5. Organizational Policy Enforcement
Different teams work different hours. For example, a support team working 9 AM–6 PM has different access needs than a global sales team with 24/7 access.
How Login Hours Work in Salesforce
Here are the key principles that govern how Login Hours function in Salesforce:
- Login Hours are configured per Profile — not per individual user.
- All users on a Profile share the same login hour settings.
- If a user attempts to log in outside of the allowed time window, they are denied access.
- The error message shown to the user is the same message displayed for an incorrect username or password — this is intentional, so the user cannot determine the exact reason for denial.
- The permission required to manage login hours is: Manage Profiles and Permission Sets.
Step-by-Step: How to Restrict Login Access (Time) in Salesforce
Follow these steps to restrict login access by time in your Salesforce org:
Step 1: Navigate to Setup
Log in to your Salesforce org and click the gear icon in the top-right corner, then select Setup.
Step 2: Find Profiles
In the Quick Find box on the left, type “Profiles” and select Profiles from the results.
Step 3: Select the Profile
From the list of Profiles, click the name of the Profile you want to configure login hours for (e.g., “Service Profile”, “Sales User”, “Custom Support Team”).
Step 4: Locate Login Hours
Scroll down to the System section within the Profile page and click “Login Hours”.
Step 5: Click Edit
Click the Edit button to open the Login Hours configuration screen.
Step 6: Set Days and Times
You will see a grid showing each day of the week with Start Time and End Time options.
- Set the desired Start Time and End Time for each day.
- To allow login at any time on a given day, click “Clear Times” for that day.
- To completely block login on a specific day, set both Start Time and End Time to 12:00 AM.
Example configuration:
| Day | Start Time | End Time |
|---|---|---|
| Monday | 8:00 AM | 6:00 PM |
| Tuesday | 8:00 AM | 6:00 PM |
| Wednesday | 8:00 AM | 6:00 PM |
| Thursday | 8:00 AM | 6:00 PM |
| Friday | 8:00 AM | 6:00 PM |
| Saturday | (Clear — any time) |  |
| Sunday | 12:00 AM | 12:00 AM (blocked) |
Step 7: Save
Click Save to apply the login hour restrictions to this Profile.
That’s it! The users assigned to this Profile can now only log in during the specified time windows.
Understanding Time Zones in Login Hours
Time zones can be a source of confusion when configuring login hours. Here’s what you need to know:
First-Time Setup:
The first time you configure Login Hours for a Profile, the time zone used is the org’s default time zone as specified in Setup > Company Information.
After the Initial Setup:
Once Login Hours have been set, changes to the org’s default time zone in Company Information do not affect the Login Hours time zone. The Profile’s login hours remain in the original time zone.
Viewing vs. Editing:
- On the Login Hours edit page, times appear in the org’s default time zone.
- On the Profile detail page (before clicking into Login Hours), times appear in the viewing user’s personal time zone.
This is an important gotcha — if your admin’s personal time zone differs from the org’s default, the times may appear differently depending on where you’re looking.
Best Practice: Always verify your org’s default time zone in Company Information before configuring Login Hours to avoid unintentional access restrictions.
What Happens When a User Is Already Logged In?
A common question Salesforce Admins face is: what happens if a user is actively working in Salesforce when their login hours expire?
The answer is: the user remains logged in, but their access becomes read-only.
Specifically:
- They can still navigate to pages and view existing records.
- They cannot perform any actions — no creating, editing, updating, or deleting records.
- They are effectively placed in a read-only mode until they log out or the session expires.
Example:
A user whose profile allows login from 4:00 PM to 5:00 PM logs in at 4:30 PM. At 5:01 PM, the user is still logged in but cannot take any actions. They can view their current page but cannot modify data.
This is an important behavior to communicate to your users so they understand what to expect when their login window closes.
How to Block Login on a Specific Day
To prevent users from logging in on a particular day entirely (for example, blocking all access on Sundays):
- Navigate to the Profile’s Login Hours edit page.
- For the day you want to block, set Start Time to 12:00 AM.
- Set End Time to the end of day (12:00 AM of the next day or equivalent).
- Save your changes.
This effectively creates a zero-length login window, meaning no login is permitted on that day.
How to Allow Login at Any Time (Clear Restrictions)
If you want users on a particular Profile to have unrestricted access on a specific day (e.g., allowing weekend access for a global team):
- Navigate to the Profile’s Login Hours edit page.
- For the day in question, click “Clear Times”.
- Save your changes.
Cleared times mean the user can log in at any time on that day — there is no restriction in place.
Best Practices for Restricting Login Access (Time)
Use these best practices when configuring Login Hours across your Salesforce org:
1. Align Login Hours to Business Operations
Set login windows to match each team’s actual working hours. A back-office accounting team doesn’t need the same access window as a 24/7 customer support team.
2. Document Every Profile's Login Hour Configuration
Keep an internal record of which Profiles have login restrictions and why. This helps with audits and change management.
3. Communicate Restrictions to Users
Users should know when they can and cannot log in. This prevents confusion and help desk tickets when users attempt to log in outside of their window.
4. Test Before Deploying to Production
Always test your login hour configuration in a Sandbox environment first to confirm the restrictions work as intended before applying them to your production org.
5. Use Login Hours Alongside Login IP Ranges
For maximum security, combine Login Hours (time-based restriction) with Login IP Ranges (location-based restriction) to create a multi-layered access control policy.
6. Review Login Hours Periodically
Business hours change — especially around daylight saving time, team restructuring, or geographic expansion. Set a reminder to review login hour configurations at least quarterly.
7. Don't Forget System/Integration Profiles
If you have integration users or API-connected accounts, be careful not to apply login hour restrictions that could break scheduled jobs, data syncs, or automated workflows running after hours.
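Before applying a schedule to a Profile used by integrations, the rules described on this page can be modelled and run against the times those jobs log in. This is an added example, not Salesforce code or code from the original article; the fixed UTC-5 offset, the job names and the exclusive end time are assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# Fixed UTC-5 offset stands in for the org default time zone (assumption);
# use zoneinfo with a named zone in practice so DST shifts are handled.
ORG_TZ = timezone(timedelta(hours=-5))

# The example configuration from this page, keyed by weekday (Monday = 0).
# None = "Clear Times" (any time); equal start and end = day blocked.
WEEKDAY = (time(8, 0), time(18, 0))
SCHEDULE = {0: WEEKDAY, 1: WEEKDAY, 2: WEEKDAY, 3: WEEKDAY, 4: WEEKDAY,
            5: None, 6: (time(0, 0), time(0, 0))}

def login_allowed(when, schedule=SCHEDULE, tz=ORG_TZ):
    """True if a login at `when` (aware datetime) falls inside the window."""
    local = when.astimezone(tz)  # windows are evaluated in the org time zone
    window = schedule[local.weekday()]
    if window is None:
        return True
    start, end = window
    if start == end:
        return False
    # Treating the end time as exclusive is an assumption of this model.
    return start <= local.time() < end

def session_state(login_at, now, schedule=SCHEDULE, tz=ORG_TZ):
    """Model the page's rule: a session outliving its window turns read-only."""
    if not login_allowed(login_at, schedule, tz):
        return "denied"
    return "active" if login_allowed(now, schedule, tz) else "read-only"

def blocked_jobs(jobs, schedule=SCHEDULE, tz=ORG_TZ):
    """Names of scheduled logins (name, aware datetime) that would be denied."""
    return [name for name, when in jobs if not login_allowed(when, schedule, tz)]

# Constructed job list for a hypothetical integration user, times in UTC.
UTC = timezone.utc
JOBS = [
    ("nightly-sync", datetime(2024, 3, 5, 2, 0, tzinfo=UTC)),     # Mon 21:00 local
    ("midday-export", datetime(2024, 3, 5, 17, 0, tzinfo=UTC)),   # Tue 12:00 local
    ("weekend-backup", datetime(2024, 3, 9, 23, 0, tzinfo=UTC)),  # Sat 18:00 local
    ("sunday-report", datetime(2024, 3, 10, 15, 0, tzinfo=UTC)),  # Sun 10:00 local
]

if __name__ == "__main__":
    print(blocked_jobs(JOBS))
```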
Login Hours vs. Login IP Ranges — What's the Difference?
These two features are often discussed together as part of Salesforce’s access control model, but they serve different purposes:
| Feature | What It Controls | Configured At |
|---|---|---|
| Login Hours | When users can log in (time-based) | Profile level |
| Login IP Ranges | Where users can log in (location-based) | Profile level |
| Trusted IP Ranges | Networks where no verification is required | Org-wide level |
When used together, Login Hours and Login IP Ranges create a powerful combination: users can only access Salesforce from approved networks during approved hours.
Common Use Cases for Restricting Login Access (Time)
Here are real-world scenarios where restricting login access by time makes sense:
Retail / Customer Support Teams
Restrict access to shift hours only (e.g., 7 AM–9 PM for a contact center operating two shifts).
Finance & Accounting Teams
Lock access to weekday business hours to ensure data changes only happen during monitored windows.
Contractors and Temporary Staff
Set strict login windows that match contracted hours to limit exposure.
Multi-Region Organizations
Create region-specific Profiles with login hours matching each region’s time zone and office hours.
Compliance-Heavy Industries
Healthcare and financial services organizations often require time-bounded access as part of their data security frameworks.
FAQs About Salesforce Login Hours
Q: Can I set different login hours for individual users?
A: No. Login Hours are configured at the Profile level and apply to all users assigned to that Profile. If you need different hours for different users, you will need to create separate Profiles.
Q: What error does a user see when denied by Login Hours?
A: The user sees the same generic error as an incorrect username or password. Salesforce intentionally avoids revealing the specific reason for access denial.
Q: Do Login Hours apply to API access as well?
A: Yes. Login Hours apply to all login attempts including API connections, so be mindful when restricting Profiles used by integrations or automation tools.
Q: What happens if I don’t configure Login Hours at all?
A: If no Login Hours are set for a Profile, users can log in at any time — there are no default restrictions.
Q: Can I test my Login Hours configuration?
A: Yes. After setting login hours, attempt to log in outside the configured window to confirm that access is denied as expected.
Q: Does the System Administrator profile have login hour restrictions?
A: By default, the standard System Administrator profile does not have Login Hours restrictions. However, custom admin Profiles can have them applied.
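For documenting and reviewing which Profiles carry restrictions, the settings can also be read from retrieved Profile metadata instead of the Setup UI. The following is an added example, not part of the original article: it parses the `loginHours` element of the Metadata API Profile type, whose per-day start and end values are minutes since midnight. The sample XML is constructed, and reading a missing day as cleared and an equal start and end as blocked are assumptions that follow the rules stated on this page.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]

# Constructed sample of a retrieved profile file (only the relevant elements).
SAMPLE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <loginHours>
        <mondayStart>480</mondayStart>
        <mondayEnd>1080</mondayEnd>
        <sundayStart>0</sundayStart>
        <sundayEnd>0</sundayEnd>
    </loginHours>
</Profile>"""

def fmt(minutes):
    """Render minutes since midnight as HH:MM."""
    hours, mins = divmod(int(minutes), 60)
    return f"{hours:02d}:{mins:02d}"

def login_hours(profile_xml):
    """Per-day summary of a profile's login hours.

    Returns None when the profile has no loginHours element, meaning the
    profile places no time restriction on login at all.
    """
    root = ET.fromstring(profile_xml)
    hours = root.find("m:loginHours", NS)
    if hours is None:
        return None
    summary = {}
    for day in DAYS:
        start = hours.findtext(f"m:{day}Start", namespaces=NS)
        end = hours.findtext(f"m:{day}End", namespaces=NS)
        if start is None or end is None:
            summary[day] = "any time"   # assumption: omitted day = cleared
        elif start == end:
            summary[day] = "blocked"    # assumption: the page's blocking rule
        else:
            summary[day] = f"{fmt(start)}-{fmt(end)}"
    return summary

if __name__ == "__main__":
    for day, window in login_hours(SAMPLE).items():
        print(f"{day:<10}{window}")
```

Running it over every profile file in a source-controlled project gives a reviewable record of which Profiles are restricted and which return `None`.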
Take Your Salesforce Admin Skills Further
Understanding how to restrict login access by time is just one of many critical skills a Salesforce Admin needs to master. Topics like Login Hours, Profile configuration, security models, data access, and compliance controls are all covered in detail in the Salesforce Administrator Certification Exam.
If you’re looking to pass the Salesforce Admin Certification on your first attempt — or simply want to master the platform from the ground up — check out the:
This comprehensive course covers everything you need to know to become a certified Salesforce Administrator, including:
- Salesforce security and access model (Login Hours, IP Ranges, Profiles, Permission Sets)
- User management and data security
- Automation with Flows, Workflow Rules, and Process Builder
- Reports, Dashboards, and Analytics
- Sales Cloud, Service Cloud, and AppExchange
- Exam-focused practice questions and mock tests
Whether you’re a complete beginner or an experienced professional looking to get certified, this course is structured to take you from zero to exam-ready at your own pace.
Summary
Restricting login access by time in Salesforce is a straightforward yet powerful security measure that every Salesforce Admin should know how to configure. By setting Login Hours at the Profile level, you can:
- Prevent unauthorized after-hours access
- Enforce business policy and compliance requirements
- Manage user productivity within approved time windows
- Create a layered security posture alongside IP-based restrictions
The setup takes just a few minutes, but the security benefits are long-lasting. Start with your highest-risk Profiles, test in a Sandbox, and roll out to production with confidence.




