Skip to main content

SF-0062 · Scenario · Medium

Can we restrict a user to login into salesforce after office hours?

✓ Verified by Vikas Singhal · Last reviewed 5/17/2026

Yes — Salesforce supports login hours on each profile. You define a weekly schedule of allowed login windows, and users on that profile cannot log in outside those hours. Active sessions that are open when the window closes get logged out at the boundary. This is a profile-level control, not a permission-set-level one, which is one of the few things permission sets still can’t replace.

Where to configure it

  1. Setup → Profiles → [select the profile] → Login Hours.
  2. Set start and end times for each day of the week. Leaving a day blank means no logins allowed that day. Setting Start = End = 12:00 AM means no restriction for that day.
  3. Save.

Times use the org’s default time zone (Setup → Company Information). If your users span multiple time zones, that matters — see the gotchas below.

What happens at the boundary

  • Login attempt outside the window: rejected with an error message saying logins aren’t allowed at this time. The login is recorded in Setup → Login History with the failure reason.
  • Active session at the close of window: the user is logged out. They can finish their current operation if it’s already in flight, but they can’t navigate to a new page or save unsaved work. This is why “login hours” is sometimes confusingly described as “session hours” — it actually controls both.
  • API logins: also restricted. Integration users on a restricted profile will fail outside the window — typically you put integration users on a profile with 24/7 hours.

Practical scenario

“Reps should not be able to log in between 9pm and 6am on weekdays, or at all on Sundays.”

On the Sales Rep profile, set login hours:

  • Monday-Friday: 6:00 AM - 9:00 PM
  • Saturday: 6:00 AM - 9:00 PM (or whatever Saturday policy)
  • Sunday: leave blank (no logins allowed)

Repeat for any other profiles where the same restriction applies.

Gotchas interviewers love to probe

  • Time zone is the org’s, not the user’s. If your org is in Pacific time but a rep is in IST, you need to translate the window. Set the profile’s hours in Pacific time covering the rep’s intended local window.
  • Mid-session logout. Users get no warning by default. If they’re mid-edit when the window closes, unsaved work is lost. Consider session warning settings in Session Settings.
  • System Administrators. Don’t lock yourself out — Salesforce will let you set login hours on your own profile and then enforce them. If you set bad hours on the System Admin profile and the window passes, you’re locked out until Salesforce Support helps.
  • Permission sets can’t override. This is profile-only; assigning a permission set with no hours restriction doesn’t loosen the profile’s hours.
  • API + integration users. Use a dedicated profile (e.g., “API Integration Profile”) with 24/7 hours, no login IP restrictions or a fixed range, and a strong password rotation policy. Don’t share login hours with end-user profiles.

Common interview follow-ups

  • Where do I see who tried to log in outside hours? Setup → Login History — failures are recorded with the reason “Restricted login hours.”
  • Can I set login hours on a permission set? No. Profile-only as of all current Salesforce releases.
  • What about login IP ranges? Same idea? Same idea, different field. See the companion question on restricting logins from a different network.

Verified against: Salesforce Help — Restrict Login Hours by Profile. Last reviewed 2026-05-17.