Articles in this section

See more

Security Settings

The Security section controls how your team accesses and uses ClickTime, including Session Timeout, Audit Logging, manager permissions for approvals, and Single Sign‑On (SSO).

Summary: Set how long users stay signed in, decide whether Managers can unlock or un‑approve, enable Audit Logging for traceability and DCAA requirements, and choose whether SSO is disabled, allowed, or required. If you require SSO, some tools and flows are limited (details below).

Where to find it: Company > Preferences > Security (section). 
Security section in Company › Preferences showing timeout, audit logging, unlock/un‑approve, and SSO

Jump to a section:

Session Timeout Period

Define how long a signed‑in session remains active without user activity. When the timer expires, the user is automatically logged out and returned to the login page.

Session Timeout dropdown with durations from 30 minutes to 1 day
  • 30 minutes
  • 1 hour
  • 2 hours
  • 4 hours
  • 8 hours
  • 12 hours
  • 1 day (24 hours)

Not sure what to choose? Align with your organization’s security policy or ask your IT team.

General Security Options

Configure core security behaviors for approvals and auditing.

General security options including unlock/un‑approve, audit logging, and historical change control

  • Allow Managers to unlock or un‑approve timesheets and expense sheets when they also have permission to lock or approve: Disabled by default. Enable if Managers should be able to reverse approvals on items they can approve. This is different from rejecting, which remains available regardless of this setting.
  • Enable Audit Logging: Records who created or edited records and when (including time entries and certain company settings). Required for DCAA compliance. Demo customers should contact Sales; paying customers can email support@clicktime.com for availability and pricing.

  • Allow changes (not logged) to billing rates, costs, and other values that affect historical time and expense entries (locked or unlocked): Permits bulk changes that can rewrite historical calculations. The Audit Log notes the rate‑change event, but not each affected entry.

Historical note: The legacy “Require secure (SSL) connections for web entry” setting was removed in December 2020. All ClickTime pages load over HTTPS.

Single Sign‑On (SSO) Preferences

Choose how users authenticate to ClickTime.

SSO preferences selector with Disable, Allow, Require
  • Disable: Users sign in with ClickTime email and password.
  • Allow: Users can sign in with SSO or with ClickTime email and password.
  • Require: Users must sign in with SSO. Password reset emails from ClickTime are not available, and admins will not see the Reset Password action on the Person Details page.

Plan notes: Supported Identity Providers include Google Workspace and—on higher tiers—providers such as Okta, OneLogin, and Microsoft Entra/Azure AD. Ensure the email address stored in ClickTime matches the user’s identity in your IdP. For current prerequisites and setup, see the SSO guide below.

Identity Provider dropdown example

Important: Requiring SSO can limit certain tools or flows. For example, the ClickTime Connector for QuickBooks Desktop is not supported when SSO is required. See the QuickBooks Connector article for specifics.

Learn more: Single Sign‑On (SSO) & SCIM Guide

Update SSO Certificates

If your Identity Provider’s certificate has been renewed, update it here to keep SSO working.

Certificate paste/upload field for SSO

  • Paste the full certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, or upload the file.
  • If SSO stops working after a renewal, update the certificate and test. If issues persist, contact professionalservices@clicktime.com.

Notes & Limitations

  • Audit Logging: Enable to meet DCAA traceability requirements; be aware of downstream impacts on storage and report volume for very large change histories.
  • Unlock or un‑approve: Grants Managers the ability to reverse approvals on items they already manage. Does not replace Reject.
  • SSO Required: Disables ClickTime password reset emails and the admin reset action. Confirm your help‑desk workflow before switching to Require.
  • QuickBooks Desktop: The ClickTime Connector is not supported when SSO is required. Review the connector article for alternatives.

Troubleshooting

  • “I was logged out while working.” Session Timeout counts from the last action (page load, save, etc.). Increase the timeout or encourage saving periodically.
  • “Managers can’t un‑approve.” Ensure the Allow Managers to unlock/un‑approve… option is enabled and the manager has approve permissions for that person/project.
  • “We turned on Require SSO and password resets stopped.” That is expected. Use your Identity Provider’s password reset flow; ClickTime will not send reset emails while SSO is required.
  • “SSO broke after our certificate renewal.” Update the certificate in Update SSO Certificates; include the BEGIN/END lines. If issues persist, contact Professional Services.
  • “User can’t sign in with SSO.” Confirm the ClickTime email exactly matches the IdP account email and that the correct IdP is selected in SSO Preferences.

Related articles

Comments

0 comments

Article is closed for comments.