You could use the 'time range' function found under access control to set up periods of the day/week where access is not permitted.
You then apply the time ranges to the policies under the role(s) you would like to have control over.
Alternatively, you can place a 'deny time range' on an entire SSID. That would, as an example, easily block guests from connecting after hours or on weekends.