Normally, Advanced Server Access creates user accounts when a server is enrolled or a new user is added to a project. Configuring on-demand users for a project forces Advanced Server Access to only create an account when a user attempts to access a server. While the account is active, on-demand users hold the same level of access and permissions as all other users.
The On Demand User TTL (Time to Live) starts when the user signs in. For example, if the TTL is set to 120 seconds and the session is closed in 10 seconds, the Advanced Server Access server agent waits for 120 seconds and then removes the account. On Windows servers, the associated user account and home directory are removed when the account expires. This also includes any data stored within the home directory.
You can configure on-demand users for a project at any time by configuring the On Demand User TTL (Time to Live) setting. See Create a project.
If you enable on-demand users, you must make the server accessible through port 4421 of the previous network hop. For connections through a bastion or gateway, the server must be accessible from port 4421 of the bastion or gateway. For direct connections, the server must be accessible from port 4421 on the client. For more information, see Access Broker Options.