Administrative updates could include deleting a user, changing membership in a group, updating the access controls for a resource, and so on.
Enterprise Server components that use ESF provide various ways for an administrator to trigger an Administrative Update Notification request to ESF. After making security changes, you may need to tell MFDS and/or one or more Enterprise Servers to notify ESF, so that running systems pick up the security changes. This might be done through a GUI or with a command-line client; see the Enterprise Server administration documentation for details.
The Enterprise Server component will then make an Administrative Update Notification request to its ESF subsystem. ESF will flush any related cached results, and notify the affected ESM Module to do the same.
In environments where multiple processes use ESF and communicate through shared memory, such as ES/MTO, one process will handle each Update request. That process will flush any affected data from shared memory. However, each individual process will also need to be notified of the update before they handle any other ESF requests, in case those processes have cached security information in private memory.
So each time CAS SEPs make an ESF call, they check to see if any updates have been processed by other SEPs. If so, they will flush any relevant process-private data, and call the affected ESM Modules to instruct them to do the same.
These "pending update" operations come in two types. If only one update has been processed since the last time ESF was called, ESF will flush any data affected by that single update. However, if multiple updates have been processed, ESF flushes all cached information (also called a "refresh"). This avoids having to save an unbounded number of old update requests for processes that are rarely activated.