ESF uses external security managers to make security decisions. Because those managers are not part of ESF, administrative changes to security information - changes to the security information for users, groups, or resources - are often made directly to the managers without any interaction with ESF. In some cases, it's necessary to notify ESF of these changes, so it (and its ESM Modules) can flush any cached results and update any internal information regarding the updated entity.
The ESF Administrative Update Notification request is part of the ESF API. It lets the calling environment notify ESF that one or more administrative changes have been made in an external security manager, so it should update any internal information that may be affected.
Administrative updates could include deleting a user, changing membership in a group, updating the access controls for a resource, and so on.
Enterprise Server components that use ESF provide various ways for an administrator to trigger an Administrative Update Notification request to ESF. After making security changes, you may need to tell MFDS and/or one or more ES servers to notify ESF, so that running systems pick up the security changes. This might be done through a GUI or with a command-line client; see the Enterprise Server administration documentation for details.
The ES component will then make an Administrative Update Notification request to its ESF subsystem. ESF will flush any related cached results, and notify the affected ESM Module to do the same.
In environments where multiple processes use ESF and communicate through shared memory, such as ES/MTO, one process will handle each Update request. That process will flush any affected data from shared memory. However, each individual process will also need to be notified of the update before they handle any other ESF requests, in case those processes have cached security information in private memory.
So each time CAS SEPs make an ESF call, they check to see if any updates have been processed by other SEPs. If so, they will flush any relevant process-private data, and call the affected ESM Modules to instruct them to do the same.
These "pending update" operations come in two types. If only one update has been processed since the last time ESF was called, ESF will flush any data affected by that single update. However, if multiple updates have been processed, ESF flushes all cached information (also called a "refresh"). This avoids having to save an unbounded number of old update requests for processes that are rarely activated.
The remainder of this page is for programmers calling the ESF API to make Update Notification requests.
Administrative Update Notification uses the UPDATE form of the ESF API.
The Update Notification request has only one required parameter, a pointer to a valid ACEE (returned by an VERIFY request). Note that this means that Update Notifications require a valid set of user credentials. This allows Update Notifications to be audited with user information, and in the future may be used to restrict access to the Update Notification feature.
The Update Notification request can contain additional information that describes what was updated. Setting this information may reduce the amount of cached information that ESF and the ESM Modules have to discard, or the additional work needed to be done by the ESM Modules to update other internal state (such as information about group membership).
Not setting this additional information has some performance cost, but will probably only be noticeable under relatively heavy loads.
The optional fields include:
Note that if a user's primary group is changed, that will generally be a user update. Supplementary group membership may be stored as part of a user's definition or as part of a group's definition, depending on the ESM. For the MLDAP ESM Module, changes to a user's supplementary group information should be signalled with a saf78_TYPE_UPDATE_GROUP Update request.
You can also set the ESM Index in the request block to a non-zero value to indicate that the specified ESM Module is the one to receive the update notification. (ESM Modules are numbered consecutively from 1, in the order that they're shown in the security configuration in MFDS.) Unless performance becomes an issue, however, we recommend leaving this set to 0 and letting all ESM Modules be notified, to avoid errors that could leave an ESM Module with stale data.
ESF uses the optional ESM Update callback to notify ESM Modules of Update Notification requests. ESM Modules need to support this callback if they want to be informed of updates. See the ESF ESM Module Interface for more information.