EndpointSecurity caching semantics

When responding to an ES_ACTION_TYPE_AUTH event, there is a flag called cache that we can pass to either the es_respond_auth_result or the es_respond_flags_result function.

The documentation states that caching semantics depend on the specific event, but the actual caching semantics for each event are never documented. This means we pass this flag, hoping not too much or too little will be considered as cached.
For example, we have learned the hard way that if we cache an authorization for an event executed by root, it will be cached for all users (as the caching semantics apparently do not take the user into account).

Are those semantics documented anywhere? It is hard to use this framework solely counting on trial-and-error.

Thanks.
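An added example, not part of the original post or of Apple's documentation: given the behaviour reported above, one defensive pattern is to pass cache as true only when the verdict did not depend on the requesting user. The sample policy, `verdict_t`, `decide_open`, `handle_auth_open`, the path prefix and the `USE_ENDPOINT_SECURITY` build macro are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical policy result for this example; not an EndpointSecurity type. */
typedef struct {
    bool allow;     /* verdict to send back */
    bool cacheable; /* value to pass as the cache argument */
} verdict_t;

/* Constructed sample policy: files under this prefix are root-only. */
static const char PROTECTED_PREFIX[] = "/Library/ExampleAgent/";

/* Decide an AUTH open request and record whether the verdict depended on
 * the caller's identity. Identity-dependent verdicts are never cacheable,
 * because (per the observation above) a cached result may be reused for
 * other users. */
verdict_t decide_open(const char *path, size_t len, uid_t euid) {
    const size_t plen = sizeof PROTECTED_PREFIX - 1;
    verdict_t v = { .allow = true, .cacheable = true };
    if (len >= plen && memcmp(path, PROTECTED_PREFIX, plen) == 0) {
        v.allow = (euid == 0); /* depends on who asked */
        v.cacheable = false;
    }
    return v;
}

/* Glue to the real API. Define USE_ENDPOINT_SECURITY when building on macOS
 * and link with -lEndpointSecurity -lbsm. */
#ifdef USE_ENDPOINT_SECURITY
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>

void handle_auth_open(es_client_t *client, const es_message_t *msg) {
    uid_t euid = audit_token_to_euid(msg->process->audit_token);
    es_string_token_t p = msg->event.open.file->path;
    verdict_t v = decide_open(p.data, p.length, euid);
    /* AUTH_OPEN is answered with a flags mask: all bits allow, 0 denies. */
    es_respond_flags_result(client, msg, v.allow ? UINT32_MAX : 0, v.cacheable);
}
#endif
```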

Replies

I saw your other post first, so I responded there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"