A call to the method **`ISecurityContext.findRole(...)`** will result in a query to the system database, because the roles are stored there, so no query to the external security system (LDAP) is needed.
The first call to the methode **`IWorkflowSession.hasRole(IRole, Boolean)`** could results in a query to the external security system (LDAP). Latest all following calls within 5 minutes will use the cache of the first call, independent of the parameter.
In fact the cache is initialized/handled by the method `IUser.getRoles()`, which is called internally by the method `IWorkflowSession.hasRole(IRole, Boolean)`. The method `IUser.getRoles()` caches the result for 10 seconds on the user-instance (this means, further calls within 10 seconds on the same instance will return the cached result. The method ISecurityContext.findUser(...) will always return a new instance.). However, if the method is called on the current logged-in user the result is cached on the session and has therefore a timeout of 5 minutes.
In 4.3 only the cache for the current logged-in user exists. The ‘10 second cache’ on any user-instance was introduced with 5.0.15.5.0.15.
**UPDATE: A code example for clarification:**
IRole.getUsers() / IRole.getAllUsers() is NEVER cached
IRole role = ISecurityContext.findRole("RoleA"); // only access to system db
role.getUsers(); // first call not cached
role.getUsers(); // subsequent calls not cached
Cache of IUser.getRoles() / IUser.getAllRoles()
ISecuritySession.findUser("Max").getRoles(); // NOT cached
ISecuritySession.findUser("Max").getRoles(); // NOT cached, because findUser() returns a new instance
IUser user = IWorflowSession.findUser("Max"); // if user is not already synchronized, it will be looked up in the LDAP.
user.getRoles(); // first call NOT cached
user.getRoles(); // subsequent calls are cached, because called on the same instance
