Currently, CDAP has a 5 minutes cache timeout for security extensions. This is a pretty high timeout and adversely affect the user experience where the user needs to wait for 5 mins after privilege management. At this point, it's debatable if we really need 5 mins cache timeout or not. I think the intention behind having a larger cache timeout was to not affect the throughput of dataset operations.
It will be helpful to either lower the cache timeout or have two different timeouts one for cdap master and another for remote containers.