When a change is made in Grouper, check if that change adds or deletes permissions. A permission here is considered a combination of role, resource (attribute def name), action, and subject. And add change log events for each subject/role combination. The change log doesn't include the action or resource. I think this implies that (1) if a user is given a new permission (subject/action/resource) in a single event and they actually get it via multiple roles (in that single event), then you'd have multiple change log events for the user (one for each role). And (2) if a user already has a permission (subject/action/resource) but they are now getting it via another role, there would also be a change log event.