Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java
===================================================================
diff -u -ra95da9a25304bdc449188c818764e1a40a982042 -r95f155cfbcac4d650cc30c18ef0d611cdd311db4
--- lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision a95da9a25304bdc449188c818764e1a40a982042)
+++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 95f155cfbcac4d650cc30c18ef0d611cdd311db4)
@@ -34,6 +34,8 @@
 import org.lamsfoundation.lams.usermanagement.Organisation;
 import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
+import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.web.filter.AuditLogFilter;
 /**
 * Contains methods for checking and logging user access to LAMS content. Should be used throughout the whole project.
@@ -56,6 +58,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -67,6 +70,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -80,6 +84,7 @@
 + " is learner and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -97,6 +102,7 @@
 + "\"";
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -115,6 +121,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -126,6 +133,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -139,6 +147,7 @@
 + " is monitor and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -160,6 +169,7 @@
 if (action != null) {
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 }
 if (escalate) {
 throw new SecurityException(error);
@@ -178,6 +188,7 @@
 String error = "Missing lesson ID when checking if user " + userId + " is owner and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -189,6 +200,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -202,6 +214,7 @@
 + " is owner and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -213,6 +226,7 @@
 String error = "User " + userId + " is not owner of lesson " + lessonId + " and can not \"" + action + "\"";
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -231,6 +245,7 @@
 + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -242,6 +257,7 @@
 + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -255,6 +271,7 @@
 + " is participant and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -275,6 +292,7 @@
 + "\"";
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -291,13 +309,15 @@
 String error = "Missing user ID when checking if is sysadmin and can \"" + action + "\"";
 SecurityService.log.error(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error);
+ logAuditRoleFailure(userId, error);
 throw new SecurityException(error);
 }
 if (!securityDAO.isSysadmin(userId)) {
 String error = "User " + userId + " is not sysadmin and can not \"" + action + "\"";
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
@@ -364,13 +384,19 @@
 + orgId + " and can not \"" + action + "\"";
 SecurityService.log.debug(error);
 logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error);
+ logAuditRoleFailure(userId, error);
 if (escalate) {
 throw new SecurityException(error);
 } else {
 return false;
 }
 }
+ private void logAuditRoleFailure(Integer userId, String message) {
+ User user = (User) securityDAO.find(User.class, userId);
+ AuditLogFilter.log(userId, user.getLogin(), "failed role check with message: " + message);
+ }
+
 public void setSecurityDAO(ISecurityDAO securityDAO) {
 this.securityDAO = securityDAO;
 }
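Review bot: The new `logAuditRoleFailure` dereferences `user` without a null check, yet the "Missing user ID" branch in the hunk at -291 calls it with `userId == null`, and every other call site (hunks from -56 through -364) passes an id that may not resolve to a `User` row, so `securityDAO.find(User.class, userId)` returning null ends in a NullPointerException thrown before the intended `SecurityException`. On the `escalate == false` paths a caller that expects `false` would get that NPE instead, and in both cases the audit entry this change exists to write is never emitted. Guard both the id and the lookup result and pass the login as null when it is unknown, assuming `AuditLogFilter.log` tolerates a null login — if it does not, substitute a fixed placeholder such as `"unknown"`. The methods containing the earlier hunks' call sites start outside those hunks, so whether any of them already rejects a null or unknown `userId` before reaching this line cannot be confirmed from the diff.
```java
private void logAuditRoleFailure(Integer userId, String message) {
    // Reached from the "missing user ID" branch and for ids that may not resolve to a row,
    // so neither the id nor the lookup result may be assumed non-null.
    String login = null;
    if (userId != null) {
        User user = (User) securityDAO.find(User.class, userId);
        if (user != null) {
            login = user.getLogin();
        }
    }
    AuditLogFilter.log(userId, login, "failed role check with message: " + message);
}
```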