Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java =================================================================== diff -u -re0dbb500c2a4fc98b9bfec440e4f07af39be5b19 -rbd5afdb894181e618bc5871783f7c621bbb1453f --- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java (.../UserOrgSaveController.java) (revision e0dbb500c2a4fc98b9bfec440e4f07af39be5b19) +++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java (.../UserOrgSaveController.java) (revision bd5afdb894181e618bc5871783f7c621bbb1453f) @@ -42,6 +42,7 @@ import org.lamsfoundation.lams.usermanagement.UserOrganisation; import org.lamsfoundation.lams.usermanagement.dto.UserDTO; import org.lamsfoundation.lams.usermanagement.service.IUserManagementService; +import org.lamsfoundation.lams.web.filter.AuditLogFilter; import org.lamsfoundation.lams.web.session.SessionManager; import org.lamsfoundation.lams.web.util.AttributeNames; import org.springframework.beans.factory.annotation.Autowired; @@ -56,6 +57,7 @@ @Controller public class UserOrgSaveController { private static Logger log = Logger.getLogger(UserOrgSaveController.class); + private static Logger auditLogger = Logger.getLogger(AuditLogFilter.class); @Autowired private IUserManagementService userManagementService; @@ -68,6 +70,8 @@ Integer orgId = userOrgForm.getOrgId(); request.setAttribute("org", orgId); + UserDTO loggedInUser = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)); + boolean canEditRole = false; // sysadmin, global course admins can add/change users and their roles. 
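Review bot: The `auditLogger` field added to UserOrgSaveController in hunk `@@ -56,6 +57,7 @@` is not `final` and takes its category from the `AuditLogFilter` class literal, so the reference can be reassigned and the audit category is tied to the name of a web-filter class. The same declaration is added to UserManagementService in hunk `@@ -100,7 +101,8 @@`, which makes that service import a web filter only to obtain a logger name. I would write `private static final Logger auditLogger = Logger.getLogger(AuditLogFilter.class);` in both places and add a comment such as `// shares AuditLogFilter's category so these entries go to the audit log` (that intent is presumed, please confirm).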
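Review bot: `loggedInUser` in hunk `@@ -68,6 +70,8 @@` is read from the session without a null check, yet later hunks dereference it (`loggedInUser.getUserID()` in the GROUP_MANAGER test, `loggedInUser.getLogin()` in both audit lines), while the service changes in this same commit handle `loggedInUser == null` explicitly. The lookup used to run only inside the `else` branch; now a session without `AttributeNames.USER` ends in a NullPointerException on every path that reaches an audit line. A guard directly after the lookup, rejecting the request the same way the "No permission to access organisation" branches do, would make that failure explicit. The method starts and ends outside this hunk, so the exact rejection call is not visible here.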
@@ -79,8 +83,6 @@ canEditRole = true; } else { - Integer loggeduserId = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)) - .getUserID(); Organisation organisation = (Organisation) userManagementService.findById(Organisation.class, orgId); if (organisation == null) { String message = "Adding users to organisation: No permission to access organisation " + orgId; @@ -91,8 +93,8 @@ if (organisation.getOrganisationType().getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) { organisation = organisation.getParentOrganisation(); } - if (userManagementService.isUserInRole(loggeduserId, organisation.getOrganisationId(), Role.GROUP_MANAGER) - && !orgId.equals(rootOrgId)) { + if (userManagementService.isUserInRole(loggedInUser.getUserID(), organisation.getOrganisationId(), + Role.GROUP_MANAGER) && !orgId.equals(rootOrgId)) { canEditRole = true; } else { String message = "Adding users to organisation: No permission to access organisation " + orgId; @@ -125,6 +127,8 @@ user.setUserOrganisations(userUos); iter.remove(); log.debug("removed userId=" + userId + " from orgId=" + orgId); + auditLogger.info("\"" + loggedInUser.getLogin() + "\" (" + loggedInUser.getUserID() + ") removed user " + + userId + " from organisation " + orgId); // remove from subgroups userManagementService.deleteChildUserOrganisations(uo.getUser(), uo.getOrganisation()); } @@ -134,7 +138,7 @@ for (int i = 0; i < userIdList.size(); i++) { Integer userId = new Integer(userIdList.get(i)); Iterator iter2 = uos.iterator(); - Boolean alreadyInOrg = false; + boolean alreadyInOrg = false; while (iter2.hasNext()) { UserOrganisation uo = (UserOrganisation) iter2.next(); if (uo.getUser().getUserId().equals(userId)) { 
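Review bot: The audit line added in hunk `@@ -125,6 +127,8 @@` concatenates `loggedInUser.getLogin()` into the message unescaped, so a login containing a line break or a double quote can split or blur an audit record. The same pattern is in the second audit call of this file (hunk `@@ -162,6 +166,9 @@`) and in the three audit calls added to UserManagementService, where `uor.getRole().getName()` is appended the same way. Whether logins are restricted to a safe character set is not visible in this diff; if they are not, neutralise control characters first, e.g. `String actor = loggedInUser.getLogin().replaceAll("[\\r\\n]", "_");`, and log `actor` instead.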
@@ -162,6 +166,9 @@ for (UserOrganisation uo : newUserOrganisations) { userManagementService.setRolesForUserOrganisation(uo.getUser(), orgId, Arrays.asList(Role.ROLE_LEARNER.toString())); + + auditLogger.info("\"" + loggedInUser.getLogin() + "\" (" + loggedInUser.getUserID() + ") added user " + + uo.getUser().getUserId() + " as " + Role.LEARNER + " to organisation " + orgId); } return "redirect:/usermanage.do?org=" + orgId; } else { Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java =================================================================== diff -u -r96033f32ff880d045b4c087f52628d233dc98095 -rbd5afdb894181e618bc5871783f7c621bbb1453f --- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java (.../UserManagementService.java) (revision 96033f32ff880d045b4c087f52628d233dc98095) +++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java (.../UserManagementService.java) (revision bd5afdb894181e618bc5871783f7c621bbb1453f) @@ -81,6 +81,7 @@ import org.lamsfoundation.lams.util.LanguageUtil; import org.lamsfoundation.lams.util.MessageService; import org.lamsfoundation.lams.util.imgscalr.ResizePictureUtil; +import org.lamsfoundation.lams.web.filter.AuditLogFilter; import org.lamsfoundation.lams.web.session.SessionManager; import org.lamsfoundation.lams.web.util.AttributeNames; import org.springframework.beans.factory.InitializingBean; @@ -100,7 +101,8 @@ */ public class UserManagementService implements IUserManagementService, InitializingBean { - private Logger log = Logger.getLogger(UserManagementService.class); + private static Logger log = Logger.getLogger(UserManagementService.class); + private static Logger auditLogger = Logger.getLogger(AuditLogFilter.class); private static final String SEQUENCES_FOLDER_NAME_KEY = "runsequences.folder.name"; 
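Review bot: The controller-level audit line in hunk `@@ -162,6 +166,9 @@` probably duplicates what the service now records: `setRolesForUserOrganisation` in UserManagementService gains its own "added user … as … to organisation" entry in this commit, so each new learner may produce two audit records if this three-argument call delegates to the patched method (the delegation is not visible here). The message also prints `Role.LEARNER` while the call applies `Role.ROLE_LEARNER.toString()`, so the logged value is a different constant from the one actually passed. I would drop the controller entry, or keep it with a comment that says why both exist, e.g. `// service logs each role change; this records the bulk "add to organisation" action`.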
@@ -740,6 +742,8 @@ setRolesForUserOrganisation(user, org.getParentOrganisation(), rolesList, checkGroupManagerRoles); } + UserDTO loggedInUser = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)); + List rolesCopy = new ArrayList<>(); rolesCopy.addAll(rolesList); log.debug("rolesList.size: " + rolesList.size()); @@ -755,6 +759,11 @@ // remove from the Copys the ones we are keeping rolesCopy.remove(roleId); uorsCopy.remove(uor); + + auditLogger.info((loggedInUser == null ? "Unauthenticated user" + : "\"" + loggedInUser.getLogin() + "\" (" + loggedInUser.getUserID() + ")") + + " removed user " + uo.getUser().getUserId() + " as " + uor.getRole().getName() + + " from organisation " + uo.getOrganisation().getOrganisationId()); } } } @@ -770,7 +779,13 @@ Role role = (Role) findById(Role.class, Integer.parseInt(roleId)); UserOrganisationRole uor = new UserOrganisationRole(uo, role); save(uor); + log.debug("setting role: " + role.getName() + " in organisation: " + org.getName()); + auditLogger.info((loggedInUser == null ? "Unauthenticated user" + : "\"" + loggedInUser.getLogin() + "\" (" + loggedInUser.getUserID() + ")") + " added user " + + uo.getUser().getUserId() + " as " + uor.getRole().getName() + " to organisation " + + uo.getOrganisation().getOrganisationId()); + uors.add(uor); // when a user gets these roles, they need a workspace if (role.getName().equals(Role.AUTHOR) || role.getName().equals(Role.SYSADMIN)) { 
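Review bot: The lookup added in hunk `@@ -740,6 +742,8 @@` dereferences `SessionManager.getSession()` before the null-aware audit code can run, so the `loggedInUser == null` branch further down covers a session without a user but not a missing session. If `getSession()` can return null when this service method is called outside a web request (its contract is not visible in this diff), role changes would start failing with a NullPointerException purely because of audit logging. The same expression is added in hunk `@@ -853,8 +868,16 @@`. I would null-check the result of `SessionManager.getSession()` before calling `getAttribute(AttributeNames.USER)` and note in the method's Javadoc that the acting user is read from the current web session.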
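Review bot: The "removed user … as … from organisation" entry in hunk `@@ -755,6 +759,11 @@` sits directly under the comment `// remove from the Copys the ones we are keeping`, after `rolesCopy.remove(roleId)` and `uorsCopy.remove(uor)`, which reads as the branch for roles that stay assigned. If that reading is right, the audit trail reports a removal for every retained role, and the real removals (presumably whatever is left in `uorsCopy`) are not recorded by anything in this diff. The surrounding loop begins and ends outside the hunk, so this needs checking against the full method; the entry most likely belongs where the leftover `uorsCopy` entries are deleted.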
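Review bot: The actor-formatting expression `(loggedInUser == null ? "Unauthenticated user" : ...)` in hunk `@@ -770,7 +779,13 @@` is copied verbatim into hunks `@@ -755,6 +759,11 @@` and `@@ -853,8 +868,16 @@`, so the audit format can drift between the three entries. A small private helper would keep them identical and give one place to document the format. Each call site then becomes `auditLogger.info(describeActor(loggedInUser) + " added user " + ...)`; the helper name is only a suggestion.

```java
/** Formats the acting user for audit entries; null means no user in the session. */
private static String describeActor(UserDTO actor) {
    if (actor == null) {
        return "Unauthenticated user";
    }
    return "\"" + actor.getLogin() + "\" (" + actor.getUserID() + ")";
}
```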
@@ -853,8 +868,16 @@ UserOrganisationRole uor = new UserOrganisationRole(uo, role); save(uor); uo.addUserOrganisationRole(uor); + + UserDTO loggedInUser = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)); + log.debug("setting role: " + uor.getRole().getName() + " in organisation: " + uor.getUserOrganisation().getOrganisation().getName()); + auditLogger.info((loggedInUser == null ? "Unauthenticated user" + : "\"" + loggedInUser.getLogin() + "\" (" + loggedInUser.getUserID() + ")") + " added user " + + uo.getUser().getUserId() + " as " + uor.getRole().getName() + " to organisation " + + uo.getOrganisation().getOrganisationId()); + return uo; }
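Review bot: The audit entry in hunk `@@ -853,8 +868,16 @@` is written right after `save(uor)` and before `return uo`, so it is emitted whether or not the change is finally persisted. If this method runs inside a transaction (not visible in the diff), a later rollback would leave an "added user … as …" record for a role that was never granted. Consider a comment at the call such as `// audit entry is written before commit; a rollback leaves it in the log`, or emitting the entry only after the transaction completes.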