UPDATE (15 Aug 2011): There’s a Part II to this post which you can read here.

If you have an SPAuditEntry object and its Event property is set to SPAuditEventType.SecRoleBindUpdate, this means that the “permissions of a user or group for the audited object are changed” — basically, someone was given permissions to the audited item, or their permissions were removed.

When the SPAuditEventType is SecRoleBindUpdate, the SPAuditEntry object’s EventData property will contain the following XML structure:

<roleid>1073741829</roleid>
<principalid>7</principalid>
<scope>BEFA8A05-F97A-46C4-80A3-FBC1350C8247</scope>
<operation>ensure added</operation>

To read this data (in .NET) you would preferably load it into an XmlDocument, but first you need to wrap the XML in a root node of your own, because the fragment has several top-level elements and the XmlDocument's LoadXml() method will fail on it. Something like this should do the trick:

XmlDocument xmlEventData = new XmlDocument();
xmlEventData.LoadXml("<EventData>" + entry.EventData + "</EventData>");

*entry is the SPAuditEntry object

Now that you have an XmlDocument, you can get the user whose permissions were affected:

int principalId = Convert.ToInt32(xmlEventData.DocumentElement.SelectSingleNode("/EventData/principalid").InnerText);
SPUser eventUser = web.SiteUsers.GetByID(principalId);

*web is obviously the SPWeb object that contains the item that was audited

To get the role that the user was given permissions to, try this:

int roleId = Convert.ToInt32(xmlEventData.DocumentElement.SelectSingleNode("/EventData/roleid").InnerText);
SPRoleDefinition eventRole = web.RoleDefinitions.GetById(roleId);

Note that roleId can be -1, which seems to be the case when a user’s permissions were removed. You can check whether permissions were granted or removed by reading the <operation> node:

string operation = xmlEventData.DocumentElement.SelectSingleNode("/EventData/operation").InnerText;

I’ve only seen it contain the following two values, although there could be other values that SharePoint writes into this node (let me know if you know of any):

<operation>ensure added</operation>
<operation>ensure removed</operation>

Some Substring jiggery-pokery should let you check whether permissions were added or removed.

You can write out the audit entry to the page like this:

Response.Write((eventUser.Name.Length > 0 ? eventUser.Name : eventUser.LoginName) + " was granted " + eventRole.Name + " permissions");
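As an added example (not code from the original post), here are the steps above pulled together into one helper that also copes with the roleId of -1 case and with a missing node; it assumes Microsoft.SharePoint is referenced and that entry and web are the same SPAuditEntry and SPWeb objects used above.

```csharp
using System;
using System.Xml;
using Microsoft.SharePoint;

public sealed class RoleBindUpdate
{
    public int PrincipalId;
    public int RoleId;       // -1 observed when a binding is removed
    public Guid Scope;       // the <scope> GUID
    public string Operation; // "ensure added" / "ensure removed" as seen so far

    public bool IsGrant { get { return string.Equals(Operation, "ensure added", StringComparison.OrdinalIgnoreCase); } }

    public static RoleBindUpdate Parse(SPAuditEntry entry)
    {
        if (entry.Event != SPAuditEventType.SecRoleBindUpdate)
            throw new ArgumentException("not a SecRoleBindUpdate entry", "entry");

        // EventData has no root element, so wrap it before LoadXml() will accept it.
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("<EventData>" + entry.EventData + "</EventData>");

        RoleBindUpdate u = new RoleBindUpdate();
        u.PrincipalId = int.Parse(Text(doc, "principalid"));
        u.RoleId = int.Parse(Text(doc, "roleid"));
        u.Scope = new Guid(Text(doc, "scope"));
        u.Operation = Text(doc, "operation").Trim();
        return u;
    }

    // Node text, or a clear error instead of a NullReferenceException if the node is absent.
    private static string Text(XmlDocument doc, string name)
    {
        XmlNode node = doc.DocumentElement.SelectSingleNode("/EventData/" + name);
        if (node == null) throw new FormatException("EventData is missing <" + name + ">");
        return node.InnerText;
    }
    // Human-readable line; never calls RoleDefinitions.GetById with -1.
    public string Describe(SPWeb web)
    {
        SPUser user = web.SiteUsers.GetByID(PrincipalId); // throws SPException if unknown
        string who = string.IsNullOrEmpty(user.Name) ? user.LoginName : user.Name;
        if (!IsGrant || RoleId == -1)
            return who + " had permissions removed (" + Operation + ") on scope " + Scope;
        SPRoleDefinition role = web.RoleDefinitions.GetById(RoleId);
        return who + " was granted " + role.Name + " on scope " + Scope;
    }
}
```

Call RoleBindUpdate.Parse(entry).Describe(web) in place of the Response.Write line above to get the same output for grants without blowing up on removals.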