Currently, in 2.0.0, we have notifications on changes to flattened permissions (subject, action, resource). These notifications don't take deny permissions into account: they treat a deny the same as an allow, so the notifications will be wrong if you use deny permissions.
For 2.1, we want to stop having flattened permission notifications due to performance concerns. There are three of them, I think. First, it can become costly for the change log processor to determine flattened permission changes whenever anything that involves a permission changes (including deny permissions). Second, it can become costly for the change log processor to add the events once it has found them. For instance, if the employee role is given a permission, that could mean thousands of inserts into the change log table. Third, it would be expensive for consumers to process each of these changes individually.
So for 2.1, we want to simplify the permission notifications. Whenever anything related to a permission changes, we would just get all the roles that are part of any permission containing the changed object and send notifications for those roles. So maybe there would be a change log action of permissionChangeOnRole, and the change log entry would contain the role id and role name. The consumer would then perform a callback, query Grouper for the role's permissions, and sync them with its application.
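
A sketch of the consumer side of this proposal, as an added example that is not Grouper code: a batch of role-level entries is collapsed to distinct roles, each role is queried once, and the local copy is replaced, with allow and deny kept as distinct tuples. The entry keys (`action`, `roleId`, `roleName`), the `fetch` callback standing in for the query to Grouper, and all sample data are assumptions constructed for illustration.

```python
from typing import Callable, Dict, Iterable, List, Set, Tuple

# (subject, action, resource, allowed); allowed=False is a deny permission.
Perm = Tuple[str, str, str, bool]
Fetch = Callable[[str], Iterable[Perm]]  # hypothetical callback: query Grouper for a role


def roles_to_sync(entries: Iterable[dict]) -> List[str]:
    """Collapse a batch of change log entries to distinct role ids, first-seen order."""
    seen: Dict[str, None] = {}
    for entry in entries:
        if entry.get("action") == "permissionChangeOnRole":
            seen.setdefault(entry["roleId"], None)
    return list(seen)


def sync_role(role_id: str, fetch: Fetch, local: Dict[str, Set[Perm]]):
    """Replace the local copy with the current answer; return (added, removed)."""
    current = set(fetch(role_id))
    previous = local.get(role_id, set())
    local[role_id] = current
    return current - previous, previous - current


def process_batch(entries: Iterable[dict], fetch: Fetch, local: Dict[str, Set[Perm]]):
    """One query and one sync per affected role, however many entries arrived."""
    return {rid: sync_role(rid, fetch, local) for rid in roles_to_sync(entries)}


def demo():
    # Constructed data: the role's write permission was flipped from allow to deny.
    upstream = {"role-1": [("jsmith", "read", "payroll", True),
                           ("jsmith", "write", "payroll", False)]}
    local = {"role-1": {("jsmith", "read", "payroll", True),
                        ("jsmith", "write", "payroll", True)}}
    entries = [
        {"action": "permissionChangeOnRole", "roleId": "role-1", "roleName": "employee"},
        {"action": "membershipAdd", "groupId": "group-9"},  # unrelated, ignored
        {"action": "permissionChangeOnRole", "roleId": "role-1", "roleName": "employee"},
    ]
    calls: List[str] = []

    def fetch(role_id: str) -> Iterable[Perm]:
        calls.append(role_id)
        return upstream[role_id]

    return process_batch(entries, fetch, local), calls, local


if __name__ == "__main__":
    print(demo())
```

Because the consumer replaces its copy with whatever the query returns, a missed or repeated notification only delays convergence, and an allow-to-deny flip shows up as one tuple removed and one added.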