Audit when user permissions are changed

I've used the term "admin_roles" in the event data to try and show
that these are not the permissions we store in the DB. This is the
name we use for the abstracted form of permissions in the Admin app.
While we could store the DB permissions, that would be a bit more
effort and arguably it's clearer to keep the event data consistent
with the options the user actually saw / chose.
Ben Thorner
2021-07-15 11:57:33 +01:00
parent 2241b119b0
commit 171f911237
5 changed files with 54 additions and 3 deletions


@@ -4,7 +4,10 @@ from notifications_python_client.errors import HTTPError
from notifications_utils.timezones import utc_string_to_aware_gmt_datetime
from werkzeug.utils import cached_property
from app.event_handlers import create_add_user_to_service_event
from app.event_handlers import (
create_add_user_to_service_event,
create_set_user_permissions_event,
)
from app.models import JSONModel, ModelList
from app.models.organisation import Organisation
from app.models.roles_and_permissions import (
@@ -122,13 +125,20 @@ class User(JSONModel, UserMixin):
datetime_string
)
def set_permissions(self, service_id, permissions, folder_permissions):
def set_permissions(self, service_id, permissions, folder_permissions, set_by_id):
user_api_client.set_user_permissions(
self.id,
service_id,
permissions=permissions,
folder_permissions=folder_permissions,
)
create_set_user_permissions_event(
user_id=self.id,
service_id=service_id,
original_admin_roles=self.permissions_for_service(service_id),
new_admin_roles=permissions,
set_by_id=set_by_id,
)
def logged_in_elsewhere(self):
return session.get('current_session_id') != self.current_session_id
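Review bot: In `set_permissions`, `original_admin_roles` is read from `self.permissions_for_service(service_id)` only after `user_api_client.set_user_permissions(...)` has applied the change, so the audit record's "before" value is right only if that call leaves this in-memory User untouched; `permissions_for_service` is defined outside the hunk, so that cannot be confirmed from here. Capturing it first, with `original_admin_roles = self.permissions_for_service(service_id)` placed ahead of the API call, makes the event independent of any refresh or cache invalidation. The event also omits `folder_permissions`, so a change that only alters folder access would apparently be recorded with identical old and new roles and no trace of what changed. Because the event is created after the update, a failure inside `create_set_user_permissions_event` would leave a permission change with no audit entry, and it is worth deciding whether that case should be logged or surfaced to the caller.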