Currently when you get the actions associated with the internal user, you get back a list of every action defined in the server.

In the future, if we add actions to the system, this could break in a mix-ed mode scenario, namely if mongos is running a new version with new actions, and the config servers are still running an old version of mongod without those actions. In that case, the system may think the internal user lacks the required privileges to perform the new actions.

Instead, when asking for the privileges of the internal user, you should get back a list of actions with just one element "anyAction" that will unambiguously mean every single action.