Right now getParameter always requires the same privileges (granted via the clusterMonitor built-in role) no matter what the parameter being asked for is. But different parameters may have different levels of sensitivity. For example, it'd be nice if the userAdminAnyDatabase role could run
{getParameter:1, authSchemaVersion: 1}.