Allow permission to run "touch" command to be granted to specific collections

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 2.5.4
    • Component/s: Security
    • Server Security
    • ALL

      Currently if a user has the permission to run the "touch" command then they can run it on any collection in the system. There is no way to say a user is allowed to run "touch" on db1.foo but not db2.bar. This also means that only roles on the "admin" database can grant the ability to run "touch".

      This is because the access control check for the "touch" command requires the "touch" action on the cluster resource. Since the touch command operates on a collection, the access control check should require the "touch" action on the collection resource.

            Assignee:
            [DO NOT USE] Backlog - Security Team
            Reporter:
            Spencer Brody (Inactive)
            Votes:
            0
            Watchers:
            5
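
The difference between the two access control checks described in this ticket, as an added example (a simplified model written for this page, not MongoDB's implementation). The resource documents use MongoDB's documented shapes; the function names and sample privileges are assumptions made for illustration.

```javascript
// Simplified model of privilege matching; not MongoDB's implementation.
// Resource documents follow MongoDB's documented shapes:
//   { cluster: true }   or   { db: "<name>", collection: "<name>" }
// An empty string is a wildcard for that field (system collections are ignored here).
function resourceMatches(granted, requested) {
  if (granted.cluster || requested.cluster) {
    // A cluster privilege only satisfies a cluster check, and vice versa.
    return granted.cluster === true && requested.cluster === true;
  }
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk =
    granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

function isAuthorized(privileges, resource, action) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, resource)
  );
}

// Check described in the ticket: "touch" is required on the cluster resource,
// so the target namespace plays no part in the decision.
function canTouchClusterCheck(privileges, db, collection) {
  return isAuthorized(privileges, { cluster: true }, "touch");
}

// Check the ticket asks for: "touch" is required on the collection resource.
function canTouchCollectionCheck(privileges, db, collection) {
  return isAuthorized(privileges, { db, collection }, "touch");
}

// Constructed sample privileges (hypothetical roles).
const clusterGrant = [{ resource: { cluster: true }, actions: ["touch"] }];
const scopedGrant = [
  { resource: { db: "db1", collection: "foo" }, actions: ["touch"] },
];

function demo() {
  return {
    clusterGrantOnDb1Foo: canTouchClusterCheck(clusterGrant, "db1", "foo"),
    clusterGrantOnDb2Bar: canTouchClusterCheck(clusterGrant, "db2", "bar"),
    scopedGrantUnderClusterCheck: canTouchClusterCheck(scopedGrant, "db1", "foo"),
    scopedGrantOnDb1Foo: canTouchCollectionCheck(scopedGrant, "db1", "foo"),
    scopedGrantOnDb2Bar: canTouchCollectionCheck(scopedGrant, "db2", "bar"),
  };
}

console.log(demo());
```

Under the cluster-resource check a grant is all-or-nothing and a collection-scoped privilege has no effect; under the collection-resource check the same scoped privilege allows db1.foo and denies db2.bar.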
