For compliance, many organizations are required to audit/log the activity of all or selected users of specific resources. Our current auditing implementation provides a way to specify selective logging by operation type or by acting user, which are fields in the audit log message. However, there is currently no way to log the actions of all users possessing a given role.
We should add the option to isolate and filter user activity logging based on which users possess a certain role. For example, I should be able to specify "audit log all actions taken by users with the userAdmin role on the admin database" or a list of roles such as "audit log all actions taken by users with the dbAdmin role on the foo database or the userAdmin role on the foo database or the readWrite role on the bar database."
Note that roles are defined on a database, e.g. role foo on database bar, and the user configuring the filter should specify each role in this manner. We may wish to provide the user with some sort of wildcard option, e.g. role foo on all databases.
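The matching rules requested above (role-on-database pairs, a list treated as OR, and an all-databases wildcard) can be sketched as follows. This is an added example, not code from the product: the `role@db` syntax, the `*` wildcard, and the event field names are assumptions chosen for illustration.

```python
# Hypothetical sketch of the requested role-based audit filter.
# Assumption: each audit event carries the acting user's roles as
# {"role": ..., "db": ...} entries; this is not a real audit schema.
WILDCARD = "*"  # assumed syntax for "this role on all databases"

def parse_role_filter(specs):
    """Parse 'role@db' strings into (role, db) pairs; 'role@*' means any database."""
    pairs = set()
    for spec in specs:
        role, sep, db = spec.partition("@")
        if not sep or not role or not db:
            # Roles are defined on a database, so a bare role name is rejected
            raise ValueError(f"role must be given as role@db, got {spec!r}")
        pairs.add((role, db))
    return pairs

def should_audit(event, wanted):
    """True if any role held by the acting user matches any wanted pair (OR)."""
    for held in event.get("roles", []):
        role, db = held["role"], held["db"]
        if (role, db) in wanted or (role, WILDCARD) in wanted:
            return True
    return False

def select_events(events, specs):
    """Return only the events whose acting user holds a filtered role."""
    wanted = parse_role_filter(specs)
    return [e for e in events if should_audit(e, wanted)]

# Constructed sample events (not real log output)
SAMPLE_EVENTS = [
    {"atype": "createUser", "user": "alice",
     "roles": [{"role": "userAdmin", "db": "admin"}]},
    {"atype": "insert", "user": "bob",
     "roles": [{"role": "readWrite", "db": "bar"}]},
    {"atype": "dropCollection", "user": "carol",
     "roles": [{"role": "dbAdmin", "db": "baz"}]},
    {"atype": "find", "user": "dave",
     "roles": [{"role": "read", "db": "foo"}]},
    {"atype": "shutdown", "user": "eve", "roles": []},  # no roles: never matched
]

if __name__ == "__main__":
    specs = ["userAdmin@admin", "readWrite@bar", "dbAdmin@*"]
    for e in select_events(SAMPLE_EVENTS, specs):
        print(e["user"], e["atype"])
```

Rejecting a bare role name at parse time keeps a misconfigured filter from silently auditing nothing, which matters when the filter exists to meet a compliance requirement.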