'ActionTypes' are actions which may be performed on resources in the database. Before a user may perform an operation, the server will validate that it possesses a privilege which grants all relevant ActionTypes on every resource which might be affected by the operation. Privileges may be granted to users by assigning them to one of the 'builtin' roles, or by creating a custom role with the privilege and assigning them membership.

When MongoDB introduces new commands, and new ways to interact with resources, it may introduce new ActionTypes. They may be used immediately after upgrading any node which takes writes and stores user data, and adding them to custom roles. When they are added to custom roles, a role document on disk will contain the name of the new ActionType.

To prevent themselves from loading corrupted data, nodes will not instantiate privileges containing unrecognized ActionTypes. Note that privileges containing an unrecognized ActionType, and one or more recognized ActionType will not be loaded. Nodes may observe unrecognized ActionTypes when loading their authorization information out of system collections during startup, or during replication. This could result in users and roles not obtaining granted privileges when running in a mixed mode environment, or when downgrading after creating custom roles.

Nodes could ignore ActionTypes they didn't recognize, but this would imply that illegal/unknown ActionTypes could persist indefinitely in authorization data. It also implies that ActionTypes may never be retired.

Alternatively, we could prevent new ActionTypes from being added to custom roles until after a feature compatibility upgrade, and not allow downgrading until all new ActionTypes have been removed from custom roles.