Create a replicaset. Create a collection on the admin database. Create a role which inherits from other roles. Grant the role to a user. Create an index on the collection using the createIndex command. Connect to a secondary, and authenticate as the user. The user will have no privileges granted from transitively inherited roles. The secondary will include the following statement in its logs:

2018-05-03T14:21:50.795-0400 E ACCESS   [repl writer worker 1] Unsupported modification to roles collection in oplog; restart
this process to reenable user-defined roles; OplogOperationUnsupported: Unsupported oplog operation; Oplog entry: { op: "c", ns: "admin.$cmd", o: { createIndexes: "col", v: 2, key: { data: 1.0 }, name: "data_1" } }

The RoleGraph update procedure observes a command affecting the admin database which it doesn't understand. As a result, it disables role transitivity. It should be taught that createIndex on a collection other than system.roles is safe.