Currently we invalidate the user cache in every user and role management command, but the cache invalidation is then duplicated by the hooks in oplog application that also invalidate the cache. They are still currently necessary, however, so that when a mongos does a user or role modification it is viewable immediately via that mongos. Once we have a better story around cache invalidation in mongos, we may be able to change the commands to block until the process has updated its cache via the external notification system, and then we'll be able to remove the invalidation from the commands.