The recommended security role for monitoring a MongoDB deployment is clusterMonitor, which includes the minimum privileges required for Cloud / Ops Manager to run all the commands and queries it needs to monitor the deployment and discover its topology.
There is one slight gap, however, for master/slave deployments: the role does not allow reading the local.sources collection on secondaries.
Ideally this read would also be permitted. Without it, the "replication lag" from slave to master cannot be displayed, and the master's hostname and port cannot be discovered.
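One least-privilege way to close the gap, shown as an added example rather than code from the original report: a custom role that inherits clusterMonitor and adds only find on local.sources, plus a check over a role's privilege list. The role name and the helper names are hypothetical; the same file runs in mongosh (where it creates the role) and under plain Node (where it only defines the helpers).

```javascript
// Hypothetical role name, chosen for this example.
const ROLE_NAME = "clusterMonitorWithSources";

// Role document for db.createRole(): everything clusterMonitor grants,
// plus read access to the single collection the page says is missing.
function buildRole() {
  return {
    role: ROLE_NAME,
    privileges: [
      { resource: { db: "local", collection: "sources" }, actions: ["find"] }
    ],
    roles: [{ role: "clusterMonitor", db: "admin" }]
  };
}

// True if a privilege list (the shape returned by getRole/rolesInfo with
// showPrivileges: true) allows `action` on dbName.collName.
// Handles an exact collection match and the per-database wildcard
// (collection: ""), which covers non-system collections only.
// Cross-database resources (db: "") and anyResource are not interpreted.
function grants(privileges, dbName, collName, action) {
  return privileges.some(p => {
    const r = p.resource || {};
    if (r.db !== dbName || !p.actions.includes(action)) return false;
    if (r.collection === collName) return true;
    return r.collection === "" && !collName.startsWith("system.");
  });
}

// Only inside mongosh, where `db` is defined: create the role on the
// admin database, then confirm the effective privileges include the read.
if (typeof db !== "undefined") {
  const admin = db.getSiblingDB("admin");
  admin.createRole(buildRole());
  const info = admin.getRole(ROLE_NAME, { showPrivileges: true });
  const effective = info.privileges.concat(info.inheritedPrivileges || []);
  print("find on local.sources: " +
        grants(effective, "local", "sources", "find"));
}
```

Grant the new role to the monitoring user in place of clusterMonitor; the user's existing monitoring privileges are unchanged because the role inherits them.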