The MONGODB-X509 auth mechanism has support for specifying user authorizations via a x509 extension in the client certificate.
When managing a database where I want to control the user authorizations, but I want the user to be able to issue their own client certificates, it is desirable to be able to disable this feature.