See SERVER-81864 for more details. This ticket tracks the effort on the Tools side to make use of the API defined in the aforementioned Server ticket. When connecting to older Server versions that don't support this API, ideally the pre-TOOLS-3203 denylist approach can be used to ensure that collections such as config.system.* don't result in auth errors when attempting to dump/restore the config database. A custom user defined role is needed to read most config.system.* collections, so it's unlikely users will have this set beforehand.