per-collection/group auth
Allow per-collection and per-group authentication, also create a 'global' role that can perform its allowed actions on any collection. The result will be users that are limited to their group/collection and specified actions.