Access control list: configuring the "security" usergroup to only audit connections made by the "root_only" usergroup.

"access_control": [
      {
    "authorizer": "security",
    "permission": "audit",
    "require_different_ip": true,
    "require_different_username": true,
    "subject": {
      "group": "root_only",
      "selection": "only"
    }
  }