-- Idempotent update: introduce explicit global tenant-scope bypass permission. INSERT INTO `permissions` (`key`, `description`, `active`, `is_system`) VALUES ('tenant.scope.global', 'Can bypass tenant scope globally', 1, 1) ON DUPLICATE KEY UPDATE `description` = VALUES(`description`), `active` = VALUES(`active`), `is_system` = VALUES(`is_system`); INSERT INTO `role_permissions` (`role_id`, `permission_id`, `created`) SELECT r.id, p.id, NOW() FROM roles r JOIN permissions p ON p.`key` = 'tenant.scope.global' WHERE r.description IN ('Admin', 'Administrator') OR r.id = 1 ON DUPLICATE KEY UPDATE role_id = role_id;