How do you create new permissions in the admin?

how do I create a new permission and use it in the admin?
During development, adding new permissions is something you'd typically achieve with direct SQL inserts.
Let's assume we want to add a new permission with a permission root called PAYMENT and add it to the FULL_ACCESS role. By default, Broadleaf has a role called FULL_ACCESS with a role ID of -2.
We would typically have several permutations of this permission (hence calling it a permission root, and not a permission) for different operations such as:
READ_PAYMENT
UPDATE_PAYMENT
CREATE_PAYMENT
DELETE_PAYMENT
ALL_PAYMENT
However, for most purposes, we really only need to define two: READ_PAYMENT and ALL_PAYMENT.
ALL_PAYMENT allows full access to the resource, and READ_PAYMENT grants read-only access to it.
We start by inserting the permissions into the auth.BLC_USER_PERMISSION table (note the comma between the two value rows):
INSERT INTO blc_user_permission (id,"name",last_updated) VALUES
('readPayment','READ_PAYMENT','2020-06-01 15:45:44.030'),
('allPayment','ALL_PAYMENT','2020-06-01 15:45:44.030');
	
Then, we add a security scope. The scope's name should be the permission root (PAYMENT in this case):
INSERT INTO blc_security_scope (id,"name","open") VALUES ('PAYMENT_SCOPE', 'PAYMENT', 'N');
	
Now, we'll add the ALL_PAYMENT permission to the FULL_ACCESS role (role ID -2):
INSERT INTO blc_role_permission_xref (role_id,permission_id) VALUES ('-2', 'allPayment');
	
Finally, we'll add a permission scope for the PAYMENT root and tie it to the security scope we created above:
INSERT INTO blc_permission_scope (id,"permission",is_permission_root,scope_id) VALUES ('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');
	

Summary:

In short, the steps generally are:
1. Add the new permission(s)
2. Add the security scope for the permission
3. Assign the permission(s) to one or more roles
4. Add a permission scope and tie it to the security scope
Since we've added this permission manually, there's one more step. Typically, user roles and permissions are synced from the AdminUser service to the Auth service. Since we're inserting directly into the Auth tables, we need to make the equivalent inserts in the AdminUser tables. There's less to do here: we only need to add the newly created permissions and assign ALL_PAYMENT to the FULL_ACCESS role.
INSERT INTO adminuser.blc_admin_permission (id, name, tenant_id) VALUES
('readPayment','READ_PAYMENT', null),
('allPayment', 'ALL_PAYMENT', null);

INSERT INTO adminuser.blc_admin_role_admin_permission_xref (admin_role_id, admin_permission_id) values
('-2', 'allPayment');
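The whole procedure as a single script, added here as an example (it is not from the original page or from the Broadleaf project). It wraps the inserts for both services in one transaction so a failure part-way through leaves nothing half-configured, uses CURRENT_TIMESTAMP instead of a hard-coded last_updated value, and finishes with verification queries. The schema, table and column names come from the inserts above; the ids readPayment, allPayment, PAYMENT_SCOPE and paymentScope are the same example data. The verification SELECTs are an assumption about how the tables join and may need adjusting for your database.

```sql
-- Added example: full PAYMENT permission setup in one transaction.
-- Table and column names are taken from the inserts on this page; the
-- verification queries at the end assume those columns are enough to
-- join on and may need adjusting for your schema.
BEGIN;

-- 1. Permissions in the Auth service
INSERT INTO auth.blc_user_permission (id, "name", last_updated) VALUES
  ('readPayment', 'READ_PAYMENT', CURRENT_TIMESTAMP),
  ('allPayment',  'ALL_PAYMENT',  CURRENT_TIMESTAMP);

-- 2. Security scope named after the permission root
INSERT INTO auth.blc_security_scope (id, "name", "open") VALUES
  ('PAYMENT_SCOPE', 'PAYMENT', 'N');

-- 3. Grant only ALL_PAYMENT to FULL_ACCESS (role id -2).
--    READ_PAYMENT is deliberately left unassigned here; attach it to a
--    read-only role of your own if you have one, never to FULL_ACCESS
--    where ALL_PAYMENT already covers it.
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES
  ('-2', 'allPayment');

-- 4. Permission scope for the root, tied to the security scope
INSERT INTO auth.blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES
  ('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');

-- 5. Mirror the permissions and the role assignment in the AdminUser
--    service, since the normal AdminUser -> Auth sync did not create them.
INSERT INTO adminuser.blc_admin_permission (id, name, tenant_id) VALUES
  ('readPayment', 'READ_PAYMENT', NULL),
  ('allPayment',  'ALL_PAYMENT',  NULL);

INSERT INTO adminuser.blc_admin_role_admin_permission_xref (admin_role_id, admin_permission_id) VALUES
  ('-2', 'allPayment');

COMMIT;

-- Check 1: which permissions does FULL_ACCESS now hold?
-- Expect ALL_PAYMENT in the list and READ_PAYMENT absent.
SELECT p.id, p."name"
FROM auth.blc_user_permission p
JOIN auth.blc_role_permission_xref x ON x.permission_id = p.id
WHERE x.role_id = '-2'
ORDER BY p."name";

-- Check 2: is the PAYMENT root wired to its security scope?
-- Expect exactly one row, with "open" = 'N' as inserted above.
SELECT ps."permission", ps.is_permission_root, s."name" AS scope, s."open"
FROM auth.blc_permission_scope ps
JOIN auth.blc_security_scope s ON s.id = ps.scope_id
WHERE ps."permission" = 'PAYMENT';

-- Check 3: Auth and AdminUser agree on the role's permissions.
-- Expect no rows if the two services were already in sync before this script.
SELECT x.permission_id
FROM auth.blc_role_permission_xref x
WHERE x.role_id = '-2'
EXCEPT
SELECT ax.admin_permission_id
FROM adminuser.blc_admin_role_admin_permission_xref ax
WHERE ax.admin_role_id = '-2';
```

Run the checks after every manual permission change: a permission that exists in Auth but not in AdminUser (or the reverse) is exactly the kind of drift that a later sync can silently overwrite.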
		
Note that you can also perform this process directly from the admin and then export your changes as SQL inserts. Navigate to the tenant-level admin, go to the Security section, select "Permissions" and add your permission. Then select "Roles" and add the newly created permissions to any applicable roles.