base.admin.access. A user that does not belong to a role with that permission will not be able to enter the admin area, regardless of any other permissions attached.
composer update, can be seen in the core class for that Package. For example with the Pages module, the list of permissions that must always exist can be seen in this file:
syncPermissionswill contain this list. If you create a package yourself, such as a plugin, be sure to include this so that there is no issues with missing permissions. Any route name defined with a reference to
adminwill, by default, be attached to all roles that have the aforementioned attached permission
base.admin.access. Roles without that permission will not have access by default to those permissions, but will for any routes that have no reference to
adminin it's name. Of course, any of this can be overridden within the admin UI.