How do ya'll handle a Role permission (in a SuiteApp) that should support subsidiaries, projects, custom segments?

Yikes. The only thing I can think of is to have two separate versions of your SuiteApp - OneWorld and non - but that doesn't seem like a practical or tenable solution.

we execute as Admin for this specific reason. I think we could write a script on install to update the role but executing as Admin is guaranteed there won’t be any issues. I created a support case for this forever ago and it was labeled an enhancement request

Yes, we've kicked around the idea of simply not introducing a custom role and have the client either use Administrator or create a role with a minimum set of permissions. Both solutions are not ideal.

we've landed on executing scripts as administrator after testing both ways over the years. however, the roles we publish within our bundles exist in their own bundle along with our integration record. updating that bundle in oneworld accounts resets selected subsidiary radials on the role record 😢 , so we rarely (if ever) push updates to the role bundle.

Gotcha ... so, until NetSuite addresses this, the cleanest way is to simply force SuiteApp customers to use their Administrator role.

Yes, you should be able to

roleRecord = record.load({
                            type: 'role',
                            id: roleId,
                            isDynamic: true,
                        });

then you can update the appropriate sublist that has the permission

Well then, a smart installation script might be in order

we use it to easily add permissions to our custom records via a suitelet interaction so our customers don’t have to guess and update which ones they actually need and can still use their current roles

That's nice to know, thanks @Matt Bernstein