diff --git a/.gitea/workflows/migrate-devel.yml b/.gitea/workflows/migrate-devel.yml
index 14825cd..6b55f31 100644
--- a/.gitea/workflows/migrate-devel.yml
+++ b/.gitea/workflows/migrate-devel.yml
@@ -1,5 +1,5 @@ name: 'migrate-devel'
-on: {push: {branches: ['main']}}
+on: {push: {tags: ['devel@*']}}
 jobs: migrate-devel:
diff --git a/.gitea/workflows/migrate-stage.yml b/.gitea/workflows/migrate-stage.yml
index 44972d8..96b2ced 100644
--- a/.gitea/workflows/migrate-stage.yml
+++ b/.gitea/workflows/migrate-stage.yml
@@ -1,5 +1,5 @@ name: 'migrate-stage'
-on: {push: {branches: ['main']}}
+on: {push: {tags: ['stage@*']}}
 jobs: migrate-stage:
@@ -9,7 +9,7 @@ jobs: steps: - uses: 'actions/checkout@v3' with: { fetch-depth: 0 }
- - run: './scripts/migrate.sh --greenlight'
+ - run: './scripts/migrate.sh ${{ gitea.ref_name }} --greenlight'
 env: DOCKER_HOST: 'unix:///run/user/1001/docker.sock' POSTGRES_URI: '${{ secrets.POSTGRES_STAGE_URI }}'
diff --git a/schema/0100_usr.sql b/schema/0100_usr.sql
index 255b614..4749483 100644
--- a/schema/0100_usr.sql
+++ b/schema/0100_usr.sql
@@ -57,6 +57,12 @@ create trigger insert_usr_default_discrim before insert on public.usr for each row execute function public.do_insert_usr_default_discrim();
+create function public.usr_root()
+ returns public.usr
+ stable
+ language sql
+ as $$select * from public.usr where tag = public.usr_tag_of_string('root')$$;
+
 insert into public.usr (tag, password, email) values
diff --git a/schema/0101_acting_usr.sql b/schema/0101_acting_usr.sql
index e535900..0212e8f 100644
--- a/schema/0101_acting_usr.sql
+++ b/schema/0101_acting_usr.sql
@@ -18,10 +18,7 @@ declare acting_usr public.usr; begin if nullif(current_setting('dnim.usr_uid', true), '') is null then
- select u.*
- from public.usr u
- where u.tag = public.usr_tag_of_string('root')
- into acting_usr;
+ acting_usr := public.usr_root();
 else select u.* from public.usr u
diff --git a/schema/0300_grp.sql b/schema/0300_grp.sql
index 36969f7..aea3220 100644
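Review bot: In `.gitea/workflows/migrate-devel.yml` the new `devel@*` tag trigger lets anyone who may push a matching tag start a migration, from whatever commit the tag points at, whereas the old `main` trigger inherited whatever branch protection `main` has. The same applies to `stage@*` in the first hunk of `migrate-stage.yml`, whose job reads `secrets.POSTGRES_STAGE_URI`. I would add a comment above `on:` such as `# relies on devel@* / stage@* being protected tag patterns in the repo settings` and confirm those patterns are actually protected before merging.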
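Review bot: The `run:` line in the second hunk of `migrate-stage.yml` expands `${{ gitea.ref_name }}` into the script text before the shell sees it, so a tag name containing shell metacharacters is executed as code in a job that holds `POSTGRES_STAGE_URI`. Pass the value through the environment instead: add `TO_TAG: '${{ gitea.ref_name }}'` under the existing `env:` and change the step to `- run: './scripts/migrate.sh "$TO_TAG" --greenlight'`. The run step of `migrate-devel.yml` is not part of this diff; if it still passes `--greenlight` as the first argument, `migrate.sh` will now treat that as the tag.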
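Review bot: `public.usr_root()` in `schema/0100_usr.sql` has no comment saying what it yields when no row is tagged `root`. A `language sql` function declared `returns public.usr` returns NULL in that case, so callers such as `(public.usr_root()).id` silently get a NULL id rather than an error. Suggest a header comment like `-- Returns the usr row tagged 'root', or NULL if none exists; callers must handle NULL.` The same applies to `public.grp_admins()` added in `schema/0300_grp.sql`.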
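Review bot: The branch touched in `schema/0101_acting_usr.sql` resolves the acting user to root whenever `dnim.usr_uid` is unset or empty, which is a fail-open default that the new one-line form makes easy to read past. If this is meant only for migration or maintenance sessions, say so at the branch, e.g. `-- no dnim.usr_uid in this session: fall back to root (trusted sessions only)`; otherwise consider raising an exception there instead. The enclosing function starts and ends outside the hunk, so how the setting is established for application sessions is not visible here.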
--- a/schema/0300_grp.sql
+++ b/schema/0300_grp.sql
@@ -10,6 +10,12 @@ create table public.grp insert into public.grp (tag) values (grp_tag_of_string('admins'));
+create function public.grp_admins()
+ returns public.grp
+ stable
+ language sql
+ as $$select * from public.grp where tag = public.grp_tag_of_string('admins')$$;
+
 create function public.do_grp_add_admins() returns trigger volatile
diff --git a/schema/0301_grp_usr.sql b/schema/0301_grp_usr.sql
index aa4d054..8383300 100644
--- a/schema/0301_grp_usr.sql
+++ b/schema/0301_grp_usr.sql
@@ -44,19 +44,8 @@ $$; create function public.grp_members_admins() returns setof public.usr stable
- language plpgsql
- as $$
-declare
- gid int;
-begin
- select g.id
- from public.grp g
- where g.tag = public.grp_tag_of_string('admins')
- into gid;
-
- return query select * from public.grp_members(gid);
-end;
-$$;
+ language sql
+ as $$select * from public.grp_members((public.grp_admins()).id)$$;
 create function public.grp_rm_member(from_grp int, rm_usr int) returns void
diff --git a/schema/0302_default_grps.sql b/schema/0302_default_grps.sql
index 2d45743..e292097 100644
--- a/schema/0302_default_grps.sql
+++ b/schema/0302_default_grps.sql
@@ -12,6 +12,12 @@ begin perform public.grp_add_member(to_grp => new_grp, add_usr => new.id);
+ update public.perm
+ set owner_user = public.usr_root()
+ , owner_group = public.grp_admins()
+ where path = '/groups/' || new_grp || '/members'
+ or path = '/groups/' || new_grp || '/tag';
+
 return null; end; $$;
diff --git a/schema/0400_perm.sql b/schema/0400_perm.sql
index b8935de..897864a 100644
--- a/schema/0400_perm.sql
+++ b/schema/0400_perm.sql
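Review bot: In `schema/0302_default_grps.sql` the added `update public.perm` assigns whole rows to `owner_user` and `owner_group`: `public.usr_root()` returns `public.usr` and `public.grp_admins()` returns `public.grp`, while `0400_perm.sql` fills those columns from `int` values (`root`, `admins`, `NEW.id`), so the statement is expected to fail with a type error. Use the id fields, as the first `0400_perm.sql` hunk does: `set owner_user = (public.usr_root()).id` and `, owner_group = (public.grp_admins()).id`. The second hunk of `schema/0400_perm.sql` has the same slip, assigning `admins := public.grp_admins();` into `admins int`; it should read `admins := (public.grp_admins()).id;`. The trigger function body here starts outside the hunk.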
@@ -16,8 +16,8 @@ declare root int; admins int; begin
- select * from public.usr where tag = usr_tag_of_string('root') into root;
- select * from public.grp where tag = grp_tag_of_string('admins') into admins;
+ root := (public.usr_root()).id;
+ admins := (public.grp_admins()).id;
 insert into public.perm (path, owner_user, owner_group, owner_user_mode, owner_group_mode, everyone_mode)
@@ -33,7 +33,7 @@ create function do_insert_usr_perm() returns trigger language plpgsql as $$ declare admins int; begin
- select * from public.grp where tag = grp_tag_of_string('admins') into admins;
+ admins := public.grp_admins();
 insert into public.perm (path, owner_user, owner_group, owner_user_mode, owner_group_mode, everyone_mode)
@@ -41,6 +41,7 @@ begin ('/users/' || NEW.id || '/tag', NEW.id, admins, 'w', 'w', 'r') , ('/users/' || NEW.id || '/email', NEW.id, admins, 'w', 'w', '-') , ('/users/' || NEW.id || '/deleted', NEW.id, admins, 'w', 'w', '-')
+ , ('/users/' || NEW.id || '/password', NEW.id, admins, 'w', 'w', '-')
 ; return new;
diff --git a/scripts/diff.sh b/scripts/diff.sh
index be1ff55..521606d 100755
--- a/scripts/diff.sh
+++ b/scripts/diff.sh
@@ -28,8 +28,10 @@ if [[ ! -f "$migration" ]]; then echo "migrate from $rev => HEAD" 1>&2
- migra --unsafe $base_url $head_url > "$migration" \
+ echo "BEGIN" > "$migration"
+ migra --unsafe $base_url $head_url >> "$migration" \
 || echo "migra exited with code $?. this is /probably/ fine" 1>&2
+ echo "COMMIT;" > "$migration"
 fi echo "$migration"
diff --git a/scripts/migrate.sh b/scripts/migrate.sh
index 6e26070..e0f9106 100755
--- a/scripts/migrate.sh
+++ b/scripts/migrate.sh
@@ -9,7 +9,7 @@ if [[ -n $(git status --porcelain) ]]; then exit 1; fi
-head=$(git show --format=format:%h -q)
+to_tag="$1"
 get_dnim_database_count="copy (select count(*) from pg_database where datname = 'dnim') to stdout with null as '';" dnim_database_count=$(psql "$POSTGRES_URI/postgres" -c "$get_dnim_database_count")
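Review bot: The `/users/<id>/password` row added in the third hunk of `schema/0400_perm.sql` is only created inside `do_insert_usr_perm()`, which judging by its use of `NEW.id` runs per inserted user, so users that already exist will have no perm row for their password path after this migration. `migra` emits schema changes only, so the generated script will not backfill it. Suggest a one-off backfill alongside this change that inserts `'/users/' || id || '/password'` with owner `id`, group `(public.grp_admins()).id` and modes `'w', 'w', '-'` for every existing `public.usr` row, and a check of what the permission lookup does when no row matches a path, which is not visible in this diff.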
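Review bot: In `scripts/diff.sh` the added `echo "COMMIT;" > "$migration"` truncates the file, so what `migrate.sh` later passes to `psql -f` contains only `COMMIT;` and none of the migra output; it needs `>>`. The opening `echo "BEGIN"` also lacks a semicolon, so it runs straight into the first generated statement. Suggested lines: `echo "BEGIN;" > "$migration"` and `echo "COMMIT;" >> "$migration"`.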
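Review bot: `to_tag="$1"` in the first hunk of `scripts/migrate.sh` is never validated, and the last hunk splices it between single quotes into the `insert into migration` statement, where the old `$head` was a git short hash; a tag name containing a quote now changes the SQL run against the target database. Reject anything unexpected right after the assignment, e.g. `[[ "$to_tag" =~ ^(devel|stage)@[A-Za-z0-9._-]+$ ]] || { echo "invalid tag: $to_tag" 1>&2; exit 1; }`. That check also catches a caller that still passes `--greenlight` as the first argument now that the flag has moved to `$2`.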
@@ -25,7 +25,7 @@ else last_revision=$(psql "$POSTGRES_URI/dnim" -c "$get_last_revision") migration_file=$(./scripts/diff.sh "$last_revision")
- if [[ "$1" = "--greenlight" ]]; then
+ if [[ "$2" = "--greenlight" ]]; then
 psql "$POSTGRES_URI/dnim" -f "$migration_file" else echo "migration available at $migration_file"
@@ -34,6 +34,6 @@ else fi fi
-insert_migration="insert into migration (from_revision, to_revision, script) values ('$last_revision', '$head', \$migration\$$script\$migration\$);"
+insert_migration="insert into migration (from_revision, to_revision, script) values ('$last_revision', '$to_tag', \$migration\$$script\$migration\$);"
 psql "$POSTGRES_URI/dnim" -c "$insert_migration" echo "inserted migration"