While we don't have a PMAdmin user by default, you're correct in stating that blade.provision.* and blade.provision.alldevices effectively grant one admin permissions with relation to provisioning. The PM console, however, behaves very similarly to the CM console in that an item created in one role is not viewable unless explicitly shared to another role. This is why you can see system packages in one role, but not another.
Can you provide a one-line official summary of Blade.provision.alldevices, since this doesn't appear in the 'new in this release' document?
I've created ticket 7904 for this. I want to look into whether we have this documented someplace before I invent a description. :)
For everyone else's benefit:
Blade.provision.alldevices is a stand-alone permission (it's not part of blade.provision.*) that, when granted, makes the role where it's granted behave like it did prior to the 6.3 release (from a Provisioning perspective).
Additional RBAC features in 6.3 were designed to make the assignment of MAC addresses to particular roles the preferred "best practice" behavior. However, a customer may have an existing process they don't want to alter, or may be upgrading from a previous release and want everything to work as it did before the upgrade. This would then allow them to phase in the RBAC-managed MAC address approach over time.
Since previous releases let all roles see all devices in the PM Console, blade.provision.alldevices does the same thing. If your role has blade.provision.alldevices, you will see all discovered devices in the PM console regardless of which MAC addresses you have assigned to your role via RBAC.