You may be able to use the new 'ACL Policy' which will let you update the policy which updates the permissions on all objects the policy is associated with.
Otherwise, I think you must still use a script to ensure that you force the 'Replace'
I have difficulty to see how ACL policy can work with promotion and demotion of package?
ACL policy works I believe like this:
1- Apply the ACL policy to object
2- if I modify the policy automaticly the policy will be changed acroos all the object linked to it.
Doe sit mean that you will have to have RBAC level authorisation to do it? if yes, it will not be better to have always only RBAC role which can play into the RBAC area.
You must have Object.ModifyACLs on the objects to change the ACLs. Any role can be granted that permission. You would also need Modify permission on the ACL Policy itself.