migration_script.php

<?php


        $SiteAdminUsers = TableRegistry::get('SiteAdminUsers');
        $user = $SiteAdminUsers->newEntity();
        $user->site_id = $site->id;
        $user->login_id = 'test_site_admin';
        $user->password = 'test_site_admin';
        $user->enabled = true;
        $user->role = SiteAdminUser::ROLE_SUPER;
        $SiteAdminUsers->save($user);

SiteAdminUser.php

<?php
namespace App\Model\Entity;

use Cake\ORM\Entity;
use Cake\Auth\DefaultPasswordHasher;

/**
 * SiteAdminUser Entity.
 *
 * @property int $id
 * @property int $site_id
 * @property \App\Model\Entity\Site $site
 * @property string $login_id
 * @property string $password
 * @property bool $enabled
 * @property string $role
 * @property \Cake\I18n\Time $created
 * @property int $creator
 * @property \Cake\I18n\Time $modified
 * @property int $modifier
 */
class SiteAdminUser extends Entity
{

    const ROLE_GENERAL = 'general';
    const ROLE_SUPER = 'super';

    /**
     * Fields that can be mass assigned using newEntity() or patchEntity().
     *
     * Note that when '*' is set to true, this allows all unspecified fields to
     * be mass assigned. For security purposes, it is advised to set '*' to false
     * (or remove it), and explicitly make individual fields accessible as needed.
     *
     * @var array
     */
    protected $_accessible = [
        '*' => true,
        'id' => false,
    ];

    protected function _setPassword($password)
    {
        if (strlen($password) > 0) {
          return (new DefaultPasswordHasher)->hash($password);
        }
    }
}