What are the minimum required permissions for the database to run initial installs and upgrades for the Identity Manager suite?

Prerequisites for using IMAG Standalone or vApp with an external database 
==========================================================

============
= Overview =
============
1) The DBA should create new users and passwords (also known as "schemas" when using Oracle database) for each of the products that you intend to deploy:
   * Identity Manager
   * Identity Governance
   * Identity Portal
   These users should be DBO for first time startup after initial install OR upgrade, After the first restart the permissions can be pruned as described below

2) The DBA should provide the above credentials to the Identity Suite Virtual Appliance administrator - to be configured and verified in the External Database configuration screen.

3) During the Virtual Appliance solution deployment, the databases will be automatically populated with tables.

=====================================================================================================
========================================= Identity Portal ==========================================
=====================================================================================================
Oracle: 
-------
a. Create an Identity Portal database.
b. Create a user with CONNECT and RESOURCE privileges on the Identity Portal database.
c. Grant a quota to the tablespace of the Identity Portal database

MS SQL:
-------
a. Create an Identity Portal database.
b. Create a user with DBO privileges on the Identity Portal databsae.
c. After Install or upgrade, you can change these to data_reader, data_writer

=====================================================================================================
========================================= Identity Manager ==========================================
=====================================================================================================
Identity Manager uses 6 data sources:
1) Object Store 
2) Task Persistence 
3) Archive 
4) Auditing 
5) Snapshots (reporting) 
6) Workflow 
You may either create a single user/schema for all of the above data sources, or decide to split schemas according to sizing requirements (you may either split all data-sources, or some of them)

Oracle:
-------
a. Create an Identity Manager database.
b. Create a user with DBA privileges on the Identity Manager database.
c. The tables will be created automatically by Identity Manager upon first run
d. After the first run, you can revoke the DBA privilege and assign the following privileges instead:
   Create/alter/drop tables 
   Create/alter/drop view 
   Create/alter/drop INDEX 
   Create/replace/drop stored procedures 
   Create/replace/drop functions 
   Create/drop sequence 
   Create/replace/drop triggers 
   Create/replace/drop types 
   Insert/select/delete records 
   CREATE SESSION / connect to database

MS SQL:
-------
a. Create an Identity Manager database.
b. Create a user with DBO privileges on the Identity Manager database.
c. After Install or upgrade, you can change these to data_reader, data_writer

====================================================================================================
======================================= Identity Governance ========================================
====================================================================================================
MS SQL:
-------
a. Enable XA transactions on the database (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/upgrading/Post-Upgrade-Tasks.html )
b. Create a login user on the Identity Governance database server (you may create separate users for each of the below databases)
   The login user needs to have the following SQL server roles:
   db_owner
   BulkAdmin
   DDLAdmin

c. After Install or upgrade, you can change these to data_reader, data_writer
   
D. Create the following databases (you may change the names as you see fit)
   EUREKIFY_SDB
   TICKET_DB
   REPORT_DB
   WPDS

Oracle: 
-------
a. Create the following users with CONNECT and RESOURCE privileges on the Identity Governance database (you may change the names as you see fit):
   EUREKIFY_SDB
   TICKET_DB
   REPORT_DB
   WPDS
b. Grant a quota to the tablespace of the Identity Governance database
c. Grant XA permissions on the database to the WPDS user as by running the following statements (for full details, see: https://access.redhat.com/solutions/22274 Note: A RedHat login account may be required to access the solution):
     GRANT SELECT ON sys.dba_pending_transactions TO <WPDS_USER>;
     GRANT SELECT ON sys.pending_trans$ TO <WPDS_USER>;
     GRANT SELECT ON sys.dba_2pc_pending TO <WPDS_USER>;
     GRANT EXECUTE ON sys.dbms_system TO <WPDS_USER>;
     GRANT FORCE ANY TRANSACTION TO <WPDS_USER>;
   
   Note: if XA permissions are not granted, the IG application server log will log the following warnings periodically:
   WARN  [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016008: Local XARecoveryModule.xaRecovery - caught exception: java.lang.NullPointerException
   WARN  [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016027: Local XARecoveryModule.xaRecovery got XA exception XAException.XAER_RMERR: