Can a role be defined specifically to allow users to use GMU migrateOut and migrateIn for policies and folders?
The GMU has always had a requirement for the migration user to be a member of the Administrator role specifically in order for it to be used. Even creating a new custom role and granting that role all of the same individual privileges that the Administrator role has (i.e., all privileges) will not work. There is an existing request in our development system to add functionality to the product to be able to create a custom role specifically for migration.
I did find the following somewhat related community thread that I thought I would bring to your attention. Perhaps this may help with meeting your internal security requirement.
Migration Account + GMU