I'd like to establish a common "migration" user for my environment. Are there a set of roles that a migration user can have, or will it need full admin to use GMU?
It is considered best practice to create/use a separate user for migrations only, and the user will need full admin privileges.
Since the GMU uses the REST Management Service and since you want a user just for the migrations it might be a good idea to only allow that user to authenticate against that service. This will ensure that no other user will be able to access the migrations through the REST Management Service (see picture above).
Retrieving data ...