It is considered best practice to create/use a separate user for migrations only, and the user will need full admin privileges.
Since the GMU uses the REST Management Service and since you want a user just for the migrations it might be a good idea to only allow that user to authenticate against that service. This will ensure that no other user will be able to access the migrations through the REST Management Service (see picture above).