[Apologies, this may be a google-driving-failure; sure I've seen this documented somewhere, but I can't find it. I'm seeking a reference I can pass to colleagues.]
I am addressing the scenario of deploying multiple Project/WAR Runtimes to an MFP server environment, that environment using an Oracle database.
We see the documented requirement:
Each configuration for a MobileFirst runtime environment must use a different runtime database or schema
And as for Oracle there is a one-one mapping from user to schema, in the WAR deployment instructions we see
For Oracle, the database user must be different.
The question here is about the privileges necessary for those Runtime users.
For the other schemas, used by the MFP server itself, there are table-creation scripts that are run during server-creation. Hence the DBAs can run those scripts, grant necessary privileges and at runtime the MFP servers users do not need capabilities such as table creation.
What privileges do these Runtime users need? I think they will at least need to create tables? Is there a point when it is safe to remove those privileges? That is, is there dynamic table creation?
The privileges the Runtime users need are listed in the documentation on the page that provide you manual installation steps for installing the Runtime
"Setting up your Oracle databases manually"
http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.deploy.doc/admin/t_setting_up_your_oracle_database_manually.html?lang=en
Those privileges are : CREATE SESSION, CREATE SEQUENCE, CREATE TABLE
There is no dynamic table creation.
The same privileges are used when you install Runtimes using Ant tasks or with the Server Configuration Tool.
Basically, it is not a good idea to remove the CREATE TABLE privilege for the user after the Runtime installation because you may run into trouble when performing an upgrade to a new release in which one or more tables may have been added.