If it is the datasource user, then that account should have permissions to select/update/delete on all tables and read sequences on the webapi schema.
If it is the flyway user, it requires full permissions because that is the account that creates/drops tables and creates sequences.
I mean this one in the CDM configuration depicted here. I think webapi_sa should be the same as the users you meant in the xml settings, is that right? (In the database preparation part, ohdsi_admin_user and ohdsi_app_user are used.) The ohdsi_app_user === webapi_sa here, right?
Ok: in the documentation you’re referencing, they are talking about setting up the CDM’s result schema. This database that holds the CDM and Results schema is completely distinct from the WebAPI database, so you can ignore the settings found in the .xml files because those are only used to talk to the WebAPI database. Sorry for my confusion; when you said ‘the webapi_sa’ account, I wasn’t understanding that you meant the service account (sa) that is used to talk to the CDM. I understand now.
So, for the privileges for the ‘webapi_sa’ account (the account WebAPI uses to connect to a CDM), the permissions were shown in the table from your screenshot:
CDM schema: Read Only
Vocabulary schema: Read Only (it is standard practice to have the CDM and Vocabulary schemas the same)
results schema: insert/delete/update/select
temp schema: full control (to create/update tables.)
It may be the case that since these guidelines were written, the results schema may need to have create/drop table permissions too, but I’m not sure. If you get errors starting up WebAPI about ‘permission denied creating table’ on your Results schema, then you may have to adjust permissions of webapi_sa.
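
The permission list above, written out as least-privilege grants with a check query. This is an added example, not part of the original posts or the OHDSI documentation. It assumes the CDM is hosted on PostgreSQL, and the schema names `cdm` (holding the vocabulary too), `results` and `webapi_temp` are placeholders; only `webapi_sa` comes from the thread.

```sql
-- Added example: PostgreSQL syntax assumed; schema names are placeholders.
-- Run as the owner of the schemas. ALTER DEFAULT PRIVILEGES without FOR ROLE
-- only covers tables later created by the role that runs it.

-- CDM schema (vocabulary assumed to live in the same schema): read only
GRANT USAGE ON SCHEMA cdm TO webapi_sa;
GRANT SELECT ON ALL TABLES IN SCHEMA cdm TO webapi_sa;
ALTER DEFAULT PRIVILEGES IN SCHEMA cdm
  GRANT SELECT ON TABLES TO webapi_sa;

-- Results schema: data changes only, no DDL
GRANT USAGE ON SCHEMA results TO webapi_sa;
GRANT SELECT, INSERT, UPDATE, DELETE
  ON ALL TABLES IN SCHEMA results TO webapi_sa;
ALTER DEFAULT PRIVILEGES IN SCHEMA results
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO webapi_sa;
-- Only if WebAPI reports 'permission denied creating table' on results:
-- GRANT CREATE ON SCHEMA results TO webapi_sa;

-- Temp schema: full control (USAGE + CREATE; the account owns what it creates)
GRANT ALL ON SCHEMA webapi_temp TO webapi_sa;

-- Check 1: schema-level rights actually held by webapi_sa
SELECT n.nspname AS schema_name,
       has_schema_privilege('webapi_sa', n.nspname, 'USAGE')  AS can_use,
       has_schema_privilege('webapi_sa', n.nspname, 'CREATE') AS can_create
FROM pg_namespace n
WHERE n.nspname IN ('cdm', 'results', 'webapi_temp')
ORDER BY n.nspname;

-- Check 2: tables in the read-only schema where webapi_sa can still write.
-- A comma-separated privilege list returns true if ANY of them is held,
-- so this query should return zero rows.
SELECT t.schemaname, t.tablename
FROM pg_tables t
WHERE t.schemaname = 'cdm'
  AND has_table_privilege(
        'webapi_sa',
        format('%I.%I', t.schemaname, t.tablename),
        'INSERT, UPDATE, DELETE');
```

With only the documented permissions, check 1 should show `can_create` as true for the temp schema alone; a true value on `cdm` means the account is over-privileged relative to the list above.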