When you say full access, do you give DBA privileges for that user. In our case, we dont give DBA access to the user. Rather we give only ( select,insert,update,delete, references, alter, index) privileges on tables. For the sequences, we create synonyms and provide ( select,alter) privileges.
I'll base my answers on a MySQL database. I give all privileges (there are quire a number of them) to the user on the created database. The user also has GRANT privileges, which enables that user to also grant the same privileges to others. I haven't tried creating a user without GRANT privilege, nor have I attempted to determine the minimum number of privileges required for the software to work.
By the way, Portal uses Hibernate for its data access, so any posts or blogs that deal with security issues with Hibernate on Oracle should apply to Portal.