I haven't done it, but I don't imagine it being a very difficult trial and error process. I would create a role that has execute permission on scripts, write access to the reports server, and write access to each server you want them to be able to run os_config against. (I think a temp file gets created on the target host). Revoke any browse capabilities so this role can't access the server through the GUI or NSH, and then give it a shot. If anything you'll see some permission denied errors, and then just use those to figure out what sort of additional access you need to grant.