When scanning CIFS shares, does the scan need "write" credentials to reset the last access date, or is "read" credentials sufficient?
The last access date cannot be preserved on files which are write protected either by the read-only attribute or by a restrictive NTFS security permission: "Write Attributes". So yes the scan user must have the "write attributes" permission and the file must not have the read-only attribute set.
Resetting the last access date incurs additional overhead that may impact backup and archive performance. The last access date should be reset only if you are using another application, such as backup and archival application, that relies on accurate last access dates.
Specifically: How we reset the last access date depends on share and NTFS (folder) permissions. The more stringent of share permissions & NTFS permissions is applied. So if share permission is read only then the users cannot modify files in the folder even if the folder (NTFS) permissions allows you to do so. Similarly, if the folder (NTFS) permissions is readonly, the user cannot modify the file even if the share permissions grant change or full control.