Kyle Beckman

You could always use something like Process Monitor to watch the executables that are part of the application.  I can see you running into a few problems:  First off, if the application has a lot of executables, you could be monitoring for a long time.  Second, you’ll have to run through every function that the application performs against the file system to see how it interacts.  Both could be incredibly time consuming.

Honestly, this is most likely a ‘take it back to the vendor’ kind of thing.  My experience has been that if the vendor doesn’t publish recommended permissions, some will just tell you to give the user “Full Control” or even make them an Admin on the local box.  But, it is entirely possible they do have a document and it is just hard to find.

If they give you an answer you don’t like, or that doesn’t jibe with your organization’s policies, don’t hesitate to [nicely] call out the vendor on it.  You may also want to consider asking the question in some kind of public forum so there can be a community discussion if the configuration they recommend is insecure.
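The Process Monitor approach described in the post above can be shortened by saving the capture as CSV and summarizing it, as in this added example, which is not part of the original post. It assumes Process Monitor's default export columns; the process names, paths and rows are constructed, and the Read/Modify mapping is a simplification.

```python
import csv
import io
import re
from ntpath import dirname  # Windows path rules on any OS

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","CreateFile","C:\Program Files\App\app.ini","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.4","app.exe","4120","ReadFile","C:\Program Files\App\app.ini","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.0","app.exe","4120","CreateFile","C:\ProgramData\App\cache\state.db","ACCESS DENIED","Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: 0"
"10:01:03.2","helper.exe","5008","CreateFile","C:\ProgramData\App\logs\run.log","SUCCESS","Desired Access: Write Data/Add File, Append Data/Add Subdirectory, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:01:03.9","explorer.exe","2210","CreateFile","C:\Users\Public\Desktop","SUCCESS","Desired Access: Generic Write, Disposition: Open, Options: Directory, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
'''

# Only the Desired Access field matters; ShareMode also contains "Write".
ACCESS_RE = re.compile(r"Desired Access: (.*?), Disposition:")
WRITE_HINTS = ("Write", "Append", "Delete", "Generic All")

def required_rights(csv_text, process_names):
    """Return ({folder: 'Read'|'Modify'}, {folders where an open was denied})."""
    wanted = {name.lower() for name in process_names}
    rights, denied = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in wanted:
            continue  # other processes on the box are noise
        if row["Operation"] != "CreateFile":
            continue  # access rights are requested when the handle is opened
        match = ACCESS_RE.search(row["Detail"])
        if not match:
            continue
        folder = dirname(row["Path"])
        needs_write = any(hint in match.group(1) for hint in WRITE_HINTS)
        # Simplified mapping (assumption): any write-type request means Modify.
        if needs_write or folder not in rights:
            rights[folder] = "Modify" if needs_write else "Read"
        if row["Result"] == "ACCESS DENIED":
            denied.add(folder)
    return rights, denied

if __name__ == "__main__":
    rights, denied = required_rights(SAMPLE_CSV, ["app.exe", "helper.exe"])
    for folder in sorted(rights):
        flag = "  <- currently denied" if folder in denied else ""
        print(f"{rights[folder]:<6} {folder}{flag}")
```

The per-folder summary gives a starting point for a least-privilege ACL and a concrete list to put in front of the vendor; it only covers the application functions exercised during the capture.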

