VCS Expressway-C and Unity Connection

ahochau_2
Level 1

What roles are required for the Unity Connection user for the VCS Expressway-C configuration?  I'm assuming Cisco wants the service account to have system administrator, but I would prefer not to do that for obvious reasons.  Haven't been able to find anything other than "enter the credentials" in the documents.

9 Replies

Jaime Valencia
Cisco Employee

It would help if you properly explain exactly what you're trying to do, and not mix terms.

Either you have a VCS-E, or an Expressway-C.

HTH

java

if this helps, please rate

What I have is a VCS-Expressway Core and a VCS Expressway Edge. I am going through the document for MRA, or the remote access for the JABBER clients. On the Core, I need to specify the Unity Connection server, and it is asking for a user/pass. There is no explanation in the document as to what the perms/roles need to be for said user. If I go to the VCS Unity Connection configuration guide, it talks about setting up a SIP trunk for endpoints that are registered to the VCS Control; there is nothing I have found other than the MRA configuration guide for the Expressway Core configuration.

I agree the naming of the products is confusing, especially when you are trying to learn.

Use the Unity Connection cluster application administrator ID. Expressway uses that ID to query the nodes and pull hostname information so it can add Unity Connection nodes to the HTTP allow list. Prior versions of Expressway did not include this automatic query and you had to modify the HTTP allow list manually. AFAIK that is all the Expressway to Unity Connection query does.

Yeah, figured Cisco wants the "god" account again. Horrible. I've never been a fan of the "we're not going to tell you what permissions are actually needed, just give me everything" approach.  But it is an easy way to do it.  Especially becomes a problem when you only have one "god" account and someone changes the password and random things start breaking.  Always create a separate account.

The issue you've described above isn't a technology problem. If you're concerned about the admin account password being reset randomly, you should look at new methods of managing the system. RBAC is available.

ryandowdy
Level 4

Have the same question. Customer requires hardening and is requesting the absolute minimum role necessary for VCS-C to communicate successfully with Unity.  If no answer here, I will open a TAC or PDI case.

I don't think there's any documentation that explains what is the exact role that is required for the integration to CUCM, IM&P or CUC. I guess the assumption is that you'll use one user who has admin privileges. Bear in mind that CUC just provides a limited set of roles.

HTH

java

if this helps, please rate

That is not entirely correct.
CUCM (and thus implicitly IM&P, as more recently they have been integrated) requires a user with AXL API access rights.
There is a standard Role for it, but not a Standard access group that is delimited to only this.
However you can do one group with only this role in it and add your limited CUCM end-user to only this group.

There is probably something similar for Unity as well, but unfortunately I have no unity/VCS/Expressway setup on hand right now to test this.
Looking at roles in Unity I would hazard a "remote administrator" role may be the one.

This user is really only used to query members of a cluster from the publisher. For CUCM & IM&P this is an AXL query, for Unity (if I'm not mistaken) it's based on the REST API.

Once the servers have been queried, this user is not actively used in day-to-day operations (you can delete it or change its password and services would keep functioning as before, but if for any reason the servers would need to be refreshed again, that would fail of course).

For those still looking at this question - I did a little poking, first creating a separate appuser "service account" and found that:

  1. none of CUC's custom role functions provide the correct level of access
  2. none of the predefined system roles that looked potentially helpful were
  3. adding the "System Administrator" (god) role did work

Is what it is I suppose, but would be nice if the MRA documentation was at least clear on this point for CUC.