Very restrictive. No normal user should be able to do a Nessus scan. You'll need to create some positions in the company that have exclusive access to do the scanning.
Nessus needs complete access to every port and every machine, so if the scan is executed from the outside, the IP number from which the scan is executed needs to be opened in this way