An SEO consultant has asked (demanded) credentials to the web environment so he can do ... Whatever it is that they do.
I'm new to the company but an experienced Systems Engineer. I've just now been brought into this situation, but my reaction to giving him credentials is a pretty solid "No" unless he can provide a compelling reason, which is yet forthcoming. Before I was brought into this, he had been provided an archive of the relevant files, but he said that this was insufficient.
The (admittedly) little that I know about SEO tells me that he should be able to get everything that he wants should be able to be gathered from view source
or a copy of the files, and we would implement his changes in a production deploy after review.
Short answer: What Chris S said: See "Our security auditor is an idiot, how do I give him the information he wants?".
Long answer:
Some of what a "SEO Guy" needs to do might require server access -- for example, installing optimized mod_rewrite rules, adding custom 404 pages, creating friendly redirects (and/or optimizing existing 3xx redirects), etc.
None of this is something that you can't do for him, and none of it is black magic trade secrets (he's going to make these changes on your server, you could diff the config file later and see exactly what was done).
Because of that I personally don't see any need to give them access to make changes on the server (a read-only account sure, if you want, but no ability to affect changes without going through your company's approval process).
My advice:
Be proud of your No, for you are on the side of good, and righteousness, and stability of your environment.
Pretty straightforward: "It's a giant security risk, he can just as easily give us his changes to push live so we can audit them first, yadda yadda yadda.".
If you present solutions that still let the SEO guy get his job done while protecting your environment, and your higher-ups aren't insane, they will probably back you on this.
If it's a deal breaker for them let 'em walk. There are tons of SEO consultants out there...
If Management tells you to give him access anyway get that in writing. Issue a memo outlining the risks, and get someone above you to sign off on those risks (this is all about protecting you in the event this guy blows up your server).
You should also insist that the consultant sign something stating that they will be liable for any damages if they disrupt the stability of your environment (which is all about protecting the company).
He should only need credentials to make on-page related changes.
For an analysis, you're right he can just view source. He could run into an issue during the on page analysis and it could be helpful to login from the backend, but not necessary..