Secure Cluster doesn't scale for us. Our largest cluster is a 13-node CFS cluster with 40 users and 160 service groups (and growing). Because Secure Cluster defines access using (node,user,group), that gives us 83,200 possible security identifiers to have to manage. In reality, we would probably need to define about 2000 security identifiers for this cluster, but even that number is unmanageable.
We currently use halogin for accessing VCS from non-root accounts.
I did some testing using 'hares -action' and it looks very promising. It's not interactive, but it solves the basic problem of running a script as root on a remote cluster. Now I have some scripting to do. Thanks Mike for the idea of using agent action scripts.