To clarify, are you okay to allow them access to a local agent? The easiest method would be to install an agent on those machines with a policy that allows the local user to run tasks:
Does that help, or would they need to be restricted from running the agent as well?
We're agent-less on the servers they want to manage.
I might still suggest using the agent method for those machines, as it would be a little less involved (just open the GUI and click the task), but if you need to be agentless, you can follow this method:
From the console side, you scan as normal, but rather than scheduling the actual deployment, you make sure to choose "Do not schedule execution" after choosing your Deployment Template. This would stage the deployment on the target; then executing the batch file as administrator, as described in the above doc, will run the execution of the patches.
Does that help? Is there anything else I can clarify?