What is the intention to do so?
Giving user access to Splunk CLI on a forwarder will not enable them to run a local search on it.
Further more you have to enable some config option to be able to remote connect to the Splunk management port which will open potential security risks.
But to answer your initial questions (just remember the potential security risks you're about to open):
what need to be installed in their local computers ?
To my surprise you only need an universal forwarder and can run a remote search using this command /opt/splunkforwarder/bin/splunk search 'index=_internal earliest=-1min|stats count by sourcetype' -uri 'https://TheRemoteServer:8089/'