The helpdesk chaps should only need the below server MSIs installed (or the 64bit equivalents):
- SEE Management Agent.msi
- SEE Help Desk.msi
As far as SQL permissions go, the below articles suggest you should be able to get away with db_reader only (though these were written for earlier versions of SEE):
http://www.symantec.com/docs/TECH159230
http://www.symantec.com/docs/TECH170084
#EDIT#
Oh yeah, don't forget, SEE11.0.1 added Administrator Roles to help manage what your admins can do too. More info can be found in the Policy Admin guide below:
http://www.symantec.com/docs/DOC8204