Any server where the user logs in as "administrator" can recover data from all servers!

This was unexpectedly reported by a consultant who asked us to backup his laptop tried to recover a file.

Where should I be looking? I don't have any wildcards but

nsradmin -> show -> print type:NSR usergroup 

is messy,

for the user groups should it not be user@server   ? rather that user=X, host=Y

Also I read this.

The following users have permission to recover any files on any client, regardless of the users who
are listed in the Remote Access attribute:
‘Root’ user on a UNIX host
Member of the ‘Administrators’ local group on a Windows host
Members of a ‘Application Administrator’ User group on the NetWorker Server
Members of a NetWorker Server User group that has the ‘Change Security Settings’ privilege

 Does this mean networker can only be installed where you have total control of the "admin/root" users on all servers?