April 25th, 2025 15:39
Limit administrator privileges
As a fairly new NetWorker user/administrator I've been asked to create an administrator account / role with limited privileges. Specifically, this limited administrator must be able to do anything the standard administrator can do except for deleting backed-up data and changing the retention time of already backed-up data.
Is such a thing possible?
We are using NetWorker 19.11
bbeckers1
May 9th, 2025 17:30
Did you actually look in the nw19.11 security configuration guide, how to deal with user groups and privileges assigned with them?
https://dl.dell.com/content/manual39168603-dell-networker-19-11-security-configuration-guide.pdf?language=en-us
The thing is that NW is not that granular with regards to RBAC to only disallow the deletion of backup data. Even if it were, still a privilege like "Operate Devices and Jukeboxes" allows not only the mount/unmount of volumes but also to relabel them, which is a destructive kinda operation.
So yes, you can set up an approach with a newly to be created User Group with specific privileges, deviating from the default Administrator User Group, but more often than not you are still handing out the keys to the kingdom (except maybe for certain settings, for example not being able to create new security related settings or be able to create new resources, like not granting access to the privileges "Change Security Settings", "Create Security Settings", "Delete Security Settings", "Change Application Settings", "Create Application Settings" and "Delete Application Settings". But still you'd then be able to delete backup data if you have "Operate Devices and Jukeboxes" allowing to relabel a volume).
That is however where - when using Dell Data Domain de-duplication appliances - immutability comes in and could be applied. As regardless of the permissions that you'd have within the backup tool, you could set an immutable period, for example for a week, so that one could not even delete data, while any data beyond the first week, would then be able to be deleted. So then accidental deletion or even a rogue admin could not even delete the data (at least not for the period to be set, where the most recent backups would normally be the most important as those are most likely to be used for restores).
For example, the preconfigured Administrator User Group has these privileges:
● Remote Access All Clients
● Configure NetWorker
● Operate NetWorker
● Monitor NetWorker
● Operate Devices and Jukeboxes
● Recover Local Data
● Recover Remote Data
● Backup Local Data
● Backup Remote Data
● Create Application Settings
● View Application Settings
● Change Application Settings
● Delete Application Settings
● Archive Data
That does not contain specific privileges that only arrange being allowed to delete data or change the retention. So whatever you remove, then you also remove additional permissions, not resulting in exactly what you - or rather management - wants.
Something similar goes for certain module backups that they need fairly admin-like privileges. The same goes for a user that will need to be able to perform backup/restore activities when dealing with VMware image level backups using NW vproxy approach.
JeroenCG
May 14th, 2025 12:52
@bbeckers1 Thank you for your extensive answer.
I did look in the security configuration guide and came to the conclusion that what was asked is not possible. But I wanted to make sure that I hadn't missed something. Your answer confirms that I didn't. So, again, thank you for that.