What’s the correct way to implement it so that it can still be automated? Credentials that can write new backups but not delete existing ones?