[SOLVED] Permission Role that allows backups but denies restores?

SRU

Dec 2, 2020
Hello,
Fearing ransomware attacks, I am searching for a role that allows backups but denies restores or deleting of backups – such a role does not seem to exist.
It would be fine to use:

DatastoreBackup
"Can backup and restore owned backups"

and change the owner to another API token immediately after a successful backup has been performed.
This would reduce the access rights to the expected behavior because from that point in time the backup is no longer owned.
How would I do this?
 
Datastore.backup permission does not allow backups to be deleted from PVE. The attacker would have to get PBS root credentials (or another user with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
 
Datastore.backup permission does not allow backups to be deleted from PVE. The attacker would have to get PBS root credentials (or another user with admin privileges) that allow snapshot/namespace/datastore deletion.

Which event are you trying to cover by not allowing PVE to restore backups?
I basically wanted to implement the guidelines that Azure publishes and will re-think if that is sufficient.
Thanks, Stefan
 
