This seems to be more of a policy question than a technical one. From a best practices standpoint, the rule of "least privilege" seems pretty straightforward. Users in certain divisions, business groups and organizations should only have rights to those shares. Beyond that, the ability to create, delete, modify and so forth, should be determined by business and regulatory policy. Is your business required to archive documents? Respond to inquiries or legal disclosures? If so, there should be an overall policy determined by management, not the IT group, to determine what can be deleted, by whom and under what circumstances. If I were in your shoes, this would trouble me greatly. I would certain discuss this with my management. At the very least, I would make a record of notifying management, and save it - just in case someone decides to hold me accountable.

This seems to be more of a policy question than a technical one. From a best practices standpoint, the rule of "least privilege" seems pretty straightforward. Users in certain divisions, business groups and organizations should only have rights to those shares. Beyond that, the ability to create, delete, modify and so forth, should be determined by business and regulatory policy. Is your business required to archive documents? Respond to inquiries or legal disclosures? If so, there should be an overall policy determined by management, not the IT group, to determine what can be deleted, by whom and under what circumstances. If I were in your shoes, this would trouble me greatly. I would certain discuss this with my management. At the very least, I would make a record of notifying management, and save it - just in case someone decides to hold me accountable.