For Amanda, you would use Unix/Linux standard user/group access security approaches.
Amanda should be running as it's own user -- amanda or amandabackup, or something like that. The person responsible for the Amanda backups could have that user account password. I'm assuming they don't have root, otherwise they have access to everything.
You could also make use of sudo. On some of my servers, my boss and I are the only ones with root. Everything else is controlled by sudo. If someone needs to do a particular function, we set up just what they need, and nothing else, using sudo. Some of that is controlled by groups. We have an lpadmin group, an smbadmin group, a webadmin group. The lpadmin group can `sudo cancel jobid`, for example.