easiest way is to put the users in to a new provisioning group with a new desktop policy and show the buttons for deletion and allow hard deletes
On the policy that everyone else uses, hide the delete buttons, make outlook do only soft deletes.
If you wanted to go above and beyond that, you can restrict deleteo2k.asp on the /EnterpriseVault directory to deny everyone but those few users
If you wanted to go above and beyond that, you could run an EVPM script to give everyone a Deny right on their archive by targeting everyone and then remove the deny for those few users also
https://www.linkedin.com/in/alex-allen-turl-07370146