Couldn't you have a service which checked you were allowed to delete something, then handed a deletion order back (essentially a signed xml blob) which would then get passed on to the actual deletion service (and here validated)? That way no issue with scalable architecture and no issue with hacks like this.