When you create, change or delete objects in a microflow this happens from the ‘system’ context and not the user's access rules. (unless you check the “Apply Entity Access” option in your microflow properties. This is why it's working fine when you're doing stuff in the microflow.
But it won't work when you directly try and delete or create objects from the client. Because in the latter case your access rules apply and your user probably doesn't have access to the object.
Here is some documentation on the general use of access rules.
https://docs.mendix.com/refguide/access-rules
And here in specific the Apply Entity Access option.
https://docs.mendix.com/refguide/microflow#5-security-properties