Replace create/delete with auto-generated microflows and deprecate allow/delete rights

A common vulnerability in Mendix apps is that users have the right to create and delete entities bypassing possible validations and business logic if a user with malicious intent calls those via the XAS API. 

The main use case for "Allow creating new objects" and "Allow deleting existing objects" to be set in access rules are the use of the default Create / Delete buttons for a quick setup. Once a developer replaces those buttons with more complex microflow logic, it is often forgotten to withdraw these rights again. Sometimes novel developers also tend to set these rights "just in case" or because they think it is also required if you create or delete in microflows.

Solution:

• If a developer selects a Create or Delete button, ask if microflows to Create and Delete an object should be autogenerated or an existing microflow should be used. Remove the functionality behind those buttons to call Create / Delete via XAS and call the selected (autogenerated) microflow instead. 
• Remove "create" and "delete" rights via XAS or at least make it "harder" to activate them (hiding, warnings, etc.) 

This idea relates to this post, but actually goes one step further by entirely replacing the create/delete buttons with microflows.