Check in SEAM's 2.0 for JpaPermissionStore(), Identity.hasPermission(), Identity.hasRole(), those doesnt use drools.
Im not sure if they appeared in such version or later.
seams's Identity.hasPermission() are with parameters and these parameters are like action , name which internally checks at security rules. This way we can't achieve since it involves rules.
I dont understand what you want.
What you describe in your post is a simple user / role / permission scneario.
What you mean with "This way we can't achieve since it involves rules"?
After all you have some sort of rules to follow to acomplish what you want.
Show/hide a "delete button" should be as simple as: