Question from a customer.
Not sure but if you will prohibit for specific users editting the databases on the database management system side possibly they will not be able to modify properties and remove lineitems as well.
Seems we had a problem looking like that.
You may try with setting readonly permission for application for such user (but I don't know if that will work).
Other way is setting lineitem as Shareable but this would can be changed by the user and then he/she can delete.
Last thing that comes to my mind is a nasty (in terms of performance) database approach.
To create trigger on update of LineItems table and if Deleted column value is set to 1 and user performing operation should not be able to delete, disregard it. But this trigger will slow any activity on lineitems (as it will be fired on every update).
A bit better (in terms of performance) is having a task/service that will check and undelete lineitems deleted by users without permissions. This will also increase database traffic but if done i.e. 1-2 times per day should not be noticeable.