Hi
there are various ways to achieve this ...
you can use the organization authorization to restrict the messages or partner function authorization object
CRM_ORD_LP
http://wiki.sdn.sap.com/wiki/display/SMAUTH/CRM_ORD_LP
for other related objects
http://wiki.sdn.sap.com/wiki/display/SMAUTH/Application+Incident+Management
hope this helps
Regards
Prakhar