Authorized users and sales orders

I have set up authorized users in the workforce of the CRM module. When I do this, it limits the customers they can see. It also removes customer information from dashboards that they are not authorized to see. Somehow, the CRM authorized users can still see every sales order in the company despite it being outside of their territory. Epicor's favorite response: "it is by design". They said write a BPM and we will not help you with the BPM without charging you. Sorry for the rant.

Has anyone created a BPM to limit access to a sales order outside a sales rep's territory, or based on the user and the sales rep on the order?

Thank you.