CRM order Authorization Object - Allowed Organ. Units (CRM_ORD_OE)

The below Authorization is maintained in object CRM_ORD_OE for allowing CRM orders related to service organisation “O 50005276” only to be displayed in the WEB UI for a user.

The above setting in Authorization works fine when new CRM Orders are created with populating Service Org field (field is marked in the following screenshot).

However, the authorization does not work when an Order is created without specifying Service Organisation data (Orders created without Service Org data are displayed in the WebUI). Also, the existing CRM orders in database without Service Org data (CRMD_ORDER_INDEX-SERVICE_ORG field blank) also pass the Authorization check and are also not restricted (by org. “O 50005276”).

Is there any other configuration being missed to restrict CRM orders without Service Org data (and already existing orders without Service Org data)?