I feel this can be handled using authorisation check itself. Please consult the option with your functional and security consultant. Perhaps use of authority object M_BEST_BSA could do the trick.
However, with authority object, since the user might have 02 (change) authorisation it might become tricky. If the above doesnt work, you can use methods of BADI ME_PROCESS_PO_CUST to control the behaviour