Hi Ravi,
Yes, You are right. SOST is a administrator tcode and you could not restrict it via auth. objects/values. That's the reason we used SOSB & SOSG to restrict the SOST transaction.
836463 SOSB/SOSG: Displaying/hiding functions (if you are above 640 this note is already present)
If you want a user is only allowed to select send requests of certain users or groups, you can use transaction SOSG. This is same as SOST, but it performs authorization check in object S_OC_SOSG instead of S_OC_ROLE. Again if you want a user to be able to only select their own send requests then use SOSB.
So I prefer to use SOSG, where the authorization object S_OC_SOSG have three fields, which you can maintain as per your requirement.
CLASS User group in user master maintenance
USER User Name in User Master Record
SENDER Authorization for displaying send requests for particular
users/user groups.
Regards,
Rafikul