You may need to add explicit deny access records for the other roles.
Alternatively, I think you can achieve the functionality you are after using the object permissions. In the AdminUI, navigate to Configure > Roles and Permissions > [Role to configure] > ServiceReqTemplate.
You can set what records can be updated/viewed (expressions are supported).
To test, I made an entry to deny access to the 'Ordering' offering (using the RecId). It no longer appears for the Self Service User:
If I attempt to access a previously created 'Ordering' request, I am presented with an error (worth noting, this may or may not be preferred for your setup):
Hope this helps