A sub-service desk within our main Solarwinds Service Desk

Hey Steve,  you may have already gotten the direction needed for this!?  If not,  from what I see per your restrictions - you also need to add restriction at the assignee level in addition to the category and department level.  Restriction reference below is for one of my Role groups which reflects that role with restriction from reading and managing the HR category and HR group assignee incidents a- (and these restrictions should restrict the same automatically in the service catalog request as well - since all category and subcategories are built from within service desk setup to be used cross platform via portal and service catalog and regardless if a regular ticket or a service request, they all arrive in service desk platform as an "incident " per reporting.                                                                            I have built ticketing structure adding most departments for Finance, HR, Facilities, Quality Assurance and Talent Dev into our ITSM and can help you here as obviously I had to restrict HR incidents and restricted all departments to only able to see their own incidents, and have had to create additional roles for special permissions/restrictions such as a Super user role, as level below admin, and service agents are now a level below super user access due to our Service catalog being a validated process, whereas the service desk setup configuration is regulated per validation and risk assessment - Super Fun lol   Hopefully this is helpful, and assuming you've gotten what you need and have kept trucking onward- hope its at least resourceful for reference. 

Hey Steve,  you may have already gotten the direction needed for this!?  If not,  from what I see per your restrictions - you also need to add restriction at the assignee level in addition to the category and department level.  Restriction reference below is for one of my Role groups which reflects that role with restriction from reading and managing the HR category and HR group assignee incidents a- (and these restrictions should restrict the same automatically in the service catalog request as well - since all category and subcategories are built from within service desk setup to be used cross platform via portal and service catalog and regardless if a regular ticket or a service request, they all arrive in service desk platform as an "incident " per reporting.                                                                            I have built ticketing structure adding most departments for Finance, HR, Facilities, Quality Assurance and Talent Dev into our ITSM and can help you here as obviously I had to restrict HR incidents and restricted all departments to only able to see their own incidents, and have had to create additional roles for special permissions/restrictions such as a Super user role, as level below admin, and service agents are now a level below super user access due to our Service catalog being a validated process, whereas the service desk setup configuration is regulated per validation and risk assessment - Super Fun lol   Hopefully this is helpful, and assuming you've gotten what you need and have kept trucking onward- hope its at least resourceful for reference.