Unfortunately we cannot solve the problem using organization levels in auth.role.
If you need to only check the plant authorization for ck13n, you can modify standard program to insert the plant authorization check logic.
But I think that this method is not good.