Use Instance access on the order object. That's the normal way to do that. You can also use an XPath constraint on your datagrid, but then your data isn't protected and others' orders can be retrieved manually. Furthermore, it's hard to manage XPath constraints in big applications with many Order datagrids, so use Instance access if possible.
You can add an XPath constraint to the order datagrid, e.g. [PizzaMario.Order_Customer = '[%CurrentUser%]']. Now the customer can only view the orders that belong to himself.
Using only XPath isn't secure enough; the best way is to use Instance Access.
To accomplish this, you must set your Instance Access, which you adjust in the Security part of your module, like Herbert explained. Add your metaobject (e.g. "Order"). In case you want the administrator to have access to all orders, put the Administrator role under Allowed roles. Finally, set a check mark for the relation in the "Associations to System.User" field.