But the system administrator wants the same control. Block users using the IP address
Well, that isn't going to work because, unless you create static IP assignments within the scope for each client, you don't know what IP a user has.
And if you create static IP assignments for all clients, then why use DHCP at all?
Unless you can group users who are allowed the same access into a VLAN/IP subnet, in which case you could limit control based on IP subnet, but if you want to do it on a per-user basis then using the IP address just isn't going to work.
So, if you have to move to DHCP, you need some way of authenticating users based on their credentials as opposed to their IP address.
The ASA does support AAA authentication, so that a user has to authenticate to the firewall before they get access to the internet, but only for a limited set of protocols.
That may be a solution if you only need the common applications users require and if you have a AAA server in your network.
I have never used it, so I can't say how easy it is to set up or how well it works.
Jon