You do not have a crypto ACL for remote access VPN; you have a split-tunnel ACL.
If you are trying to configure the AnyConnect client (the Cisco IPsec VPN client is already out of support) and you need different department users to have access to different applications, here is what you can do:
1. Use an authentication server like LDAP and make different groups for different users on the server.
2. Then, to whichever group the user authenticates to, assign a group-policy using an LDAP attribute map.
3. Create a NOACCESS policy so that the users who are not authenticated are not allowed to connect.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
You can configure split-tunneling for different departments in different group-policies so that the different user groups can access only certain networks.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html
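
The three steps and the per-department split-tunnel lists from the post above, put together as an ASA configuration sketch. This is an added example, not part of the original post or the linked Cisco documents; every name, DN, subnet and address in it (SPLIT-ENG, GP-FIN, DEPT-MAP, LDAP-SRV, ANYCONNECT, 192.0.2.10 and so on) is a constructed placeholder, and a Microsoft AD directory is assumed.

```cisco
! Constructed example: all names, DNs, subnets and addresses are placeholders.
! Split-tunnel ACLs, one per department
access-list SPLIT-ENG standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-FIN standard permit 10.20.0.0 255.255.0.0
!
! Step 3: default policy that refuses the session (zero logins allowed)
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Per-department policies, each with its own split-tunnel list
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ENG
!
group-policy GP-FIN internal
group-policy GP-FIN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-FIN
!
! Step 2: map LDAP group membership to a group-policy
! (older ASA releases use IETF-Radius-Class in place of Group-Policy)
ldap attribute-map DEPT-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=Engineering,OU=Groups,DC=example,DC=com GP-ENG
 map-value memberOf CN=Finance,OU=Groups,DC=example,DC=com GP-FIN
!
! Step 1: LDAP server used for authentication (AD assumed)
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map DEPT-MAP
!
! Users whose memberOf matches no map-value fall through to NOACCESS
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy NOACCESS
```

After a test login, `show vpn-sessiondb anyconnect` shows which group-policy the session received, and `debug ldap 255` shows the memberOf values the ASA got back from the server.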