If you authenticate and authorise the users against LDAP or RADIUS, depending on which AD group the user is a member of, you would assign them to a specific ASA group-policy. The group-policies could be configured differently with or without split-tunneling configured.