
Assign address pool for webvpn on ASA

Egytax
Level 1

I need to assign an address pool for clientless VPN users so that each user gets a unique IP, rather than all being passed on using the inside interface of the ASA.

5 Replies

These configurations apply to client VPN; my inquiry is regarding clientless VPN.

@Egytax, users are not assigned an IP address when using clientless VPN; traffic is proxied by the ASA. If you want to assign an IP address to the VPN client, they will need to use the AnyConnect client. Here are 2 examples for the ASA:

https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#toc-hId-1549097668

FYI, clientless VPN has been deprecated on newer ASA versions.

Clientless VPN does not assign an IP from the ASA (local pool or via DHCP),
so you only have the public IP of the clientless user, which I think changes from time to time.
I have an idea for a solution using group-lock:
if the user is saved locally on the ASA, then we can lock it to a specific tunnel, and then use a VPN filter to permit or deny traffic to the inside.
Check this solution.

The users are saved on Active Directory and the authorization is done through ISE.