You have 3 buildings, all with different SSIDs, and you do not want roaming.
You first need to go to your configuration and AP configuration and create a group for each building.
Create your SSIDs for each AP group with the appropriate authentication information (RADIUS).
- If you want to give more granular access per building (departments/users/groups) you can create specific "server groups" in the Security/Authentication/Server Group. And then you can pull the filter ID from your RADIUS server based on AD group membership and apply a role based on just about anything. Pay close attention to order as it is first come first serve...
Once you have your authentication scenarios down, throw a single testing AP into your selected groups for testing (this is done through the Configuration/AP Installation). Here you can set up provisioning settings on a per AP basis, where you can change the AP group the device belongs to.
This is a very "high level" explanation, but should get you started. Obviously test in a small controlled environment before going live with such a major change.
-Dan
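
The point about rule order in the post above, as an added example that is not part of the original post and is not Aruba's code: a simplified Python model of first-match role derivation from a RADIUS Filter-Id, with a check for rules that can never fire because an earlier rule already covers them. The operators, Filter-Id values, role names and the `guest` default are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    op: str       # "equals", "starts-with" or "contains"
    operand: str  # compared against the Filter-Id returned by RADIUS
    role: str     # role applied when this rule matches

def matches(rule, filter_id):
    if rule.op == "equals":
        return filter_id == rule.operand
    if rule.op == "starts-with":
        return filter_id.startswith(rule.operand)
    if rule.op == "contains":
        return rule.operand in filter_id
    raise ValueError(f"unknown operator: {rule.op}")

def derive_role(rules, filter_id, default_role="guest"):
    """First match wins: later rules are never consulted once one matches."""
    for rule in rules:
        if matches(rule, filter_id):
            return rule.role
    return default_role

def covers(earlier, later):
    """True when every Filter-Id matching `later` also matches `earlier`."""
    if earlier.op == "equals":
        return later.op == "equals" and later.operand == earlier.operand
    if earlier.op == "starts-with":
        return (later.op in ("equals", "starts-with")
                and later.operand.startswith(earlier.operand))
    return earlier.operand in later.operand  # earlier.op == "contains"

def shadowed_rules(rules):
    """Return (shadowed_index, shadowing_index) pairs for unreachable rules."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                found.append((i, j))
                break
    return found

# Constructed rule sets: the broad building rule placed first hides the IT rule.
BAD_ORDER = [
    Rule("starts-with", "bldg1", "bldg1-staff"),
    Rule("equals", "bldg1-it-admins", "bldg1-it"),
    Rule("contains", "contractor", "restricted"),
]
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0], BAD_ORDER[2]]
```

The check only reports rules that are fully hidden; a partial overlap such as a `bldg1-contractor` Filter-Id still lands on the broad building rule in either order, so overlapping patterns need a manual review as well.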