Hi,
First of all, are you using any external authentication server? If yes, and if you are using servers like CPPM or NPS, we can configure something called SDR (Server Derived Role): when any user is authenticated, based on his user group (for example), the server will return a role to the controller and the controller will map that role to that user.
Ex: Dept 1 -- Allow all, Dept 2 -- Allow all except Radio.
Role 1 -- Allow all, Role 2 -- No Radio, allow all policies
Now when a user from Dept 1 logs in, the server will return a role called Role1 and the user will be allowed access as per the Role 1 policy; similarly, when a user from Dept 2 logs in, the server will return Role2 and the user will be allowed to access the network as per Role 2.
Hope this gives some more clarity; if not, please feel free to come back.