Hi Ken,
If you want to control which group the user is able to connect to and which one is not, you would need to use group-lock, which will restrict the user to a specific tunnel group/group policy. This is achieved based on the user credentials and the class value attributes received back from an external server (such as RADIUS, LDAP or even the internal server). Say the user belongs to the group "standard users": you place a value that matches only the standard users group policy. When the user connects and chooses ITgroup, the ASA will read the class value that the user receives back from the authentication server, and after it reads that the group policy he receives is standard users, it will check that it does not match the selected tunnel group/group policy and will fail the authentication.
You can also control what group the user connects to by giving them the specific group URL. Yet this can be bypassed.
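The group-lock setup described above, as an added ASA configuration example that is not part of the original post. The tunnel-group names (STANDARD-TG, IT-TG), group-policy names (STANDARD-GP, IT-GP), AAA server group RADIUS-SRV, the server address and the shared-secret placeholder are assumed values.

```text
! Added example, not from the original post. Names, the server address and the
! shared-secret placeholder are assumed.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.5
 key <radius-shared-secret>

! Each group policy is locked to exactly one tunnel group.
group-policy STANDARD-GP internal
group-policy STANDARD-GP attributes
 group-lock value STANDARD-TG
group-policy IT-GP internal
group-policy IT-GP attributes
 group-lock value IT-TG

! Both tunnel groups authenticate against the same RADIUS server group.
tunnel-group STANDARD-TG type remote-access
tunnel-group STANDARD-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy STANDARD-GP
tunnel-group STANDARD-TG webvpn-attributes
 group-alias StandardUsers enable

tunnel-group IT-TG type remote-access
tunnel-group IT-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy IT-GP
tunnel-group IT-TG webvpn-attributes
 group-alias ITgroup enable

! On the RADIUS server, return the IETF Class attribute (25) for members of
! the standard users group in the form the ASA maps to a group policy:
!   Class = "OU=STANDARD-GP;"
! A standard user who selects the ITgroup alias is assigned STANDARD-GP from
! the Class value; its group-lock (STANDARD-TG) does not match IT-TG, so the
! ASA rejects the login. The same user via the StandardUsers alias succeeds.
```

Because the lock is evaluated from the attribute the authentication server returns rather than from the alias or group URL the client picked, it holds even when a user knows another group's URL.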