Below is my setup with VPN.
1. Cisco ASA5525-X running 6.6.1 code with AnyConnect Essentials license
2. Internet Authentication Service (IAS) running on Windows 2008 server with Active Directory
3. 100+ VPN users. I can divide them into 5 categories: Admins, Employees, Vendors (each vendor with different access), Customers (each customer with different access)
Some people say the best approach is DAP, while some say group policies. However, I have yet to come across an example config that shows how you can really limit the access via group membership on AD or any other method.