The only restricting you can do is with ACS. With ACS, you can restrict certain LMS users to only being able to access certain devices. This is done by creating NDGs within ACS, then attaching the ACS users to those NDGs for LMS roles.
However, you cannot limit access to a specific VLAN or interface on a switch (without using something like VRFs on the device). LMS + ACS will only give you device-level access.