Segmenting your network into VLANs (virtual LAN’s; the term used for a “group” on a LAN) can allow you to limit access to certain services by what port they physically plug into, but that’s not going to be granular and is more just a first level of seperation if you really need that security.
What is more common is using an identity system and restricting access by having people identify themselves. This is what happens when you start up your Windows boxes and it asks you for a username/password. If you’re in a Workgroup, each computer acts as its own identity system requiring you to explicitly have each person defined on each computer seperately.
By introducing an identity authority such as Active Directory, your computers trust a central authority (like a Domain Controller) to identify people. Most applications (resources) are aware of systems like Active Directory and allow you to place user’s accounts into specifc groups to have access to it, but you will have to talk to who manages your resources to determine if they support it or not.
AD will probably do what you are looking for, but without a little more details we can’t say for certain.