dynamic ACL for remote vendors

I am trying to learn about setting up ACLs for remote users. We have multiple vendors who remote in to connect to PLCs or remote machines and I want to restrict their logon to only that machine.

I am a bit confused about where to place the ACL. We authenticate against AD, so I think I read that I need to put the ACL in an AD attribute. Is this the direction I should read up on? I have this https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-1-0/apm_config_resources.html147209 In what attribute do I place the ACL?