How to prevent static ip address users with exceptions?

Some IP address have more privelegies, than other. So I want prevent users from change his IP addresses with hands. But not all.
For examle I have address pools:
WIFI - one security level,
VPN - second security level
Local - third security level

If users from Local pool, change address to WIFI or VPN pools they can get access to some restricted resources.

If each address pool is associated to only one interface then a user who changed their address to the other IP subnet would not be able to reach their gateway so they would have no access. If these addresses are bridged together then you may have to do your security matching based upon MAC address.