Let's think of servers as networks. Connect 3 of your networks to the switch, divide by 3 VLANs. One trunk port with access to 3 vlans and is included in the router. On the router, make the connected port a trunk, make 3 virtual interfaces under each vlan, then create 3 IP ACLs in which you allocate subnets (allowed) for each virtual VLAN interface, then create an aaa attribute list for each username, dedicated IP address or IP pool addresses to issue (you can create separately via ip local pool), not forgetting to specify that attribute type inacl IP_ACL and so on.
The idea is that each user has dedicated credentials, by which he will receive IP from one pool for each network. Therefore, he will not have access to the other two subnets at the network level.

If authorization is based on a local database, then in username vasya attributes you assign the necessary ACL to each.