I don't know what you really need. In my customer's case there are departments all over their biggest location and there is no limit to which switch they connect to; it depends on their end-system group. So a client of end-system group "A" will always be authenticated to the same VLAN regardless of which switch they are connected to, except when the switch is in a different location (where we have a different VLAN infrastructure).
I would recommend that you create an Excel sheet where you define which user groups (end-system groups) are allowed to move between locations and to which VLAN they should be authenticated.
Per VLAN you need one rule matrix entry; that does not depend on zone management. Zones can additionally be added to each rule matrix entry. You only have to create and define the zones and the users/groups that should be able to manage them, and add this to the rule-matrix entry where they are authenticated.
Do you have different "managers" for clients within the same VLAN? Then I would understand what you mean, but if different "managers" have to admit different VLANs, this is really easy.
If you need more details please contact me directly. 🙂