Binding Workflows to specified Help-Desk Sites


I've got the following setup:

1 Domain connection

2 different user scopes identified via AD group membership

Different workflows for the different user scopes

I want to set up 2 different Self-Service Sites. One site should be able to do all the workflows built in both user scopes. The other Self-Service Site should only be able to use the workflows of one user scope; the other one should not be usable in this Self-Service Site.

Any idea how to build this setup?

P.S. One group of users has a 2FA token and one does not. Only the group with the 2FA token should be able to use the workflows through the Internet (one of the Self-Service Sites), and the other should not. On the other hand, both groups should be able to use the workflows via LAN (second Self-Service Site).