Ah good ole security. Everyone's favorite thing! While we don't use IC as our SIS I still think concepts in security are similar even though each situation is different. I think the security architecture is probably different for everyone. I'm sure you've probably read the documentation but I would point you to these articles below. I know when I was setting up ours I read all of this info several times. We ended up using a combination of most the outlined possibilities which is probably not a good idea..ha.
We use AD and I do have the principals/ap's groups in Tableau as well as other dashboard specific groups. For us we try to use SQL Impersonation whenever possible which uses row level in the database (user to school site views) and AD groups for security to the dashboard in Tableau.
Without seeing your setup, it sounds like based on your groups in IC ("Tableau group in IC") you might be able to use dynamic User Filter as outlined in the last link I provided. As long as you have a user (principal) to campus/location/school site defined you could filter data to just their site.
I hope this helps some as security can be confusing.