You can of course do all the logic in the templates but this is not the way to do it.
IMHO the best way would be to set up user groups according to departments and give them specific rights. I would use object states to distinguish between Departments and Sections. The only problem is with user/register which should be tweaked so user can choose user group where he wants (by default user group is defined in ini per siteaccess).
Doing it this way you will have clear and easy management of user rights through administration interface. You can easy expand policies and manage Departments and Sections.