I don’t know if it’s best practice, but I’ve been using roles to manage a similar setup. Creating a role for each department and using that to scope access, etc. has been working well in our environment.
https://admin-docs.zammad.org/en/latest/manage/roles/index.html