
I want to have the following requirements for my server VM's incoming SSH/SFTP connections at the same time. Please note that I don't want to restrict the incoming IPs, so I want to open the port for any IP but have restrictions as follows:

1) I want to deny any incoming ssh connection to my VM (except, let's say, for one user with username "MyVMAdmin").

2) At the same time I want to enable sftp (only sftp, not ssh) for a group of users (let's say "user1", "user2", and "user3").

Can anyone help with what config modifications I need to make?

Thanks

1 Answer


"man sshd_config" will show you the settings you need to change in the sshd config file (typically /etc/ssh/sshd_config).

AllowUsers lets you specify which users should be allowed to ssh. That should take care of your first requirement.

AllowGroups lets you specify which groups should be allowed to log in. That would take care of your second requirement, except that it will conflict with your first requirement.

I think the simplest way around this contradiction is to run two ssh daemons - one on the usual port 22, with sftp disabled, that has your desired AllowUsers setting, and the other on another port number, that only allows sftp, and that one has your desired AllowGroups setting.

Of course, it's a pain to run two daemons, but it turns out sshd supports another choice. Read up on the "Match" option, like the examples here. You can set up a "Match" block to match by either user or group. When the user or group is matched, new configuration options get turned on for that session. This is a little tricky, but it looks like the "ForceCommand" setting in the "Match" block, possibly along with "ChrootDirectory", can be used to redirect a particular group to a special in-process sftp server.

If you're going to use the "Match" option, make sure to test all the possible scenarios to make sure you're really limiting users the way you intend to. The two-daemon option is much safer if you can't afford any mistakes (i.e. if it would be a disaster if the wrong users got access to the command line or the SFTP server).
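As an added example (not part of the answer above), here is what the single-daemon "Match" approach looks like in practice, together with the check the answer recommends. It assumes a group named "sftponly" containing user1, user2 and user3 (MyVMAdmin must not be in it, or the Match block would trap the admin too), a chroot base of /srv/sftp, and OpenSSH 6.x or later for `sshd -T -C`. The fragment resolves the AllowUsers/AllowGroups conflict by listing everyone who may authenticate in one AllowUsers line and leaving the sftp restriction to the Match block.

```shell
#!/bin/sh
# Added example: an sshd_config fragment that allows one shell admin and
# forces a group into the in-process sftp server, plus a way to verify
# what sshd will actually apply for a given user. Names (sftponly,
# /srv/sftp) are assumptions, not from the original question or answer.

# Emit the fragment from a function so it can be inspected and tested
# without touching the live /etc/ssh/sshd_config.
sftp_only_config() {
cat <<'EOF'
# Who may authenticate at all. sshd processes DenyUsers, AllowUsers,
# DenyGroups and AllowGroups in that order and a login must pass every
# list that is set, so listing the admin here and the sftp users in
# AllowGroups would lock each side out; one AllowUsers list avoids that.
AllowUsers MyVMAdmin user1 user2 user3

# Everything below applies only to sessions whose user is in "sftponly".
# Match blocks run to the end of the file, so keep this last.
Match Group sftponly
    # No shell or remote command; the built-in sftp server handles the session.
    ForceCommand internal-sftp
    # The chroot (and every parent) must be owned by root and not
    # group/world writable; give each user a writable subdirectory inside it.
    ChrootDirectory /srv/sftp/%u
    # Close the side channels a forced command would otherwise leave open.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
EOF
}

# Ask sshd for the effective configuration of one user, exactly as it would
# be applied at login. This is how to "test all the possible scenarios":
# run it once per user type and confirm the forcecommand/chrootdirectory
# lines appear only for the sftp users. Skipped when sshd is not installed.
effective_config() {
    user="$1"
    cfg="$2"
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping"; return 0; }
    sshd -t -f "$cfg" || return 1
    sshd -T -f "$cfg" -C "user=$user,host=client.example,addr=203.0.113.5" \
        | grep -Ei '^(allowusers|forcecommand|chrootdirectory|permittty|allowtcpforwarding) '
}

# Usage: write the fragment to a scratch file and compare the two user types.
tmpcfg="$(mktemp)"
sftp_only_config > "$tmpcfg"
for u in MyVMAdmin user1; do
    echo "== effective settings for $u =="
    effective_config "$u" "$tmpcfg" || echo "config check failed for $u"
done
rm -f "$tmpcfg"
```

To deploy, append the fragment to /etc/ssh/sshd_config (Match block last), create the group and the root-owned chroot directories, run `sshd -t`, and only then reload sshd; keep an existing admin session open while you confirm that MyVMAdmin still gets a shell and that user1 gets nothing but sftp.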

