Forum Discussion
access policy to check for AD group membership based on URI
Hi. Trying to check for AD group membership to allow access to URL based on a string in the URI.
In the Look for Login box, I'm using the branch rule `expr {[mcget {session.server.landinguri}] contains "/login.html"}`. I've tried several others, but it doesn't restrict based on AD group. Any ideas? Thanks
The variable "session.server.landinguri" will contain the first URI that triggered the access policy, and will not change each time you visit a new URI, so if you requested /home then /login, the first one will be your landing URI, the one that caused the creation of an APM session.
You should use another method to apply rules selectively depending on the requested URI, for example a per-request policy: Adding a URL branching rule (f5.com)
You can attach a layer 7 ACL, so after the access policy evaluation is done, users that are not in the AD group will be blocked for some URLs.
https://my.f5.com/manage/s/article/K08200035
You can also see the link below: if you do not decrypt the traffic, FQDN domains or SSL SNI with an iRule/local traffic policy can be used, or a per-request policy that will check each request:
https://community.f5.com/t5/technical-forum/l7-https-acl-with-apm-ssl-vpn-not-working/td-p/207920
Edit:
You can also use the per-request policy to trigger an iRule that will get the session group membership and block users if they do not have the group but are trying to reach the destination FQDN/SNI, or the URL if you are decrypting the traffic and this is not a VPN APM implementation (for VPN/Portal you will need a layered VS: https://my.f5.com/manage/s/article/K03113285).
https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/apm/apm_policy_agent_irule-event.html
- T-TrustCirrostratus
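As an added illustration of the per-request-policy approach described in the answer above (this is example code, not part of the thread and not F5's own sample), the iRule below is written for the per-request policy iRule Event agent. It assumes an AD Query agent in the access policy has already populated `session.ad.last.attr.memberOf`, and the agent ID `check_ad_group`, the group `CN=WebAppUsers`, the protected prefix `/login` and the branch values `allow`/`deny` are constructed placeholders to be matched to your own policy.

```tcl
# Added example: per-request policy iRule Event agent that allows a request to
# the protected URI prefix only when the user's AD groups include the required
# group. Assumed/placeholder values: agent ID "check_ad_group", group DN fragment
# "CN=WebAppUsers", protected prefix "/login", branch results "allow" and "deny".
when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Only act for the agent instance this iRule is intended for
    if { [ACCESS::perflow get perflow.irule_agent_id] ne "check_ad_group" } {
        return
    }

    # memberOf is set by the AD Query agent in the access (session) policy;
    # multi-valued attributes are typically joined with " | ". Lower-case both
    # sides so the DN comparison is case-insensitive.
    set groups [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]
    set uri    [string tolower [HTTP::uri]]

    # Default: requests outside the protected prefix are not restricted here
    set result "allow"

    if { $uri starts_with "/login" } {
        if { $groups contains "cn=webappusers" } {
            set result "allow"
        } else {
            set result "deny"
            log local0. "APM: denied [ACCESS::session data get session.logon.last.username] for $uri (missing group)"
        }
    }

    # The per-request policy branches on this value (allow/deny branch rules)
    ACCESS::perflow set perflow.irule_agent_result $result
}
```

Because this runs on every request rather than once at session creation, it checks the URI actually being requested instead of `session.server.landinguri`, which is the point the first answer makes. The `deny` branch in the per-request policy should then end in a Reject ending.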
Hi dcarterjr,
So I think the first step is to try to log in, then go to the session overview and click the session variables to see which expression matches landinguri.
Have you looked at ACLs?
You can create one and set it on authorisation.