Hi Patrick,
APM can easily handle authorization in addition to accounting. The easiest way to limit access to the VIP would be to create different groups on your AD server, one for each team with different levels of access. Then, in your VPE, add an AD query, and configure your VPE to make decisions based on the results of the query. That is, if a user is a member of a particular group, they can be allowed through, denied, or receive a specific message, etc.
Your iRule solution looks like it would work fine, but it might be more difficult to maintain than just directly changing your access policy. F5 has a guide on implementing AD queries if you're interested. At the end of the day it might just come down to whatever is easiest for you.
Best of luck,
Austin
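As an added illustration of the group-based approach described in the reply above (this is example code, not F5's documentation or anything posted by Austin or Patrick), the iRule below is attached to the virtual server's access policy and runs from an iRule Event agent placed after the AD Query in the VPE. It reads the memberOf attribute the AD Query stored in the session, maps group membership to a single custom session variable, and leaves the actual allow/deny branching to the VPE. The agent id `group_check`, the group DNs, and the `session.custom.access_level` variable name are assumptions for the example; substitute your own.

```tcl
# Example iRule (not from the original post): map AD group membership,
# as returned by the APM AD Query agent, to a coarse access level that
# the VPE can branch on. Attach to the VS and add an iRule Event agent
# with ID "group_check" after the AD Query in the access policy.

when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the iRule Event agent we placed in the VPE.
    if { [ACCESS::policy agent_id] ne "group_check" } {
        return
    }

    # Assumed group DNs for this example; replace with your own AD groups.
    set full_group   "CN=App-Admins,OU=Groups,DC=example,DC=com"
    set readonly_group "CN=App-ReadOnly,OU=Groups,DC=example,DC=com"

    # The AD Query agent stores multi-valued attributes as a "|"-delimited
    # string in session.ad.last.attr.memberOf.
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]

    # Default to no access: users in neither group fall through to the
    # deny branch in the VPE. Most-privileged group wins if a user is in both.
    set level "none"
    if { [string match -nocase "*${full_group}*" $groups] } {
        set level "full"
    } elseif { [string match -nocase "*${readonly_group}*" $groups] } {
        set level "readonly"
    }

    # Store the result so a VPE branch rule can test it, e.g.
    #   expr { [mcget {session.custom.access_level}] eq "full" }
    ACCESS::session data set "session.custom.access_level" $level

    # Optional: record the decision for accounting/troubleshooting.
    log local0. "APM group check for [ACCESS::session data get session.logon.last.username]: level=$level"
}
```

In the VPE, add two branch rules after the iRule Event agent, one testing for `full` and one for `readonly`, and send the fallback branch to Deny. Because the policy only consumes one variable, adding a new team later means adding one `elseif` and one branch rather than rewriting the logic, which narrows the maintenance gap Austin points out between an iRule and editing the access policy directly.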