Forum Discussion

matm_58717
Feb 15, 2017

Problems comparing memberof variable

Hi,

We have APM provisioned and are trying to use an iRule to discard the connection if the session.ldap.last.attr.memberOf variable contains a certain value. This is the iRule:


when ACCESS_POLICY_COMPLETED {
set aux 0
if{[ACCESS::session data get "session.ldap.last.attr.memberOf"] contains "TEST" } {
$aux = 1
}
}
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
            "/URI_A/*" {
                        pool /Common/P-URI_A                                
                        }
            "/URI_B/*" {
                        pool /Common/P-URI_B
                        }
            "/URI_C/*" {
                        pool /Common/P-URI_C
                        }
            "/URI_D/*" {
                        pool /Common/P-URI_D
                        }
            "/URI_E/*" {
                        if{($aux == 0)}{
                        discard
                        }
                        }
            default {
                        pool /Common/P-URI_DEFAULT
                        }
            }
}

The if{[ACCESS::session data get "session.ldap.last.attr.memberOf"] contains "TEST" } inside the ACCESS_POLICY_COMPLETED event reports this error:

Feb 15 11:37:36 slot3/DEVICENAME err tmm1[30518]: 01220001:3: TCL error: /Common/IRULE_TEST  - invalid command name "if{| CN=XXXX,OU=XXXX,OU=XXXX,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXXX,DC=XXXX | CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX |

We have several doubts:

Which event runs first (HTTP_REQUEST or ACCESS_POLICY_COMPLETED)? Why doesn't the "if" work? Is it because of the type of the variable?

Thanks!!

1 Reply

  • JG

    Try this one:

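    when ACCESS_ACL_ALLOWED {
        # Read the memberOf attribute that the LDAP query stored in the session
        set aux "[ACCESS::session data get session.ldap.last.attr.memberOf]"
        # Reduce it to a flag: 1 if the value contains "TEST", otherwise 0
        if { $aux contains "TEST" } {
            set aux 1
        } else {
            set aux 0
        }

        # Select the pool by URI prefix
        switch -glob [HTTP::uri] {
            "/URI_A/*" {
                pool /Common/P-URI_A
            }
            "/URI_B/*" {
                pool /Common/P-URI_B
            }
            "/URI_C/*" {
                pool /Common/P-URI_C
            }
            "/URI_D/*" {
                pool /Common/P-URI_D
            }
            "/URI_E/*" {
                # Discard the request when the flag is 0
                if { $aux == 0 } {
                    discard
                }
            }
            default {
                pool /Common/P-URI_DEFAULT
            }
        }
    }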
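
The substring test `contains "TEST"` used in the thread is true for any memberOf value that merely includes those letters, for example in another group's name or in an OU. As an added example (not part of the thread and not F5 code), this plain-Tcl block splits the value on the "|" separators visible in the logged error and compares each group's CN exactly; the proc names and the sample DNs are constructed for illustration.

```tcl
# Added example, plain Tcl (runs under tclsh); not code from the thread.
# Assumption: memberOf is a list of DNs separated by "|", as in the logged error.
# Limitation: DNs containing escaped commas (\,) or a literal "|" are not handled.

# Return the non-empty, trimmed DNs found in a memberOf string.
proc member_dns {memberof} {
    set dns {}
    foreach part [split $memberof "|"] {
        set dn [string trim $part]
        if {$dn ne ""} {
            lappend dns $dn
        }
    }
    return $dns
}

# Return the CN value of a DN's first RDN, or "" if it does not start with CN=.
proc leading_cn {dn} {
    set rdn [string trim [lindex [split $dn ","] 0]]
    if {[string match -nocase "CN=*" $rdn]} {
        return [string range $rdn 3 end]
    }
    return ""
}

# Return 1 if any group's CN equals $group (case-insensitive), otherwise 0.
proc in_group {memberof group} {
    foreach dn [member_dns $memberof] {
        if {[string equal -nocase [leading_cn $dn] $group]} {
            return 1
        }
    }
    return 0
}

# Constructed sample values (hypothetical directory layout).
set member    "| CN=TEST,OU=Groups,DC=example,DC=com | CN=Users,OU=Groups,DC=example,DC=com |"
set lookalike "| CN=TEST-Readers,OU=Groups,DC=example,DC=com | CN=Staff,OU=TEST,DC=example,DC=com |"

puts "exact match, real member:  [in_group $member TEST]"
puts "exact match, lookalike:    [in_group $lookalike TEST]"
# string first is the plain-Tcl equivalent of the iRule "contains" operator.
puts "substring match, lookalike: [expr {[string first TEST $lookalike] >= 0}]"
```

For the second constructed string the substring check reports a match while `in_group` does not. In an iRule the input would be the value returned by the `ACCESS::session data get` call shown in the thread.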