so, after disabling the `allow_all` I'm having issues... this user is allowed in the `deepcore-bastion` rule, but he's getting denied:
[root @ ldap01] ~ $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh --------------------- Access granted: False --------------------- Not matched rules: admins_allow_all Not matched rules: allow_systemd-user Not matched rules: cpaac-bastion Not matched rules: darc_admins_hbac Not matched rules: deepcore-bastion Not matched rules: shared-services-hbac