[Freeipa-users] sftp HBAC

Try to make this simple. Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a server. Have the "Via Service" set to "sshd". The user can ssh into the server no issue. I want to limit this user to only being able to sftp into this server (no direct ssh). If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp. I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de... but that didn't seem to work. Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?