[Freeipa-users] IPA filters not working

Hello, I have setup a bastion host with an IPA client in order to control access to the bastion host by groups. I have users in different groups, but I just got word that people outside the group / HBAC rule can access and login with their IPA credentials. Everything seems okay with the configuration. I have uninstalled and re-installed the client, generating a new SSSD config file, yet the user still accessing the bastion host. Thoughts?