from: ipa hbacrule-find
```
$ ipa hbacrule-find
--------------------
7 HBAC rules matched
--------------------
Rule name: admins_allow_all
Host category: all
Service category: all
Enabled: True
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: True
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system user session
Enabled: True
Rule name: cpaac-bastion
Service category: all
Description: Allow users to ssh into cpaac bastion
Enabled: True
Rule name: darc_admins_hbac
Service category: all
Enabled: True
Rule name: deepcore-bastion
Enabled: True
Rule name: shared-services-hbac
Service category: all
Description: HBAC for access to the shared-services host server group servers
Enabled: True
----------------------------
Number of entries returned 7
----------------------------
```
for the test user:
```
$ ipa hbactest --user vi031827 --host cpaac-bastion --service ssh
--------------------
Access granted: True
--------------------
Matched rules: admins_allow_all
Matched rules: allow_all
Not matched rules: allow_systemd-user
Not matched rules: cpaac-bastion
Not matched rules: darc_admins_hbac
Not matched rules: deepcore-bastion
Not matched rules: shared-services-hbac
```
even though that user is not part of the `cpaac-bastion` rule, he is still getting access
that's the one I don't get.