====== Regras HBAC ======
**Regra que dá ao grupo linuxadm acesso a todos os hosts e serviços.**
[root@sp-spo-ipa:~]# ipa hbacrule-add --hostcat=all --servicecat=all --desc='linux admins all access' linuxadm_hbac
-------------------------------
Added HBAC rule "linuxadm_hbac"
-------------------------------
Rule name: linuxadm_hbac
Host category: all
Service category: all
Description: linux admins all access
Enabled: TRUE
[root@sp-spo-ipa:~]# ipa hbacrule-add-user --groups=linuxadm linuxadm_hbac
Rule name: linuxadm_hbac
Host category: all
Service category: all
Description: linux admins all access
Enabled: TRUE
User Groups: linuxadm
-------------------------
Number of members added 1
-------------------------
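**Desabilitando a regra padrão allow_all, que dá acesso a todos os usuários.** Como a regra linuxadm_hbac já foi criada acima, o grupo linuxadm não perde o acesso; os testes com ipa hbactest a seguir confirmam que a regra continua concedendo o login.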
[root@sp-spo-ipa:~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
[root@sp-spo-ipa:~]# ipa hbactest --user=gean.martins --host=sp-spo-ipa.juntotelecom.com.br --service=ssh
--------------------
Access granted: True
--------------------
Matched rules: linuxadm_hbac
Not matched rules: allow_systemd-user
[root@sp-spo-ipa:~]# ipa hbactest --user=gean.martins --host=sp-spo-ipa.juntotelecom.com.br --service=ssh --rules=linuxadm_hbac
--------------------
Access granted: True
--------------------
Matched rules: linuxadm_hbac
[root@sp-spo-ipa:~]# ipa hbacrule-show linuxadm_hbac
Rule name: linuxadm_hbac
Host category: all
Service category: all
Description: linux admins all access
Enabled: TRUE
User Groups: linuxadm
[root@sp-spo-ipa:~]# ipa hbacrule-show linuxadm_hbac --all --raw
dn: ipaUniqueID=f7f2ba90-9525-11ea-b53c-000c29ad9330,cn=hbac,dc=juntotelecom,dc=com,dc=br
cn: linuxadm_hbac
hostcategory: all
servicecategory: all
description: linux admins all access
ipaenabledflag: TRUE
memberuser: cn=linuxadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
accessRuleType: allow
ipaUniqueID: f7f2ba90-9525-11ea-b53c-000c29ad9330
objectClass: ipaassociation
objectClass: ipahbacrule