freeipa/install/share/default-hbac.ldif

# default HBAC policy that grants permission to all services
dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
changetype: add
objectclass: ipaassociation
objectclass: ipahbacrule
cn: allow_all
accessruletype: allow
usercategory: all
hostcategory: all
servicecategory: all
ipaenabledflag: TRUE
description: Allow all users to access any host from any host
ipauniqueid: autogenerate

# default HBAC policy for pam_systemd
dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
changetype: add
objectclass: ipaassociation
objectclass: ipahbacrule
cn: allow_systemd-user
accessruletype: allow
usercategory: all
hostcategory: all
servicecategory: systemd-user
ipaenabledflag: TRUE
description: Allow pam_systemd to run user@.service to create a system user session
ipauniqueid: autogenerate