diff --git a/README-hbacrule.md b/README-hbacrule.md
index d14692f9735cd95476122a0683b8b5a40b6338ed..a1b69877da2bb66e6b6ca54404258c8023ba060b 100644
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -138,9 +138,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacrule name strings. | yes
 `description` | The hbacrule description string. | no
-`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
-`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
-`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hbacrule. | no
 `hostgroup` | List of host group name strings assigned to this hbacrule. | no
diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py
index fd0ce238c15af5c63291b7a1ee2a7e439c5aa9e6..a0187fa0afe67b4ccc374aa6dbe9e1f562655265 100644
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -49,17 +49,17 @@ options:
 description: User category the rule applies to
 required: false
 aliases: ["usercat"]
- choices: ["all"]
+ choices: ["all", ""]
 hostcategory:
 description: Host category the rule applies to
 required: false
 aliases: ["hostcat"]
- choices: ["all"]
+ choices: ["all", ""]
 servicecategory:
 description: Service category the rule applies to
 required: false
 aliases: ["servicecat"]
- choices: ["all"]
+ choices: ["all", ""]
 nomembers:
 description: Suppress processing of membership attributes
 required: false
@@ -208,11 +208,11 @@ def main():
 # present
 description=dict(type="str", default=None),
 usercategory=dict(type="str", default=None,
- aliases=["usercat"], choices=["all"]),
+ aliases=["usercat"], choices=["all", ""]),
 hostcategory=dict(type="str", default=None,
- aliases=["hostcat"], choices=["all"]),
+ aliases=["hostcat"], choices=["all", ""]),
 servicecategory=dict(type="str", default=None,
- aliases=["servicecat"], choices=["all"]),
+ aliases=["servicecat"], choices=["all", ""]),
 nomembers=dict(required=False, type='bool', default=None),
 host=dict(required=False, type='list', default=None),
 hostgroup=dict(required=False, type='list', default=None),
diff --git a/tests/hbacrule/test_hbacrule_categories.yml b/tests/hbacrule/test_hbacrule_categories.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5f1934bc8cb2a62b40de5b0c887d1ac4c3627628
--- /dev/null
+++ b/tests/hbacrule/test_hbacrule_categories.yml
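Review bot: The three option descriptions in the `options:` hunk (`usercategory`, `hostcategory`, `servicecategory`) now accept `""` without saying what it does, and for an access rule that is presumably the difference between matching every user, host or service and matching only the listed members. Each description should spell it out, e.g. `description: User category the rule applies to. Use "" to clear the category.` The same gap exists in the argument spec in the `main()` hunk at line 208, where `default=None` and `""` are now two distinct inputs; a comment such as `# "" clears the category; None (option omitted) leaves it untouched` above `usercategory=dict(` would record that, assuming this is how the handling code treats them. That code sits in the part of `main()` outside both hunks, so whether `""` against a rule with no category set is reported as unchanged cannot be confirmed from here.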
@@ -0,0 +1,117 @@
+---
+- name: Test HBAC rule user category
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+
+ - name: Ensure HBAC rules are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - testrule
+ state: absent
+
+ - name: Ensure HBAC rule is present, with usercategory 'all'
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ usercategory: all
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with usercategory 'all', again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ usercategory: all
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rule is present, with no usercategory.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ usercategory: ""
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with no usercategory, again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ usercategory: ""
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rule is present, with hostcategory 'all'
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ hostcategory: all
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with hostcategory 'all', again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ hostcategory: all
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rule is present, with no hostcategory.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ hostcategory: ""
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with no hostcategory, again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ hostcategory: ""
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rule is present, with servicecategory 'all'
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ servicecategory: all
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with servicecategory 'all', again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ servicecategory: all
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rule is present, with no servicecategory.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ servicecategory: ""
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule is present, with no servicecategory, again.
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule
+ servicecategory: ""
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure HBAC rules are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - testrule
+ state: absent
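Review bot: Every task in this playbook asserts only on `result.changed`, so the test shows that the module reports a change when a category goes from `all` to `""`, not that the stored rule actually lost the category. For an access-control rule the resulting state is worth checking too, for example with a follow-up task that reads the rule back (`ipa hbacrule-show testrule`) and fails if the category is still `all`. The playbook also never creates a fresh rule with a category of `""`: the first `present` task always starts from `usercategory: all`, so the add path with an empty category is untested.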