Description of problem:
Customer would like to add AD users to HBAC rules through Web UI.

So far, while IPA users can be added to HBAC rules in Web UI, but not for AD users.

For AD users, IPA external groups need to be created to hold those AD users,
then IPA POSIX groups need to be created to hold those IPA external groups.
Then the IPA POSIX groups can be added to HBAC rules.
Customer finds the above workaround tedious.

Having this feature will make customer's life easier

Version-Release number of selected component (if applicable):
Customer uses RHEL7, which does not have this feature.

How reproducible:
Always

Steps to Reproduce:
Basically the steps in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/hbac-configure-domain#hbac-rules-ui

1. In web UI, select Policy → Host-Based Access Control → HBAC Rules
2. Click Add to start adding a new rule.
3. Enter a name for the rule, and click Add and Edit to go directly to the HBAC rule configuration page.
4. In the Who area, specify an AD user as a target user.

Actual results:
AD users cannot be added in WebUI

Expected results:
AD users should be able to be added in WebUI

Additional info:

While I am aware that the reason that we cannot add AD users directly because they don't necessary have POSIX attributes. Just hope we can automatically create corresponding IPA external groups.