rule
Use rule to create an access control rule.
Use undo rule to remove an access control rule.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No access control rules exist.
Views
Certificate-based access control policy view
Predefined user roles
network-admin
mdc-admin
Parameters
id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range.
deny: Denies the certificates that match the associated attribute group.
permit: Permits the certificates that match the associated attribute group.
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
When you create an access control rule, you can associate it with a nonexistent certificate attribute group.
The system determines that a certificate matches an access control rule when any of the following conditions exists:
The associated certificate attribute group does not exist.
The associated certificate attribute group does not contain any attribute rules.
The certificate matches all attribute rules in the associated certificate attribute group.
You can configure multiple access control rules for an access control policy. A certificate matches the rules one by one, starting with the rule with the smallest ID. When a match is found, the match process stops, and the system performs the access control action defined in the access control rule.
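The rule-evaluation behaviour described above is easy to misjudge, so here is an added Python model of it (example code, not part of the Comware software). It assumes a policy stored as a dict of rule ID to (action, group name) and reduces attribute rules to constructed predicate functions over a certificate; it shows first-match ordering and that a rule bound to a nonexistent or empty group matches every certificate.

```python
MAX_RULE_ID = 16  # rule IDs range from 1 to 16

def add_rule(policy, action, group_name, rule_id=None):
    """Add a rule to a policy dict. Without an explicit ID, use the smallest
    unused ID in 1..16, as the command reference describes."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    if rule_id is None:
        free = [i for i in range(1, MAX_RULE_ID + 1) if i not in policy]
        if not free:
            raise ValueError("no free rule ID in 1..16")
        rule_id = free[0]
    if not 1 <= rule_id <= MAX_RULE_ID:
        raise ValueError("rule ID must be in 1..16")
    # Group names are case-insensitive, so normalise them on storage.
    policy[rule_id] = (action, group_name.lower())
    return rule_id

def rule_matches(group_name, groups, cert):
    """A rule matches when its attribute group does not exist, contains no
    attribute rules, or every attribute rule in the group matches the cert."""
    attr_rules = groups.get(group_name.lower())
    if not attr_rules:           # nonexistent group OR group with no rules
        return True
    return all(check(cert) for check in attr_rules)

def evaluate(policy, groups, cert):
    """Try rules in ascending ID order; the first match decides.
    Returns (rule_id, action), or None when no rule matches."""
    for rule_id in sorted(policy):
        action, group_name = policy[rule_id]
        if rule_matches(group_name, groups, cert):
            return rule_id, action
    return None

def demo():
    """Constructed scenario: rule 1 permits 'mygroup', rule 2 (auto ID) denies
    a group that was never created, so rule 2 matches everything else."""
    policy = {}
    add_rule(policy, "permit", "mygroup", rule_id=1)
    add_rule(policy, "deny", "no-such-group")       # gets ID 2
    # Simplified stand-in for 'attribute' rules: one predicate per rule.
    groups = {"mygroup": [lambda c: "O=Example Corp" in c["subject"]]}
    inside = {"subject": "CN=alice,O=Example Corp"}
    outside = {"subject": "CN=mallory,O=Other Org"}
    return evaluate(policy, groups, inside), evaluate(policy, groups, outside)
```

Swap the rule IDs in `demo()` and the deny rule (bound to a nonexistent group) matches first for every certificate, which is the ordering pitfall to check for when reviewing a policy.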
Examples
# Create rule 1 to permit all certificates that match certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
Related commands
attribute
display pki certificate access-control-policy
pki certificate attribute-group