Use rule to create an access control rule.

Use undo rule to remove an access control rule.

Syntax

rule [ id ] { deny | permit } group-name

undo rule id

Default

No access control rules exist.

Views

Certificate-based access control policy view

Predefined user roles



Parameters

id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range.

deny: Denies the certificates that match the associated attribute group.

permit: Permits the certificates that match the associated attribute group.

group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When you create an access control rule, you can associate it with a nonexistent certificate attribute group.

The system determines that a certificate matches an access control rule when either of the following conditions exists:

You can configure multiple access control rules for an access control policy. A certificate is compared against the rules one by one, starting with the rule that has the smallest ID. When a match is found, the match process stops, and the system performs the access control action (deny or permit) defined in the matching rule.
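The following Python model of the rule semantics above is an added example, not code from the command reference or the device: it implements default ID assignment (smallest unused ID in 1 to 16), rule removal, and first-match evaluation in ascending ID order, and generalizes the single rule in the example to a whole policy. Certificate attribute groups are assumed to be plain predicates over a certificate dictionary; their real syntax belongs to the separate pki certificate attribute-group command.

```python
MAX_RULE_ID = 16  # rule IDs run from 1 to 16


class AccessControlPolicy:
    """Model of one certificate-based access control policy."""

    def __init__(self):
        self.rules = {}  # rule id -> (action, group_name)

    def rule(self, action, group_name, rule_id=None):
        """Model 'rule [ id ] { deny | permit } group-name'."""
        if action not in ("deny", "permit"):
            raise ValueError("action must be deny or permit")
        if rule_id is None:
            # Default: the smallest unused ID in the range 1 to 16.
            rule_id = next((i for i in range(1, MAX_RULE_ID + 1)
                            if i not in self.rules), None)
            if rule_id is None:
                raise RuntimeError("all %d rule IDs are in use" % MAX_RULE_ID)
        elif not 1 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule id must be in the range 1 to 16")
        # Group names are case-insensitive; the group need not exist yet.
        self.rules[rule_id] = (action, group_name.lower())
        return rule_id

    def undo_rule(self, rule_id):
        """Model 'undo rule id'."""
        self.rules.pop(rule_id, None)

    def evaluate(self, cert, groups):
        """Compare cert against the rules in ascending ID order.

        groups maps a lower-case attribute-group name to a predicate
        cert -> bool (a stand-in for the group's attribute rules).
        Returns the first matching rule's action, or None when no rule
        matches; what the device does in that case is not described here.
        """
        for rule_id in sorted(self.rules):
            action, group_name = self.rules[rule_id]
            # Assumption: every referenced group has been defined by the
            # time evaluation happens (the page does not define matching
            # for a group that is absent).
            if groups[group_name](cert):
                return action
        return None
```

A deny rule placed at a lower ID than a broad permit rule is evaluated first, which is how a policy blocks a specific class of certificates while admitting the rest.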

Examples

# Create rule 1 to permit all certificates that match certificate attribute group mygroup.

<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

Related commands


display pki certificate access-control-policy

pki certificate attribute-group