Predefined user roles
network-admin
Parameters
id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest
unused ID in this range.
deny: Denies the certificates that match the associated attribute group.
permit: Permits the certificates that match the associated attribute group.
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31
characters.
Usage guidelines
When you create an access control rule, you can associate it with a nonexistent certificate attribute
group.
The system determines that a certificate matches an access control rule when any of the following
conditions exists:
• The associated certificate attribute group does not exist.
• The associated certificate attribute group does not contain any attribute rules.
• The certificate matches all attribute rules in the associated certificate attribute group.
You can configure multiple access control rules for an access control policy. A certificate is compared
against the rules one by one, starting with the rule that has the smallest ID. When a match is found,
the match process stops, and the system performs the access control action defined in that rule. Because
a rule whose attribute group does not exist or is empty matches every certificate, a permit rule that
references a group not yet created (or a misspelled group name) permits all certificates.
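The following Python model of the matching behavior described above is an added example; it is not code from the HPE/H3C documentation or from the device. It assumes an attribute-rule shape of field, operator ("ctn", "nctn", "equ", "nequ") and value, certificate field names such as "subject-name" and "issuer-name", and an implicit deny when no rule matches; the sample groups, rules and certificates are constructed. It shows the three match conditions, the smallest-ID-first ordering, and the effect of a permit rule bound to a nonexistent group.

```python
from dataclasses import dataclass


@dataclass
class AttributeRule:
    """One attribute rule inside a certificate attribute group (assumed shape)."""
    cert_field: str  # e.g. "subject-name" or "issuer-name" (assumed field names)
    op: str          # "ctn" (contains), "nctn" (not contains), "equ" (equals), "nequ"
    value: str

    def matches(self, cert: dict) -> bool:
        actual = cert.get(self.cert_field, "")
        if self.op == "ctn":
            return self.value in actual
        if self.op == "nctn":
            return self.value not in actual
        if self.op == "equ":
            return self.value == actual
        if self.op == "nequ":
            return self.value != actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class AccessRule:
    """One access control rule: 'rule <id> { permit | deny } <group-name>'."""
    rule_id: int   # 1..16; rules are tried in ascending ID order
    action: str    # "permit" or "deny"
    group: str     # name of the associated certificate attribute group


def evaluate(rules, groups, cert):
    """Return (action, matched_rule_id) for cert under this policy."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        attrs = groups.get(rule.group)
        # Conditions 1 and 2: a nonexistent or empty attribute group matches
        # every certificate, so the rule fires unconditionally.
        if not attrs:
            return rule.action, rule.rule_id
        # Condition 3: every attribute rule in the group must match.
        if all(a.matches(cert) for a in attrs):
            return rule.action, rule.rule_id
    # Assumption of this model: no matching rule means the certificate is denied.
    return "deny", None


# Constructed sample data (not from the page).
GROUPS = {
    "mygroup": [AttributeRule("subject-name", "ctn", "OU=Ops"),
                AttributeRule("issuer-name", "equ", "CN=Example CA")],
    "contractors": [AttributeRule("subject-name", "ctn", "OU=Contractors")],
}
OPS_CERT = {"subject-name": "CN=alice,OU=Ops,O=Example",
            "issuer-name": "CN=Example CA"}
CONTRACTOR_CERT = {"subject-name": "CN=bob,OU=Contractors,O=Example",
                   "issuer-name": "CN=Example CA"}
OTHER_CA_CERT = {"subject-name": "CN=eve,OU=Ops,O=Example",
                 "issuer-name": "CN=Other CA"}
CERTS = (OPS_CERT, CONTRACTOR_CERT, OTHER_CA_CERT)


def policy_example():
    """'rule 1 permit mygroup' as on the page: only mygroup certificates pass."""
    rules = [AccessRule(1, "permit", "mygroup")]
    return [evaluate(rules, GROUPS, c) for c in CERTS]


def policy_with_typo():
    """A permit rule bound to a misspelled (nonexistent) group permits everything."""
    rules = [AccessRule(1, "permit", "mygrpup")]
    return [evaluate(rules, GROUPS, c) for c in CERTS]


def policy_deny_first():
    """Smallest ID wins: rule 1 denies contractors before rule 2 permits mygroup."""
    rules = [AccessRule(2, "permit", "mygroup"), AccessRule(1, "deny", "contractors")]
    return [evaluate(rules, GROUPS, c) for c in (OPS_CERT, CONTRACTOR_CERT)]


if __name__ == "__main__":
    print("page example :", policy_example())
    print("typo in group:", policy_with_typo())
    print("deny first   :", policy_deny_first())
```

The second function is the case to watch for operationally: because a rule whose group does not exist matches unconditionally, creating the permit rule before the attribute group (or misspelling the group name) leaves the policy permitting every certificate until the group exists and has attribute rules. Check the bound group names with display pki certificate access-control-policy after configuring rules.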
Examples
# Create rule 1 to permit all certificates that match certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
Related commands
attribute
display pki certificate access-control-policy
pki certificate attribute-group
source
Use source to specify the source IP address for PKI protocol packets.
Use undo source to restore the default.
Syntax
source { ip | ipv6 } { ip-address | interface interface-type interface-number }
undo source
Default
The source IP address of PKI protocol packets is the IP address of their outgoing interface.
Views
PKI domain view