Predefined user roles
network-admin

Parameters
id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range.
deny: Denies the certificates that match the associated attribute group.
permit: Permits the certificates that match the associated attribute group.
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines
When you create an access control rule, you can associate it with a nonexistent certificate attribute group.
The system determines that a certificate matches an access control rule when any of the following conditions exists:
• The associated certificate attribute group does not exist.
• The associated certificate attribute group does not contain any attribute rules.
• The certificate matches all attribute rules in the associated certificate attribute group.
You can configure multiple access control rules for an access control policy. A certificate is compared against the rules one by one, starting with the rule with the smallest ID. When a match is found, the match process stops, and the system performs the access control action defined in the access control rule.

Examples
# Create rule 1 to permit all certificates that match certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

Related commands
attribute
display pki certificate access-control-policy
pki certificate attribute-group

source
Use source to specify the source IP address for PKI protocol packets.
Use undo source to restore the default.

Syntax
source { ip | ipv6 } { ip-address | interface interface-type interface-number }
undo source

Default
The source IP address of PKI protocol packets is the IP address of their outgoing interface.

Views
PKI domain view
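The matching behavior in the usage guidelines for access control rules means that a permit rule whose attribute group is missing or empty matches every certificate. The following model of that logic is an added example, not vendor code. It represents attribute rules as hypothetical Python predicates over constructed certificate fields, and the group names other than mygroup are made up for the illustration.

```python
# Added illustration: a model of the rule-matching logic in the usage guidelines.
# Attribute rules are modelled as hypothetical predicates over a dict of
# certificate fields; the device's attribute-rule syntax is not shown on this page.

def rule_matches(cert, group_name, groups):
    """A certificate matches if the group is missing, empty, or fully satisfied."""
    attr_rules = groups.get(group_name.lower())  # group names are case-insensitive
    if attr_rules is None:   # the associated group does not exist
        return True
    if not attr_rules:       # the group contains no attribute rules
        return True
    return all(pred(cert) for pred in attr_rules)

def evaluate(cert, policy, groups):
    """Walk rules in ascending ID; the first match decides. Returns (id, action)."""
    for rule_id in sorted(policy):
        action, group_name = policy[rule_id]
        if rule_matches(cert, group_name, groups):
            return rule_id, action
    return None  # the page does not state the outcome when no rule matches

def audit(policy, groups):
    """List permit rules that match every certificate (group missing or empty)."""
    return [rid for rid in sorted(policy)
            if policy[rid][0] == "permit"
            and not groups.get(policy[rid][1].lower())]

# Constructed sample data: one attribute group and two certificates.
GROUPS = {"mygroup": [lambda c: c["issuer_cn"] == "Corp CA",
                      lambda c: c["subject_ou"] == "vpn"]}
GOOD = {"issuer_cn": "Corp CA", "subject_ou": "vpn"}
ROGUE = {"issuer_cn": "Other CA", "subject_ou": "vpn"}

# Rule 2 points at a group that does not exist, so it matches everything
# that rule 1 did not: a catch-all deny.
INTENDED = {1: ("permit", "mygroup"), 2: ("deny", "catchall")}
# Same policy with the group name mistyped in rule 1.
TYPO = {1: ("permit", "mygrup"), 2: ("deny", "catchall")}

if __name__ == "__main__":
    print(evaluate(GOOD, INTENDED, GROUPS))
    print(evaluate(ROGUE, INTENDED, GROUPS))
    print(evaluate(ROGUE, TYPO, GROUPS))
    print("permit-all rules:", audit(TYPO, GROUPS))
```

Running an audit like this against an exported configuration before deployment catches permit rules that reference a mistyped or still-empty attribute group.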