Configuring Policy Rules for a SubsystemChapter 18 Setting Up Policies 589Note that the policy processor applies only the enabled policy rules, in the order inwhich they are configured, before determining the final outcome. Each rule theprocessor executes returns a PolicyResult object. Three return values arepossible:• PolicyResult.REJECTED (indicates that the request failed the rule)• PolicyResult.DEFERRED (indicates that the request requires agent approval)• PolicyResult.ACCEPTED (indicates that the request passed the rule)After all the policy rules are applied, the processor determines the status of therequest (in this order):1. If the request failed any policy rule (that is, if any of the policy rules returned aPolicyResult.REJECTED value), the processor rejects the request. The rulethat rejected the request sets appropriate error messages on the request.2. If at least one of the policy rules requires agent approval for the request (that is,if any of the policy rules returned a PolicyResult.DEFERRED value), theprocessor stores the request in the request queue for agent approval.3. If the request passes all the policy rules (that is, all policy rules returned aPolicyResult.ACCEPTED value), the request gets serviced—for example thecertificate is issued or renewed.Configuring Policy Rules for a SubsystemYou can configure the main subsystems of Certificate Management System(CMS)—the Certificate Manager, Registration Manager, and Data RecoveryManager—to apply certain organizational policies on end entities’ certificateenrollment, renewal, and revocation requests before servicing them. This sectionexplains how to configure a subsystem to evaluate end-entity requests based on aset of policy rules.The steps are as follows:• Step 1. Before You Begin• Step 2. Modify Existing Policy Rules• Step 3. Delete Unwanted Policy Rules• Step 4. Add New Policy Rules• Step 5. Reorder Policy Rules