Introduction to Policy
482 Netscape Certificate Management System Administrator’s Guide • June 2003

• Revocation policies
• Key-archival policies
• Key-recovery policies

To facilitate this classification, CMS supports a parent interface for a generic policy rule and other operation-specific interfaces that extend the parent interface. Check the CMS SDK.

Policy Processor

Each subsystem—the Certificate Manager, Registration Manager, or Data Recovery Manager—has its own policy processor. Each processor subjects an incoming request to the applicable policy rules for that subsystem.

When a subsystem starts up, its policy processor reads the current policy configurations from the configuration file, initializes them, and classifies them based on their type (see “Types of Policy Rules” on page 481). Then, when the subsystem receives an authenticated request, its request processor invokes the policy processor to apply policies on that request. The policy processor applies the rules on the request based on the request type. The policy processor also filters the rules based on predicates (see “Using Predicates in Policy Rules” on page 483).

Note that the policy processor applies only the enabled policy rules, in the order in which they are configured, before determining the final outcome. Each rule the processor executes returns a PolicyResult object. Three return values are possible:

• PolicyResult.REJECTED (indicates that the request failed the rule)
• PolicyResult.DEFERRED (indicates that the request requires agent approval)
• PolicyResult.ACCEPTED (indicates that the request passed the rule)

After all the policy rules are applied, the processor determines the status of the request (in this order):

1. If the request failed any policy rule (that is, if any of the policy rules returned a PolicyResult.REJECTED value), the processor rejects the request. The rule that rejected the request sets appropriate error messages on the request.
2. If at least one of the policy rules requires agent approval for the request (that is, if any of the policy rules returned a PolicyResult.DEFERRED value), the processor stores the request in the request queue for agent approval.
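
The evaluation order described above, as an added example: a simplified Python model of the policy processor, not code from the CMS SDK. It shows that disabled, wrong-type and predicate-excluded rules are skipped, that every remaining rule runs in configured order, and that a rejection takes precedence over a deferral. The names Rule, process, key_length_rule and the sample rule names are hypothetical, and returning ACCEPTED when no rule rejected or deferred is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class PolicyResult(Enum):
    REJECTED = "rejected"
    DEFERRED = "deferred"
    ACCEPTED = "accepted"

@dataclass
class Rule:  # hypothetical model of one configured policy rule
    name: str
    request_type: str                      # rule class, e.g. "enrollment"
    apply: Callable[[dict], PolicyResult]  # may set errors on the request
    enabled: bool = True
    predicate: Optional[Callable[[dict], bool]] = None  # None = always applies

def process(rules, request):
    results = []
    for rule in rules:                     # list order = configured order
        if not rule.enabled or rule.request_type != request["type"]:
            continue
        if rule.predicate and not rule.predicate(request):
            continue
        results.append((rule.name, rule.apply(request)))
    outcomes = {result for _, result in results}
    if PolicyResult.REJECTED in outcomes:  # step 1: any rejection wins
        final = PolicyResult.REJECTED
    elif PolicyResult.DEFERRED in outcomes:
        final = PolicyResult.DEFERRED      # step 2: queue for agent approval
    else:
        final = PolicyResult.ACCEPTED      # assumption: nothing rejected or deferred
    return final, results

def key_length_rule(min_bits):
    def apply(req):
        if req["key_bits"] < min_bits:
            req.setdefault("errors", []).append(f"key shorter than {min_bits} bits")
            return PolicyResult.REJECTED
        return PolicyResult.ACCEPTED
    return apply

RULES = [  # constructed sample configuration
    Rule("ManualApproval", "enrollment", lambda r: PolicyResult.DEFERRED,
         predicate=lambda r: r.get("cert_type") == "ca"),
    Rule("KeyLength", "enrollment", key_length_rule(2048)),
    Rule("DisabledRule", "enrollment", lambda r: PolicyResult.REJECTED, enabled=False),
    Rule("RevocationCheck", "revocation", lambda r: PolicyResult.REJECTED),
]
```

The returned list of (rule name, result) pairs is a useful audit record: it shows which rules actually ran for a request, which makes a disabled rule or an overly narrow predicate visible.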