Defining and Prioritizing Password Policies
Password policies can be created to serve different users or groups. If two password policies exist, one policy must be selected as default. The default policy does not support RBAC or ABAC; it applies to users and groups that do not match any custom policy. Users or groups are required to adhere to the highest-priority custom policy for which their roles and/or directory service attributes match.
In many implementations, the default policy is configured to match the minimum directory service password complexity requirements. For example, it may be decided that all users in the administrator (admins) role are required to have more complex password criteria than all other users. This configuration could appear as follows:
In this example, admins are assumed to be "staff employees"; however, the admin password policy has a higher priority than the staff password policy.
Thus, all users in the admins role are required to adhere to the password syntax defined in the Admin PWD Policy.
Staff members not in the admins role are required to adhere to the password syntax defined in the Staff PWD Policy.
Finally, any user who is neither a member of the admins role nor a staff employee (employeeType!=Staff) is required to adhere to the password syntax defined in the Default Password Policy.
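The resolution order described above can be modeled as follows. This is an added illustration, not the product's own code or configuration format: the class and function names, the minimum lengths, the "lower number wins" priority convention, and the rule that a policy matches on any listed role or attribute value are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    priority: int = 0                # assumption: lower number = higher priority
    roles: frozenset = frozenset()   # RBAC condition: user holds any of these roles
    attrs: tuple = ()                # ABAC condition: (attribute, value) pairs
    min_length: int = 8              # constructed stand-in for the policy's syntax rules

    def matches(self, user: dict) -> bool:
        if self.roles & set(user.get("roles", ())):
            return True
        directory = user.get("attrs", {})
        return any(directory.get(k) == v for k, v in self.attrs)

# Constructed policies mirroring the admins / staff / default example in the text.
DEFAULT = PasswordPolicy("Default Password Policy", min_length=8)
CUSTOM = [
    PasswordPolicy("Staff PWD Policy", priority=2,
                   attrs=(("employeeType", "Staff"),), min_length=12),
    PasswordPolicy("Admin PWD Policy", priority=1,
                   roles=frozenset({"admins"}), min_length=16),
]

def resolve_policy(user, custom=CUSTOM, default=DEFAULT):
    """Return the highest-priority matching custom policy, else the default."""
    priorities = [p.priority for p in custom]
    if len(set(priorities)) != len(priorities):
        # Two custom policies with equal priority would make the result ambiguous.
        raise ValueError("custom policies must have distinct priorities")
    for policy in sorted(custom, key=lambda p: p.priority):
        if policy.matches(user):
            return policy
    return default  # the default carries no RBAC/ABAC conditions: it is the fallback

def meets_length(user, password):
    """Check a candidate password against the user's effective policy."""
    return len(password) >= resolve_policy(user).min_length
```

A user who is both an admin and a staff employee resolves to the Admin PWD Policy, so a password that satisfies only the staff rules is rejected for that account.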