If a credential type is allowed by the account policy but not allowed for a user group by the Credentials policy, VIP correctly honors the Credentials policy. A user in that group cannot register that credential type.
However, if a credential type is not allowed by the account policy but is allowed for a user group by the Credentials policy, VIP does not honor the Credentials policy. A user in that group is unable to register that credential type, even though the Credentials policy allows it.
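This is working as intended: a Credentials policy can restrict the credential types that the account policy allows for a user group, but it cannot allow a credential type that the account policy does not allow.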
There is no workaround for this issue.