This is to provide more detail on how the SiteMinder Basic Password Policy works with "Priority" setting.
Release : 12.8.x
user1 is standard user and generic password policy (passpolicy1) would apply.
passpolicy1 enforce minimum password length to be 6.
manager1 is a standard user(passpolicy1) too but also part of a group where more strict password policy is required (passpolicy2)
passpolicy2 enforce minimum password length to be 12 and special characters must be part of the password.
When a password policy is applied, 1 password policy with highest priority would apply and end even though there are more password policies that may be applicable.
In the above use case, when user1 login with "User must change password" then only passpolicy1 would match so that will be applied.
When manager1 login with "User must change password", both passpolicy1 and passpolicy2 are applicable but only 1 will be applied which is the policy having the higher priority.
Higher Priority means the Password Policy Priority has "Evaluation Priority" set with higher numeric value (range from 0 ~ 999).
If you have evaluation priority set to 999, that is the highest.
It is a requirement that you set the Priority if you will have a condition where multiple password policies will be applicable.
For 'manager1' user, if the passpolicy1 has higher evaluation priority then passpolicy1 will be applied, if passpolicy2 has higher value then passpolicy2 will be applied.
If only 1 password policy is to be applied then you just need to ensure that password policy has the right evaluation priority.
However, there may be a use case where more than 1 password policy must actually apply.
In that case, you must ensure the more strict password policy is having the highest evaluation priority, in this case it would be the passpolicy2.
So passpolicy2 is set with evaluation priority of 100 and passpolicy1 is set with evaluation priority of 50.
And passpolicy2 and passpolicy1 must be compatible.
For example, if passpolicy1 says password must be using numbers only and if passpolicy2 says password must be letters only, this is not going to work and user will not be able to pass the 2 password policies as they will be in "AND" condition.
At the Password Policy Priority Section, you need to check "Apply Lower Priority Password Policies"
This tells Policy Server to also process the next highest priority password policy that is applicable.
Policy Server will continue to evaluate the next password policy as long as those password policies have this checked and all will be in the AND condition.
As the first password policy is the most strict one, all the subsequent password policies will be passed seamlessly.
If there are more strict password policy at later stage, the password change will not be able to complete successfully and user will not be able to login.