[midPoint] Midpoint 4.9, 4 Custom security policy not working for reset password from UI on Account form in Resource. Attribute - credentials/password/value.
Али Саад
gerardo.saad at gmail.com
Wed Feb 4 02:04:40 CET 2026
Dear midPoint developers, hello.
We are configuring a **resource-specific password policy** for account
passwords and would like to clarify expected UI behavior.
### Context
We have:
* a custom **ValuePolicy** defining password complexity,
* a custom **SecurityPolicy** referencing this ValuePolicy,
* the SecurityPolicy linked at **objectType(account)** level via
`securityPolicyRef` in `schemaHandling`.
Password **generation during provisioning works correctly** and uses the
custom ValuePolicy as expected.
However, during **UI password reset / change on resource accounts**, the UI
still appears to evaluate a different (default) password policy.
We would like to confirm whether this behavior is expected or if there are
known limitations.
---
### Custom ValuePolicy (used for password complexity)
```xml
<valuePolicy
    oid="11111111-2222-3333-4444-555555555555"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>My Custom Password Policy</name>
  <stringPolicy>
    <limitations>
      <minLength>16</minLength>
      <maxLength>60</maxLength>
      <limit>
        <minOccurs>1</minOccurs>
        <characterClass>
          <value>abcdefghijklmnopqrstuvwxyz</value>
        </characterClass>
      </limit>
      <limit>
        <minOccurs>1</minOccurs>
        <characterClass>
          <value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
        </characterClass>
      </limit>
      <limit>
        <minOccurs>1</minOccurs>
        <characterClass>
          <value>0123456789</value>
        </characterClass>
      </limit>
      <limit>
        <minOccurs>1</minOccurs>
        <characterClass>
          <!-- '<', '>' and '&' must be XML-escaped inside element text -->
          <value>,.&lt;&gt;/?;:'""[]{}\\|~!@#$%^&amp;*()_+=-</value>
        </characterClass>
      </limit>
    </limitations>
  </stringPolicy>
</valuePolicy>
```
---
### Custom SecurityPolicy (referencing the ValuePolicy)
```xml
<securityPolicy
    oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>My Custom Password Security Policy</name>
  <credentials>
    <password>
      <valuePolicyRef oid="11111111-2222-3333-4444-555555555555"/>
    </password>
  </credentials>
</securityPolicy>
```
---
### Resource schemaHandling (account objectType)
The SecurityPolicy is explicitly referenced at the account objectType level:
```xml
<schemaHandling>
  <objectType>
    <kind>account</kind>
    <default>true</default>
    <delineation>
      <objectClass>ri:mycustomAccount</objectClass>
    </delineation>
    <credentials>
      <password>
        <outbound>
          <strength>weak</strength>
          <expression>
            <generate>
              <mode>policy</mode>
              <valuePolicyRef oid="11111111-2222-3333-4444-555555555555"/>
            </generate>
          </expression>
        </outbound>
      </password>
    </credentials>
    <securityPolicyRef oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" type="c:SecurityPolicyType"/>
  </objectType>
</schemaHandling>
```
---
### Observed behavior
* Password generation during provisioning uses the custom ValuePolicy
correctly.
* When **resetting / changing the password in the UI for a resource
account**, the UI validation indicators (length, uniqueness, strength)
appear to be based on a **different (default) password policy**, not the
one defined above.
---
### Question
Is UI password validation expected to always honor the **objectType-level
`securityPolicyRef`** for resource accounts?
Or are there known limitations related to:
* UI validation scope,
* caching,
* or UI binding to global / default security policies?
Any clarification would be greatly appreciated.
Thank you for your time and for midPoint.
Best regards,
Ali Saad
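An added example, not code from the original post or from midPoint itself: it parses the `stringPolicy/limitations` of the ValuePolicy shown above and reports which limitations a candidate password violates, so the verdict the UI gives can be compared against what the configured policy actually requires. The embedded XML copy (with the XML-special characters escaped) and the candidate passwords are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed copy of the ValuePolicy from the post, with the XML-special
# characters in the last character class escaped (&lt; &gt; &amp;).
POLICY_XML = """<valuePolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>My Custom Password Policy</name>
  <stringPolicy><limitations>
    <minLength>16</minLength><maxLength>60</maxLength>
    <limit><minOccurs>1</minOccurs><characterClass><value>abcdefghijklmnopqrstuvwxyz</value></characterClass></limit>
    <limit><minOccurs>1</minOccurs><characterClass><value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value></characterClass></limit>
    <limit><minOccurs>1</minOccurs><characterClass><value>0123456789</value></characterClass></limit>
    <limit><minOccurs>1</minOccurs><characterClass><value>,.&lt;&gt;/?;:'"[]{}\\|~!@#$%^&amp;*()_+=-</value></characterClass></limit>
  </limitations></stringPolicy>
</valuePolicy>"""


def load_limitations(xml_text):
    """Read minLength/maxLength and every <limit> as (class chars, minOccurs)."""
    lim = ET.fromstring(xml_text).find("c:stringPolicy/c:limitations", NS)
    rules = {
        "minLength": int(lim.findtext("c:minLength", "0", NS)),
        "maxLength": int(lim.findtext("c:maxLength", "0", NS)),  # 0 = no upper bound
        "classes": [],
    }
    for limit in lim.findall("c:limit", NS):
        chars = set(limit.findtext("c:characterClass/c:value", "", NS))
        rules["classes"].append((chars, int(limit.findtext("c:minOccurs", "0", NS))))
    return rules


def check_password(password, rules):
    """Return the list of violated limitations; an empty list means the value passes."""
    problems = []
    if len(password) < rules["minLength"]:
        problems.append(f"shorter than minLength={rules['minLength']}")
    if rules["maxLength"] and len(password) > rules["maxLength"]:
        problems.append(f"longer than maxLength={rules['maxLength']}")
    for chars, min_occ in rules["classes"]:
        count = sum(ch in chars for ch in password)  # how many chars fall in this class
        if count < min_occ:
            label = "".join(sorted(chars))[:6]
            problems.append(f"fewer than {min_occ} from class starting {label!r}")
    return problems


if __name__ == "__main__":
    rules = load_limitations(POLICY_XML)
    for candidate in ("Short1!", "correcthorsebatterystaple", "Tr0ub4dor&3xample!!!"):
        print(candidate, "->", check_password(candidate, rules) or "OK")
```

If a value this check accepts is still rejected by the UI (or vice versa), the UI is evaluating a different policy than the one referenced from the objectType.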