<div dir="ltr"><p>Dear midPoint developers, hello.<br><br>We are configuring a **resource-specific password policy** for account passwords and would like to clarify expected UI behavior.<br><br>### Context<br><br>We have:<br><br>* a custom **ValuePolicy** defining password complexity,<br>* a custom **SecurityPolicy** referencing this ValuePolicy,<br>* the SecurityPolicy linked at **objectType(account)** level via `securityPolicyRef` in `schemaHandling`.<br><br>Password **generation during provisioning works correctly** and uses the custom ValuePolicy as expected.<br>However, during **UI password reset / change on resource accounts**, the UI still appears to evaluate a different (default) password policy.<br><br>We would like to confirm whether this behavior is expected or if there are known limitations.<br><br>---<br><br>### Custom ValuePolicy (used for password complexity)<br><br>```xml<br><valuePolicy<br>        oid="11111111-2222-3333-4444-555555555555"<br>        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"><br><br>    <name>My Custom Password Policy</name><br><br>    <stringPolicy><br>        <limitations><br><br>            <minLength>16</minLength><br>            <maxLength>60</maxLength><br><br>            <limit><br>                <minOccurs>1</minOccurs><br>                <characterClass><br>                    <value>abcdefghijklmnopqrstuvwxyz</value><br>                </characterClass><br>            </limit><br><br>            <limit><br>                <minOccurs>1</minOccurs><br>                <characterClass><br>                    <value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value><br>                </characterClass><br>            </limit><br><br>            <limit><br>                <minOccurs>1</minOccurs><br>                <characterClass><br>                    <value>0123456789</value><br>                </characterClass><br>            
</limit><br><br>            <limit><br>                <minOccurs>1</minOccurs><br>                <characterClass><br>                    <value>,.&lt;&gt;/?;:'"&quot;[]{}\\|~!@#$%^&amp;*()_+=-</value><br>                </characterClass><br>            </limit><br><br>        </limitations><br>    </stringPolicy><br><br></valuePolicy><br>```<br><br>---<br><br>### Custom SecurityPolicy (referencing the ValuePolicy)<br><br>```xml<br><securityPolicy<br>        oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"<br>        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"><br><br>    <name>My Custom Password Security Policy</name><br><br>    <credentials><br>        <password><br>            <valuePolicyRef oid="11111111-2222-3333-4444-555555555555"/><br>        </password><br>    </credentials><br><br></securityPolicy><br>```<br><br>---<br><br>### Resource schemaHandling (account objectType)<br><br>The SecurityPolicy is explicitly referenced at the account objectType level:<br><br>```xml<br><schemaHandling><br>    <objectType><br>        <kind>account</kind><br>        <default>true</default><br><br>        <delineation><br>            <objectClass>ri:mycustomAccount</objectClass><br>        </delineation><br><br>        <credentials><br>            <password><br>                <outbound><br>                    <strength>weak</strength><br>                    <expression><br>                        <generate><br>                            <mode>policy</mode><br>                            <valuePolicyRef oid="11111111-2222-3333-4444-555555555555"/><br>                        </generate><br>                    </expression><br>                </outbound><br>            </password><br>        </credentials><br><br>        <securityPolicyRef<br>            oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"<br>            type="c:SecurityPolicyType"/><br>    
</objectType><br></schemaHandling><br>```<br><br>---<br><br>### Observed behavior<br><br>* Password generation during provisioning uses the custom ValuePolicy correctly.<br>* When **resetting / changing the password in the UI for a resource account**, the UI validation indicators (length, uniqueness, strength) appear to be based on a **different (default) password policy**, not the one defined above.<br><br>---<br><br>### Question<br><br>Is UI password validation expected to always honor the **objectType-level `securityPolicyRef`** for resource accounts?<br><br>Or are there known limitations related to:<br><br>* UI validation scope,<br>* caching,<br>* or UI binding to global / default security policies?<br><br>Any clarification would be greatly appreciated.<br><br>Thank you for your time and for midPoint.<br><br>Best regards,<br>Ali Saad<br></p></div>
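An added example, not part of the post above and not midPoint's own code: a small stand-alone Python checker that parses the `stringPolicy` limitations of a midPoint ValuePolicy (the policy from the post is embedded as a constructed sample) and evaluates a candidate password against them. Running it against a password the UI accepted or rejected shows directly whether the UI's decision matches the resource-specific policy or some other one. The function names `parse_string_policy` and `check_password` are this example's own; it models only `minLength`, `maxLength` and each `limit`'s `minOccurs`/`maxOccurs` over a `characterClass/value` set, and assumes nothing about other checks midPoint may apply (history, uniqueness, and so on).

```python
"""Evaluate a password against the stringPolicy of a midPoint ValuePolicy XML.

Added example code (not midPoint's). Assumptions: the policy uses the common-3
namespace as its default namespace, and a <limit> carries an optional
<description>, <minOccurs>, <maxOccurs> and one or more <characterClass>/<value>
elements whose characters form the class. Nothing else is modelled.
"""
import xml.etree.ElementTree as ET

# midPoint common-3 namespace, the default namespace of the posted policy.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample: the ValuePolicy from the post, embedded so this runs offline.
# (Special-character class written with a single backslash for this sample.)
VALUE_POLICY_XML = r"""<valuePolicy oid="11111111-2222-3333-4444-555555555555"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>My Custom Password Policy</name>
  <stringPolicy>
    <limitations>
      <minLength>16</minLength>
      <maxLength>60</maxLength>
      <limit><description>lowercase</description><minOccurs>1</minOccurs>
        <characterClass><value>abcdefghijklmnopqrstuvwxyz</value></characterClass></limit>
      <limit><description>uppercase</description><minOccurs>1</minOccurs>
        <characterClass><value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value></characterClass></limit>
      <limit><description>digit</description><minOccurs>1</minOccurs>
        <characterClass><value>0123456789</value></characterClass></limit>
      <limit><description>special</description><minOccurs>1</minOccurs>
        <characterClass><value>,.&lt;&gt;/?;:'"[]{}\|~!@#$%^&amp;*()_+=-</value></characterClass></limit>
    </limitations>
  </stringPolicy>
</valuePolicy>"""


def _int_or_none(parent, tag):
    """Read an optional integer child element; None when absent."""
    node = parent.find(f"c:{tag}", NS)
    return int(node.text.strip()) if node is not None and node.text else None


def parse_string_policy(xml_text):
    """Extract stringPolicy/limitations into a plain dict."""
    root = ET.fromstring(xml_text)
    limitations = root.find("c:stringPolicy/c:limitations", NS)
    if limitations is None:
        raise ValueError("value policy has no stringPolicy/limitations")
    limits = []
    for limit in limitations.findall("c:limit", NS):
        # A characterClass may carry several <value> elements; union them.
        chars = "".join(v.text or "" for v in limit.findall("c:characterClass/c:value", NS))
        limits.append({
            "description": (limit.findtext("c:description", default="", namespaces=NS) or "").strip(),
            "minOccurs": _int_or_none(limit, "minOccurs"),
            "maxOccurs": _int_or_none(limit, "maxOccurs"),
            "chars": set(chars),
        })
    return {
        "minLength": _int_or_none(limitations, "minLength"),
        "maxLength": _int_or_none(limitations, "maxLength"),
        "limits": limits,
    }


def check_password(password, policy):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    n = len(password)
    if policy["minLength"] is not None and n < policy["minLength"]:
        violations.append(f"length {n} is below minLength {policy['minLength']}")
    if policy["maxLength"] is not None and n > policy["maxLength"]:
        violations.append(f"length {n} exceeds maxLength {policy['maxLength']}")
    for i, limit in enumerate(policy["limits"], 1):
        count = sum(1 for ch in password if ch in limit["chars"])
        label = limit["description"] or f"limit #{i}"
        if limit["minOccurs"] is not None and count < limit["minOccurs"]:
            violations.append(f"{label}: {count} present, at least {limit['minOccurs']} required")
        if limit["maxOccurs"] is not None and count > limit["maxOccurs"]:
            violations.append(f"{label}: {count} present, at most {limit['maxOccurs']} allowed")
    return violations


if __name__ == "__main__":
    policy = parse_string_policy(VALUE_POLICY_XML)
    for candidate in ("password", "Correct-Horse-Battery9", "x" * 61 + "A1!"):
        problems = check_password(candidate, policy)
        print(f"{candidate[:24]!r}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against a live instance, export the ValuePolicy the resource's `securityPolicyRef` points at (and, separately, the global security policy's value policy), feed each into `parse_string_policy`, and compare the verdicts for the same password with what the UI shows; a mismatch on the resource policy but a match on the global one is the signature of the UI binding to the wrong policy.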