In Oracle Identity Manager, password policies are evaluated in the following scenarios:
When users register themselves to Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.
When users reset their password using the Forgot Password? link.
When users change their enterprise password or target system account password from the Change Password section of the My Information page.
When an administrator sets or changes the password of a user manually.
The following is the order in which a user's effective password policy is evaluated:
The password policy (if available) set for the user's home organization is applicable for the user.
If no password policy is set for the user's home organization, then the policy of the organization at the next level in the organization hierarchy of the user's home organization is picked. This procedure of identifying an organization at the next level in the hierarchy of the user's home organization continues until an organization associated with a password policy is determined. This password policy is applicable to the user.
If none of the organizations in the hierarchy has password policies set, then the password policy attached to the Top organization is applicable. If no password policy is attached to the Top organization, then the default password policy of the XellerateUsers resource is applicable.