This article describes several cases in which a user can receive a password policy.
Here are several use-cases outlining how password policies are applied in Liferay Portal.
When a user and all organizations that the user is a member of don't have a password policy, then the default policy is given to the user.
If the user has no password policy but an organization the user is a member of does have a password policy, then the organization's password policy is given to the user.
If a user is a member of multiple organizations with more than one of those organizations having a password policy, then the first such organization found by Liferay will impose its password policy on the user.
If the user has been assigned a password policy and an organization the user is a member of has a password policy, then the user's password policy is applied.
Password policies are not inherited among parent and child organizations due to performance concerns. Child organizations are assigned the default password policy rather than the password policy of parent organizations.