---
title: Which password policy applies
description: The operational attribute, pwdPolicySubentry, identifies an account's password policy. The default global access control instructions grant no access to this operational attribute. The following example grants access to a group of administrators:
component: pingds
version: 8.1
page_id: pingds:security-guide:pwp-application
canonical_url: https://docs.pingidentity.com/pingds/8.1/security-guide/pwp-application.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Features", "LDAP", "Security", "Setup & Configuration"]
---

# Which password policy applies

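The operational attribute, `pwdPolicySubentry`, identifies an account's password policy. The default global access control instructions grant no access to this operational attribute. The following example adds an ACI to `ou=People,dc=example,dc=com` that grants all permissions on `pwdPolicySubentry` and `ds-pwp-password-policy-dn` to members of the Directory Administrators group, then reads `pwdPolicySubentry` for one account: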

```console
$ ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=admin \
 --bindPassword password << EOF
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "pwdPolicySubentry||ds-pwp-password-policy-dn")
 (version 3.0;acl "Allow Administrators to manage user's password policy";
 allow (all) (groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com");)
EOF
$ ldapsearch \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" \
 pwdPolicySubentry
```

> Output:
>
> ```
> dn: uid=bjensen,ou=People,dc=example,dc=com
> pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
> ```

For more information about the password policy for an account, try the `ds-pwp-state-json` virtual attribute. For details, refer to the [LDAP example](../ldap-guide/passwords-and-accounts.html#ldap-read-pwp-state) or the [HTTP example](../rest-guide/action-rest.html#read-pwp-state).
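
To review which policy applies across many accounts, the following added example (not part of the PingDS documentation) classifies `ldapsearch` LDIF output by its `pwdPolicySubentry` value and flags entries where the attribute was not returned, as happens when no ACI grants the bind DN access. The function names, the `user.0` and `user.1` entries, and the "Constructed Strict Policy" name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the PingDS docs): classify entries by password policy.
# Usage: ldapsearch ... "(uid=*)" pwdPolicySubentry | pwp_audit POLICY_DN
# Output per entry: STATUS<TAB>entry DN<TAB>policy DN
#   OK            pwdPolicySubentry equals POLICY_DN (case-insensitive compare)
#   DIFFERENT     another policy applies
#   NOT_RETURNED  attribute absent, for example no ACI lets the bind DN read it
# Assumption: values are plain LDIF (base64 "attr:: value" forms are not decoded).
pwp_audit() {
  PWP_EXPECTED="$1" awk '
    function ldif_value(s) { sub(/^[^:]*:[ ]*/, "", s); return s }
    function end_entry(   status) {
      if (dn == "") return
      status = "NOT_RETURNED"
      if (policy != "")
        status = (tolower(policy) == tolower(ENVIRON["PWP_EXPECTED"])) ? "OK" : "DIFFERENT"
      printf "%s\t%s\t%s\n", status, dn, (policy == "" ? "-" : policy)
      dn = ""; policy = ""
    }
    function end_line(   name) {
      if (line == "") { end_entry(); return }      # blank line closes an entry
      name = tolower(substr(line, 1, index(line, ":") - 1))
      if (name == "dn") dn = ldif_value(line)
      else if (name == "pwdpolicysubentry") policy = ldif_value(line)
    }
    /^ / { line = line substr($0, 2); next }       # unfold LDIF continuation lines
    { end_line(); line = $0 }
    END { end_line(); end_entry() }
  '
}

# Constructed sample: the first entry is the output shown on this page; the
# other entries and the second policy name are invented for the example.
sample_ldif() {
  cat <<'EOF'
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=user.0,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Constructed Strict Policy,cn=Password Policies,
 cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
EOF
}

sample_ldif | pwp_audit "cn=Default Password Policy,cn=Password Policies,cn=config"
```

A `NOT_RETURNED` result does not mean the account has no policy. It means the search did not return the attribute for that bind DN.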
