Global security policy specifies via password policy the minimum password length 6 and some complexity.
Organization Executive has assigned another security policy with a weakier password - 5 minimum and weaker complexity.
User is assigned to Executive organization.
I try to change user's password to 5 characters.
GUI request ends with a yellow warning that the password does not satisfy the password policy - it complains e.g. for the 6 characters, which means it's using the global policy at least for the account passwords.
This worked with 3.8.