Please use the link: http://help.sap.com/saphelp_nw73/helpdata/en/49/386a11c657200be10000000a42189c/frameset.htm
Also please note that such policy is actually provided by the system where user base resides. If the user ids are in LDAP / ABAP, the policy in that system will be effective in most cases. Making the portal UME policy more stringent might be helpful to override the policy of user base.
Also in the link:
http://help.sap.com/saphelp_nw70/helpdata/en/7f/c52442ad9f5133e10000000a155106/content.htm
"If the data source has defined its own security policy, there is no standard interface to pass on any error messages from the data source to the UME user in the same level of detail and in the correct language. The user only receives a generic error message."
Thanks