Hi Davo, thanks for your reply.
Yep, the fundamental flaw you mentioned I discovered about 30 minutes after writing the original post. This will be tricky, but here's the thought: perhaps I could detect what their highest current role is and assign password policy according to that as a workaround?