When the sudo plugin host is joined to the policy group via the pmjoin_plugin command, an ssh key (pmpol_key) is created in the pmclient user's .ssh directory and the public key is then appended to the pmpolicy user's .ssh/authorized_keys file on the primary policy server. This gives the pmclient user read only access to checkout a local copy of the policy from the repository via ssh+svn.
In normal Privilege Manager for Sudo operation, the policy will be evaluated on the policy server. But if the plugin host cannot contact the policy server whatever reason, the local copy of the policy is used to perform an "offline" policy evaluation.
The pmpluginloadcheck daemon on the plugin host will periodically check to make sure that the local copy of the policy is up-to-date. If necessary, pmpluginloadcheck will initiate a policy checkout as the pmclient user to update the local copy.
The join password is also used for the pmclient's initial password when the user is created, but since the policy transfer is done using an ssh key, changing pmclient's password will not affect the transfer.