{"product_id":10110,"v_id":10110,"product_name":"Metastorm e-Work® 6.6","certification_status":"Not Certified","certification_date":"2006-10-24T00:10:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"OpenText (formerly Metastorm, Inc.)","website":"www.opentext.com"},"vendor_poc":"Kevin Haugh","vendor_phone":"443-703-1809","vendor_email":"khaugh@opentext.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The Target of Evaluation (TOE) is Metastorm e-Work 6.6.1.</p>\r\n<p>The TOE can control access to objects called forms and folders. Forms are used to define business process information in objects. Folders are collections of forms that represent logical constructs of business process model maps and diagrams. Combinations of forms and folders represent business processes (procedures), which the TOE can provide users with interfaces to view and manage.</p>\r\n<p>Non-administrative users access the TOE using a web browser in the IT environment to access the TOE HTTP network protocol interface. Users are required to provide a user name and password before a session with the TOE can be established.</p>\r\n<p>Administrative users access the TOE using the Windows application graphical user interface (GUI) interfaces of the e-Work Engine administrator console component. Administrators are required to provide a user name and password before a session with the TOE can be established.</p>\r\n<p>The TOE in its intended environment can be described in terms of the following components:</p>\r\n<ul>\r\n<li>e-Work Web Extensions.ISAPI (web server plug-in) subsystem - Internet Server API (ISAPI) server library for Microsoft Internet Information Services web server that handles end user HTTP requests to e-Work Engine component, supports processing of e-Work data using web browsers. </li>\r\n<li>e-Work Engine subsystem - Server application that evaluates and processes e-Work transaction requests from end users. 
Processes Business Process Management (BPM) logic defined by administrators and used by end users to perform work flow management functions. </li>\r\n<li>e-Work Engine administrator console subsystem - Provides graphical user interface (GUI) Windows application interfaces to manage the e-Work Engine component. Includes the following subcomponents:\r\n<ul>\r\n<li>System Administrator application - Provides interfaces to start/stop e-Work Engine component, to configure authentication mechanisms. Accessed using Windows Microsoft Management Console (MMC) interfaces. </li>\r\n<li>e-Work Designer application - Provides interfaces to create and modify existing procedures and their components (forms, folders). Accessed using Windows application interfaces. </li>\r\n<li>Services Manager application - Provides interfaces to manage existing procedures (e.g. making a procedure available to users) and their components (forms, folders). Accessed using Windows Microsoft Management Console (MMC) interfaces. </li>\r\n<li>Users and Roles application - Provides interfaces to manage users and user attributes. Accessed using Windows application interfaces. </li>\r\n<li>Administrator Forms application - Provides interfaces to manage user session timeout. </li>\r\n</ul>\r\n<ul>\r\n<li>Operating system - Provides runtime environment for e-Work Engine component and e-Work Engine administrator console component (as well as database, web server, and web browser components). </li>\r\n<li>Database - Stores e-Work Engine component and e-Work Engine administrator console component configuration data. </li>\r\n<li>Web server - Provides runtime environment for e-Work Web Extensions.ISAPI component. </li>\r\n<li>Web browser - Provides web-based client interface to access e-Work Engine component services using the e-Work Web Extensions.ISAPI component. 
</li>\r\n</ul>\r\n</li>\r\n</ul>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Metastorm e-Work 6.6.1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2, Revision 256, January 2004 and International Interpretations effective on 1 July 2005. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 2.2, Revision 256, January 2004. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements. The product, when configured as specified in the Metastorm e-Work Release 6.6 Installation Prerequisites, April 2005 document and Metastorm e-Work Release 6.6 Installation Guide, April 2005, satisfies all of the security functional requirements stated in the Metastorm e-Work 6.6.1 Security Target, Version 1.0. One Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in August 2006. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-06-0046, dated 26 October 2006) prepared by CCEVS.</p>","environmental_strengths":"<p>The TOE is an IT-enabled Business Process Management (BPM) software product supported on Windows 2003, 2000, and XP. BPM is the process of viewing and managing the information, activities, and instructions required to automate a business process, which is called a procedure. The main component of a procedure is one or more maps. 
Maps are diagrams or process model logical constructs that depict business processes such as, for example, a manager approving a staff member's travel request form. Metastorm e-Work 6.6.1 TOE supports the following five security functions:</p>\r\n<p><strong>User data protection</strong><br /> The TOE has the ability to restrict access to forms and folders to authorized users. Users have to be assigned to a role, and Access Control Lists (ACLs) containing user and/or role identifiers are used to make access control decisions for a given object.</p>\r\n<p><strong>Identification and authentication</strong><br /> The TOE defines users in terms of security attributes that include user name, password, and role. The IT environment is relied on to authenticate administrators. The TOE offers no TSF-mediated functions until the user is identified and authenticated.</p>\r\n<p><strong>Security management</strong><br /> The TOE provides administrators with Windows application graphical user interface (GUI) interfaces to create and manage process flows, and to manage the security functions of the TOE. The TOE maintains both administrator and user roles.</p>\r\n<p><strong>Protection of the TSF</strong><br /> The TOE restricts access to both its administrative and non-administrative interfaces. When a user without the necessary role requests communication with the TOE, access is denied. Users cannot proceed to use their TOE role until they have supplied a user name and password that corresponds to the TOE access list.</p>\r\n<p><strong>TOE access</strong><br /> The TOE can terminate inactive interactive user sessions. The TOE relies on a timestamp provided by the operating system in the IT environment in order to determine if a session has become inactive.</p>","features":[]}