The Target of Evaluation (TOE) is Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) from Oracle Primavera, hereinafter referred to as Primavera.
\r\nPrimavera is a project management product that is implemented using client/server architecture with a centralized project database. Primavera can be used to manage projects, resources, and methodologies. Resources can represent either people or materials, depending on how the project is defined. Methodologies are templates for defining new projects and can be used to codify an organization’s best practices.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL4 assurance requirements package. The product satisfies all of the security functional requirements stated in the Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) Security Target, when configured as specified in the Primavera P6 Administrator’s Guide, Primavera P6 Integration API Administrator’s Guide, and Evaluated Configuration for Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1).
\r\nA validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in July 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10182-2009), prepared by CCEVS
","environmental_strengths":"Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) provides a moderate to high level of independently assured security in a conventional TOE and is suitable for a relatively benign environment with good physical access security and competent administrators.
\r\nPrimavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) supports the following security functions:
\r\nPrimavera implements three separate access control policies—one controls access to projects, another controls access to resources, and the third controls access to methodology objects. Access control decisions are made differently for each type of object.
\r\nPrimavera defines users in terms of security attributes comprised of user identity and global profiles, which contain authorizations corresponding to functions a role may perform. Primavera requires users to be identified before they can gain access to its capabilities. In the evaluated configuration, authentication of claimed identities is performed by an LDAP server in the IT environment.
\r\nPrimavera provides administrative users with the ability to manage access controls on projects, resources, and methodologies, and the security attributes associated with users. Administrative capabilities are granted by the privileges allocated to a user via a global profile associated with the user.
\r\n