{"product_id":10266,"v_id":10266,"product_name":"Oracle AquaLogic BPM Suite Version 6.0 MP4 (Build 95902)","certification_status":"Not Certified","certification_date":"2009-05-04T00:05:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"Oracle Corporation","website":"www.oracle.com"},"vendor_poc":"Shaun Lee","vendor_phone":"+44 (0) 188 924 3880","vendor_email":"secval_us@oracle.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p><span style=\"font-size: x-small;\">\r\n<p align=\"justify\">The TOE is a product suite for business process management (BPM), or creating, executing, and optimizing business processes. It enables collaboration, business, and information technology (IT) to automate and optimize business processes. The TOE provides security functions that control user access to business process definitions and active instances of those processes. Users may be granted or denied access based on their organization affiliation, assigned group, assigned role, assigned groups, or identity, which is verified by the TOE. The components of the TOE are:</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM Studio provides the environment for both designing and developing a process. 
It has an external interface that can be used by business analysts, business architects, and developers.</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM Process Execution Engine orchestrates all processes and their resources&mdash;people, organizations, applications, and systems&mdash;managing proper sequence, enforcing business rules, and auditing each step to ensure process execution, escalation, and exception management.</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM WorkSpace provides the external interface through which a participant interacts with the Process Execution Engine.</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM Process Administrator is the console that provides the external interface that enables administrative management of organizational information (participants, roles, groups, permissions, categories), engines (add, remove, start, stop), general configuration information (connectivity information to external databases and systems), and publishing, deployment, and undeployment of projects.</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM Archive Viewer (Archive Viewer) is a web application whose external interface provides IT administrators and business users with historical activity data for business processes that had previously run in the Process Execution Engine.</p>\r\n<p align=\"justify\">The BEA AquaLogic BPM Log Viewer (Log Viewer) provides the external interface that enables administrators to read information logged by the Process Execution Engine.</p>\r\n<p>The BEA AquaLogic BPM Admin Center (Admin Center) provides the external interface designed to help administer a BEA AquaLogic BPM implementation. 
The primary focus of Admin Center is to set up and configure the BEA AquaLogic BPM installations.</p>\r\n</span></p>","evaluation_configuration":"<p><span style=\"font-size: x-small;\"><span style=\"font-family: Times;\"><span style=\"font-size: x-small;\"><font size=\"2\">\r\n<p>&nbsp;</p>\r\n</font></span>\r\n<p>&nbsp;</p>\r\n</span></span></p>","security_evaluation_summary":"<p class=\"Body0\" style=\"margin: 0in 0in 6pt; line-height: normal; text-autospace: ideograph-numeric; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-size: x-small; font-family: Times;\">&nbsp;The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the BEA AquaLogic BPM Suite Version 6.0 MP4 (Build 95902) TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL4 augmented with ALC_FLR.1 family of assurance requirements. The product, when configured as specified in the Common Criteria Configuration Notice for BEA AquaLogic BPM Suite 6.0.4, ALBPM Product Installation Guide, Version 6.0 AquaLogic BPM Enterprise Configuration Guide BEA WebLogic Edition, and AquaLogic BPM Enterprise Configuration Guide Standalone Edition, Version 6.0, satisfies all of the security functional requirements stated in the BEA AquaLogic BPM Suite Version 6.0 MP4<span style=\"font-size: x-small; font-family: Times New Roman;\"><span style=\"font-size: x-small; font-family: Times New Roman;\"> (Build 95902) Security Target</span></span><span style=\"font-size: x-small;\">, Version 1.0. 
Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in April 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10266-2009, dated 4 May 2009) prepared by CCEVS.</span></span></p>","environmental_strengths":"<p class=\"Body0\" style=\"margin: 0in 0in 6pt; line-height: normal; text-autospace: ideograph-numeric; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-size: x-small; font-family: Times;\">The TOE is a commercial product whose users require a low to moderate level of independently assured security.<span style=\"mso-spacerun: yes;\">&nbsp; </span>BEA AquaLogic BPM Suite Version 6.0 MP4 (Build 95902) is targeted at a relatively benign environment with good physical access security and competent administrators.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Within such environments, it is assumed that attackers will have little attack potential.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The security environment also assumes that the TOE components are physically protected. 
</span></p>\r\n<p class=\"Body0\" style=\"margin: 0in 0in 6pt; line-height: normal; text-autospace: ideograph-numeric; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-size: x-small;\"><span style=\"font-family: Times;\">BEA AquaLogic BPM Suite Version 6.0 MP4 (Build 95902) </span><span style=\"font-family: &quot;Times New Roman&quot;,&quot;serif&quot;; mso-bidi-font-size: 12.0pt;\">supports the following five security functions:</span></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><strong><span style=\"font-size: x-small;\">Security Audit</span></strong></span></p>\r\n<p class=\"Body0\" style=\"margin: 0in 0in 6pt; line-height: normal;\"><span class=\"body\"><span style=\"font-size: x-small;\"><span style=\"font-family: Times;\">The TOE identifies user actions on activity instances that are relevant to the security. The TOE provides the capability to generate and record audit event for these security-relevant actions. 
It provides a capability for authorized applications to access the trail of audit events.</span></span></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><strong><span style=\"font-size: x-small;\">User Data Protection</span></strong></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 6pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-weight: normal; font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><span style=\"font-size: x-small;\">The TOE provides the capability for an organization to restrict access to business-process activity instances in accordance with the organization&rsquo;s policy. Access controls for a business-process activity instance are specified in its associated business process (abstract) model. This model is realized in the TOE via an administrator-controlled operation, and a business process instance is an instantiation of this realized model. 
The restrictions on a process instance are based on the organizational unit, group, and roles of the participant requesting access as well as the organizational unit and roles associated with the process activity instance being accessed.</span></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><strong><span style=\"font-size: x-small;\">Identification and Authentication</span></strong></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 6pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-weight: normal; font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><span style=\"font-size: x-small;\">The TOE requires identification and authentication of each user before providing services to the Process Administrator, Admin Center, Archive Viewer, WorkSpace Administrator, and WorkSpace. In the case of Studio, the TOE relies on the underlying operating system for the authentication mechanisms to confirm the identity of the developer before providing services. The TOE maintains a list of attributes associated with the administrators, developers and participants that include user name, password, organizational unit, group, roles, categories within each role, and permissions. 
Although BEA AquaLogic BPM Suite can be configured to host services for anonymous users and single sign-on, these capabilities are not enabled in the evaluated configuration.</span></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><strong><span style=\"font-size: x-small;\">Security Management</span></strong></span></p>\r\n<p class=\"Body0\" style=\"margin: 0in 0in 6pt;\"><span style=\"mso-bidi-font-size: 12.0pt; mso-bidi-font-family: Times;\"><span style=\"font-size: x-small;\"><span style=\"font-family: Times;\">The TOE provides administrators with capabilities to manage the security functions of the TOE. In addition to the audit functions described above, a BEA AquaLogic BPM administrator can configure the TOE, define business processes, and define organizational information including process participants. Authorized users can manage their own authentication data.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span></span></span></span></p>\r\n<p class=\"System\" style=\"margin: 0in 0in 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging; mso-vertical-align-alt: auto;\"><span style=\"font-family: &quot;Times&quot;,&quot;serif&quot;; mso-bidi-font-weight: bold; mso-bidi-font-size: 12.0pt; mso-bidi-font-family: 'Times New Roman';\"><strong><span style=\"font-size: x-small;\">Protection of the TSF</span></strong></span></p>\r\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 6pt; text-align: justify;\"><span style=\"font-size: x-small; font-family: Times;\">The TOE includes features to ensure that a user cannot circumvent the security functions of the TOE. 
In addition, it prevents tampering and interference with the security functions.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The TOE also protects data that is transmitted between TOE components.</span></p>","features":[]}