VALIDATION REPORT Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1)
Heavy clients (PM, MM) running on:
Windows XP SP3
Windows Vista SP1
Timesheets client running JRE 1.5.0_15 and Internet Explorer 7
The evaluation team devised a test subset based on coverage of the security functions described in the ST. The test environment described above was used with team generated test procedures and team analysis to determine the expected results.
The evaluation team performed the following additional functional tests:
Aggregation of Project Privileges—Section 6.1.1 of the ST states that if a user is assigned, via multiple OBS assignments, to multiple nodes in the EPS hierarchy, an assignment at a lower node aggregates all of the user’s permissions from higher nodes in the hierarchy. The evaluation team confirmed the TOE behaves as described in the ST.
Global Profile—the TOE documentation indicates a user must be assigned a global profile. The test demonstrated that it is not possible to create a user in either Project Management or Methodology Management without assigning the user a global profile.
Security Management—the evaluation team exercised security management capabilities of the TOE using only the operational guidance documentation for guidance. The evaluation team confirmed the security management functions are invoked and behave as described in the guidance documentation.
Security Attribute Management—the evaluation team confirmed the restrictions on which roles can manage the security attributes used to enforce the TOE’s access control policies behave as specified in the ST.
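The privilege aggregation rule tested above (an assignment at a lower EPS node inherits every permission the user holds at higher nodes) is easy to mis-audit by looking only at a node's own OBS assignment. The following is an added illustration, not Primavera code or part of this report: a minimal model of that rule over a constructed EPS hierarchy, with an audit helper that finds nodes where a user's effective (aggregated) privileges exceed an intended limit. Node names, privilege names and assignments are all constructed.

```python
# Added illustration of the ST's aggregation rule; not Primavera code.
from typing import Dict, List, Optional, Set, Tuple

# Constructed EPS hierarchy: child node -> parent node (root has parent None).
EPS_PARENT: Dict[str, Optional[str]] = {
    "Enterprise": None,
    "Division-A": "Enterprise",
    "Project-A1": "Division-A",
    "Project-A2": "Division-A",
    "Division-B": "Enterprise",
}

# Constructed OBS assignments: (user, eps_node) -> privileges granted there.
ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "Enterprise"): {"view_project"},
    ("alice", "Division-A"): {"edit_activities"},
    ("alice", "Project-A1"): {"delete_project"},
    ("bob", "Project-A2"): {"view_project"},
}


def ancestors_inclusive(node: str) -> List[str]:
    """Return the node itself followed by each parent up to the root."""
    chain: List[str] = []
    current: Optional[str] = node
    while current is not None:
        chain.append(current)
        current = EPS_PARENT[current]
    return chain


def effective_privileges(user: str, node: str) -> Set[str]:
    """Aggregate privileges from this node and every higher node (the ST rule)."""
    privs: Set[str] = set()
    for n in ancestors_inclusive(node):
        privs |= ASSIGNMENTS.get((user, n), set())
    return privs


def overprivileged_nodes(user: str, limit: Set[str]) -> List[str]:
    """Audit helper: nodes where aggregation pushes a user beyond `limit`.

    Checking only the node's own assignment would miss inherited privileges;
    the effective set is what the access control policy actually enforces.
    """
    return sorted(n for n in EPS_PARENT if not effective_privileges(user, n) <= limit)
```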
The evaluation team conducted an open source search for vulnerabilities in the TOE or in components of the operational environment the TOE is reliant on for its security functionality. The evaluation team did not discover any open source vulnerabilities relating to the TOE. The evaluation team determined, through analysis of vulnerability descriptions and consideration of the intended environment and method of use of the TOE, that vulnerabilities reported in components in the operational environment have either had fixes published by the responsible vendor, or are not relevant to the TOE in its evaluated configuration.
In addition to the open source search, the evaluation team devised a set of penetration tests based on a focused search of the evaluation evidence. The evaluation team performed the following penetration tests on the TOE in the test environment:
Port Scan—the evaluation team used a commercial vulnerability scanner to examine open ports on the server machine in the test environment, both before and after the P6 Web Access Application server and the Group Server were initialized. The evaluation team determined the TOE components did not open up any additional ports.
Login Bypass—the evaluation team determined the TOE does not permit users accessing it via the Web Access client to gain access without first identifying and authenticating themselves.
LDAP Configuration—the evaluation team confirmed that when LDAP is configured for authentication, attempting to add a user that is not found in the LDAP store will