VALIDATION REPORT Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1)
result in an error message and the user will not be added. In addition, the evaluation team confirmed the P6 Web Application Server must be configured for the same authentication mode (LDAP in the evaluated configuration) as the Project Management client.
Separation of Project and Methodology Management User Spaces—the evaluation team confirmed the TOE maintains separate user spaces for Project Management and Methodology Management databases and applications.
SSL Protection—the evaluation team confirmed, using a commercial network analysis tool, that the TOE supports configuration of SSL in the IT environment to provide protection of TSF data communicated between separate TOE components.
Heavy Client Module Integrity—the developer, in their design evidence, described various mechanisms that have been implemented to protect the integrity of the Project Management and Methodology Management client applications. The evaluation team confirmed the mechanisms operated as described.
User Privileges Granting and Revocation—the evaluation team determined that changes to the privileges granted to users (which are made using the heavy client applications) are propagated to the user even when the user is currently logged on, though it is not possible to delete a user that has an active session.
The evaluation team, during the course of the evaluation and testing, also observed the measures the developer has taken to address potential cross-site scripting and SQL injection vulnerabilities in the TOE.
The evaluated version of the TOE is Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1).
Primavera is a project management product that is implemented using client/server architecture with a centralized project database. Primavera can be used to manage projects, resources, and methodologies. Resources can represent either people or materials, depending on how the project is defined. Methodologies are templates for defining new projects and can be used to codify an organization’s best practices.
Results of the Evaluation
The evaluation was conducted based upon version 3.1 of the CC and the CEM. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each assurance component. For Fail or Inconclusive work unit verdicts, the evaluation team advised the developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the evaluation team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict.
The validation team agreed with the conclusion of the evaluation team, and recommended to CCEVS management that an EAL4 certificate rating be issued for Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1).