VALIDATION REPORT Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1)
The evaluation of the Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) [1] product from Oracle Primavera was performed by Science Applications International Corporation (SAIC) Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United States of America and was completed in July 2009. The evaluation was conducted in accordance with the requirements of the Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1. The evaluation was consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site (www.niap.ccevs.org).
The SAIC evaluation team determined that the product is Common Criteria Part 2 Conformant and Common Criteria Part 3 Conformant, and that the Evaluation Assurance Level (EAL) for the product is EAL 4. The information in this Validation Report is largely derived from the Evaluation Technical Report (ETR) and associated test reports produced by the SAIC evaluation team. This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied.
Primavera is a project management product that is implemented using client/server architecture with a centralized project database. Primavera can be used to manage projects, resources, and methodologies. Resources can represent either people or materials, depending on how the project is defined. Methodologies are templates for defining new projects and can be used to codify an organization’s best practices.
Primavera provides multiple methods for connecting to and accessing the data (i.e., projects, resources, methodologies) under its control: Windows-based heavy clients; browser-based Web clients; and an API. The evaluated configuration requires an LDAP server in the operational environment to support user identification and authentication. Details of supported components in the operational environment are in Section 5.
Primavera is dependent on the correct operation of the various components in its operational environment, which are not included within the scope of the evaluation. It should also be noted that the access control policies implemented by Primavera are enforced only on access attempts made through Primavera’s interfaces. Primavera does not and cannot control attempts to access data directly (e.g., via the underlying database system or operating system).
Primavera P6 Version 6.2.1, when configured as specified in the guidance documentation, satisfies all of the security functional requirements stated in the Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) Security Target.
[1] Hereinafter generally referred to as Primavera P6 Version 6.2.1, or just Primavera.