VALIDATION REPORT Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1)
Science Applications International Corporation: Anthony J. Apted, Katie Sykes
National Information Assurance Partnership CCEVS
Jandria Alexander, The Aerospace Corporation; Scott Shorter, Orion Security Solutions, Inc.
1.2 Interpretations
Not applicable.
1.3 Threats
The ST identifies the following threats that the TOE is intended to counter.
An unauthorized user, process, or external IT entity may masquerade as an authorized user to gain access to the TOE.
A malicious user or process may cause configuration data to be inappropriately accessed (viewed, modified or deleted).
An authorized user may gain unauthorized access (view, modify, delete) to user data through the TOE.
The evaluated product is Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1).
The TOE enforces the following security policies as described in the ST.
Note: Much of the description of the Primavera security policy has been extracted and reworked from the Primavera® P6™ Enterprise Project Portfolio Management (Version 6.2.1) ST and Final ETR.
User Data Protection
Primavera implements three separate access control policies—one controls access to projects, another controls access to resources, and the third controls access to methodology objects. Access control decisions are made differently for each type of object.
Identification and Authentication
Primavera defines users in terms of security attributes comprising user identity and global profile, which contain authorizations corresponding to functions a role may perform. Primavera requires