Prerequisites
- A Polarion project with threat and countermeasure work item types defined in Administration
- The six STRIDE threat categories defined as a Polarion enumeration (Administration > Enumerations) — see Step 2
- Two rating enumerations for threat severity and likelihood, defined in Administration > Enumerations
- A sheet configuration attached to your LiveDoc document — the sheet configuration file (
risksheet.json). See Find Configuration Files - Familiarity with the STRIDE methodology
How configuration data is sourced
Risksheet does not store data separately. Threats, countermeasures, and link relationships are standard Polarion work items, subject to Polarion authorization and fully traceable through Polarion’s audit infrastructure. Rating scales and enumeration values live in Polarion’s central administration, not in the sheet configuration:- Rating scales (severity, likelihood) are Polarion enumerations defined in Administration > Enumerations. A custom field on the threat work item type binds to the enumeration. A column then uses
type: rating:<enumId>withbindings: <fieldId>— the server loads enum values automatically. - Categorical enums (STRIDE categories, status values) follow the same pattern but use
type: enum:<enumId>(ortype: multiEnum:<enumId>for multi-select).
Define threat data types
Configure the The
dataTypes section to use threat-specific work item types. STRIDE analysis uses a threat work item as the main risk row and countermeasures as downstream tasks:type and role values must match the work item types and link roles defined in your Polarion project. Both dataTypes.risk and dataTypes.task accept name (display name in toolbar/menus) and zoomColumn (zoom navigation target). Additional optional task properties include document (restrict tasks to a LiveDoc path), query (extra Lucene filter), projects (multi-project array, v23.7.0+), createInCurrentDocument, and createInDocument (v24.8.1+).Create the STRIDE category enumeration in Polarion
The six STRIDE categories are managed as a Polarion enumeration. In Polarion, open Administration > Enumerations, create an enumeration (for example,
Bind a custom field on your threat work item type (for example,
strideCategory), and add the six values:| STRIDE Category | Threat Type | Security Property Violated |
|---|---|---|
| Spoofing | Identity | Authentication |
| Tampering | Data integrity | Integrity |
| Repudiation | Non-repudiation | Non-repudiation |
| Information Disclosure | Confidentiality | Confidentiality |
| Denial of Service | Availability | Availability |
| Elevation of Privilege | Authorization | Authorization |
strideCategory) to this enumeration. The sheet configuration references it through a column type of enum:strideCategory.Reference rating scales
Create two enumerations in Administration > Enumerations — one for severity, one for likelihood — and bind custom fields (
threatSeverity, threatLikelihood) on the threat work item type to them. Reference them through column types type: rating:threatSeverity and type: rating:threatLikelihood.Risk Priority Number (RPN) thresholds and severity/likelihood scale points are deployment-specific. Adapt them to the cybersecurity standard your team follows (for example, the qualitative scales used in ISO/SAE 21434 TARA).Configure STRIDE columns
Set up the column layout to capture threat details, STRIDE classification, risk assessment, and countermeasures:Each column uses
bindings (plural) to point at the Polarion field ID. Linked-task fields use the task.<fieldId> pattern.Add visual levels
The Every level entry requires
levels array creates a visual hierarchy through cell merging — consecutive rows that share the same value in a controlColumn get their cells merged vertically. For STRIDE, you typically group threats by asset and STRIDE category:name (display name in the zoom navigation menu), controlColumn (grouping key for cell merging), and zoomColumn (target column for zoom navigation).Add the threat risk formula
Define a named JavaScript function in the The column with 
formulas section that calculates threat risk from severity and likelihood:formula: threatRisk invokes this function for each row.Apply conditional formatting
Add a cell decorator and matching styles to color-code threat risk levels. Cell decorators must use The decorator is referenced from the column via
toggleClass (not inline styles) because the grid reuses cell DOM nodes across rows:cellRenderer: threatRiskDecorator. Style values must be wrapped in {...} braces. Thresholds (4 and 9) are illustrative — set bands that match your organization’s risk acceptance criteria.The STRIDE sheet uses the same engine as FMEA and HARA. Before deploying, confirm the threat and countermeasure work item types, the
mitigates_threat link role, and the STRIDE/severity/likelihood enumerations exist in your Polarion administration.Verification
After saving the sheet configuration:- Open Risksheet inside the configured LiveDoc document.
- Create a new threat row — confirm the STRIDE category dropdown lists all six categories from the Polarion enumeration.
- Select severity and likelihood — confirm the risk level formula calculates automatically.
- Add a countermeasure — confirm it appears as a downstream task with the configured link role and that the
nameyou set fordataTypes.taskappears in the toolbar. - Confirm conditional formatting highlights risk levels with the configured color bands.
- Group consecutive rows by asset and STRIDE category — confirm the level definitions merge cells correctly.
See Also
- Set Up Risk Matrices — risk matrix configuration patterns
- Configure Downstream Tasks — countermeasure task setup
- Configure Enum Columns — enum column configuration
- Apply Conditional Formatting — cell decorator patterns
- Configure FMEA Workflows — alternative safety risk methodology
- TARA Configuration Example — complete annotated ISO/SAE 21434 TARA configuration with feasibility scoring, verdict matrix, and workflow views