Skip to main content

What You Will Achieve

By the end of this tutorial you will have a fully configured TARA project with:
  • 8 work item types (taraRecord, cybersecurityGoal, systemElement, threatScenario, stakeholder, riskControl, sysReq, testCase)
  • 5 TARA-specific link roles (hasThreatScenario, hasStakeholder, hasCybersecurityGoal, derivesRequirement, mitigates)
  • 1 Risksheet template (TARATemplate) with 22 columns, 7 views, and 3 formulas
  • Dashboard pages: Project Home, Risks Home, TARA Report, Cybersecurity Case
  • Shared catalogs for Threat Scenarios and Stakeholders
  • Document workflow for risk specification approval

Prerequisites

RequirementDetails
Polarion ALMVersion 2304 or later
Nextedy RisksheetLicensed and installed on the server
User roleProject administrator
Solution packageTARA solution archive (.zip) from Nextedy

Steps

Step 1: Create a New Polarion Project

  1. Open Polarion Administration and select Create Project.
  2. Enter a project name (e.g., “TARA Demo”) and set the tracker prefix (e.g., TR).
  3. Assign a project lead and set the project color.
  4. Save the project.
If you are adding TARA to an existing project, skip to Step 2. The solution adds new work item types and configurations without overwriting existing ones.

Step 2: Import the Solution Package

  1. Obtain the TARA solution package from Nextedy.
  2. In Polarion Administration, navigate to Repository and import the solution SVN structure into your project.
  3. The import installs:
    • Work item type definitions in .polarion/tracker/fields/
    • Custom field configurations for taraRecord, cybersecurityGoal, systemElement, and riskControl
    • Enumeration files for all TARA-specific enums (CIAx properties, impact levels, feasibility factors, treatment choices)
    • Link role definitions with type constraints
    • Form layouts for each work item type
    • The TARATemplate risksheet configuration in modules/RiskTemplates/TARATemplate/
    • Dashboard wiki pages in .polarion/pages/
    • Document workflow for riskSpecification type

Step 3: Verify Work Item Types

Open the project tracker and confirm all 8 types appear in the type selector:
TypePurpose
systemElementComponents in the vehicle architecture
taraRecordIndividual risk assessment records
threatScenarioNamed threat scenarios (catalog items)
stakeholderAffected entities (catalog items)
riskControlCountermeasures that mitigate threats
cybersecurityGoalHigh-level protection objectives with CAL
sysReqCybersecurity and system requirements
testCaseVerification test cases

Step 4: Verify the Risksheet Template

  1. Navigate to Risksheets in the sidebar.
  2. Confirm that TARATemplate appears in the template list.
  3. Open the template and verify that 7 views are listed: Overview, 1. Identify Threats, 2. Assess Feasibility, 3. Risk Assessment, 4. Risk Treatment, 5. Req & Verification, Full View.

Step 5: Verify Dashboards

Open each dashboard page and confirm it loads without errors:
DashboardNavigation Path
Project HomeProject sidebar > Home
Risks HomeWiki > Risks > Home
TARA ReportWiki > Risks > TARA Report
Cybersecurity CaseWiki > Risks > Cybersecurity Case
Dashboards display live statistics. Before any TARA records or system elements exist, all counts will show zero. This is expected.

Step 6: Set Up Initial Catalogs

  1. Open the Stakeholder Catalog document at Risks/StakeholderCatalog. Add stakeholder work items representing entities affected by cybersecurity threats (e.g., Vehicle Occupants, Road Users, Vehicle Owner, Service Technician).
  2. Open the Threat Scenario Catalog at Risks/ThreatScenarioCatalog. Add threatScenario work items for common threats relevant to your system.

Step 7: Create the System Element Hierarchy

  1. Open the SYSTEM-ELEMENTS document in the _default space.
  2. Add systemElement work items with the elementType custom field set to system, subsystem, or component.
  3. Use the parent link role to establish the hierarchy.
The TARA Demo project ships with a sample hierarchy for a Connected Electric Vehicle with ADAS. Review it as a reference for structuring your own system architecture.

Next Steps