HP Quality Center 10 from a Test Managers

Perspective
03/02/2009 by Serge Baumberger
The new Version 10 of the HP Quality Center (QC) is now available. Yet what are the actual
advantages of the new QC compared to its predecessor from a Test Managers perspective?
Below, I will take a look at some of the new features and changes, and I will answer the question
whether one should even make the switch.

The Most Significant Changes

The new QC Version 10 has seen a series of changes, of which the most significant ones are:

Version control

Baselining

Integrated dashboard

Shared libraries

Cross Project Customization

Version Control
Finally, QC has been provided with a fully integrated version control. In past versions, one had
to make do with third-party integration, which generally stumbled rather than ran. The version
control, if desired, must first be activated for every individual project via the SiteAdmin. Once
this is done, all entities falling under the version control become Version 1. QC entities include
requirements, tests, test resources, and business components. If one wishes to add a test step to a
test case for example, one is automatically requested to check this test case. As soon as there is
more than one version of an entity, one can compare various versions against each other or
retrieve an older version.
Summary: The whole thing is intuitive and easy to operate. But whats the use of having eight
versions of a requirement, when one doesnt know which software release a version belongs to?
Baselining

Along with version control comes baselining, which is intended to answer the question above.
Using the new Management module that replaces the Releases introduced in 9.x one gets to
the baseline function via the Libraries tab. This enables one to obtain a summary of a complete
testing release and retrieve it if necessary. In this way, a test set can be pinned to a baseline in the
test lab. In other words, as of now, the manual copying of entire trees into the test plan module is
a thing of the past. At last, test managers will be able to properly organize software that has
multiple parallel releases (in production, current release, future release).
Summary: Setting up the baseline works very well. While creating it, a log keeps one updated on
what is currently taking place. However, setting up baselines probably needs to be done during
off-peak hours since it can take a while for larger QC projects.
Integrated Dashboard
Equally interesting for test managers is the new integrated dashboard that can be found on the
left-hand navigation bar where the Management module is, too. The special feature of the new
dashboard does not pertain to the graphics, which are not particularly appealing, but the CrossProject functionality. It is now finally possible, when working on a QC project, to get an
overview of all of ones ongoing projects. These dashboards are freely configurable and can be
designated to be personal favorites or publicly accessible. Special Excel reports also enable
direct access to the database via SQL. The generated reports can then be graphically processed at
the same time by means of VBScript.

Summary: The new dashboard module is quickly customized and achieves its purpose in
ongoing projects. What is missing is a sensible way of printing content for a given project
meeting, for example.
Shared Libraries
Libraries, which are located in the Management module, can be re-used and distributed with
Version 10. A library represents a collection of entities in a QC project, including their
relationships to each other. When dealing with many similar projects, it offers the advantage of
not having to repeatedly create entities. Libraries can be imported from project A into project B,
compared against each other, or even synchronized. A library also allows one to collect the same
entities as in versioning. Defects are not included, but they can be shared with the new HP
Quality Center Synchronizer manually among several QC projects. As mentioned, the
advantages really only present themselves when one has many and/or large-scale projects. I
suppose that is why this functionality is available only in the QC Premier Edition (also available
are the Standard and Enterprise editions).
Summary: It remains to be seen whether this function will actually be used in real-world
applications. In my opinion, it makes perfect sense to be able to take over pre-defined assets
from another project so that one doesnt have to keep re-inventing the wheel.

Cross Project Customization

And now heres the last big change: Cross Project Customization. Many organizations have
defined standards, such as a uniform defect status field or a standardized priority scale, for their
software quality-related areas. However, these fields and lists were often changed or even deleted
by QC project administrators. Some companies have even gone to great lengths in using their
own programming to define a template that can be distributed to all QC projects, thereby
establishing a uniform standard.
For all those who want to spare themselves this time and effort or do not wish to keep an inhouse programmed interface going, there is a solution. Site Administrator now provides a way to
link projects with a template. If the template is changed, the delta can then be passed on later at
the right point in time. This function has been awaited not only by test managers who like to
have the same configuration in all their projects, but especially also by the respective operators
of QC installations, namely the system administrators. Cross Project Customization is also only
available in the Premier Edition.
Summary: This change is awesome! Finally, testing organizations or Test Factory managers are
able to implement a certain basic standard in their projects. Once this is accomplished, nothing
can get in the way of standardized, across-the-board reporting.

Is an Upgrade Worth It?

The new Version 10 is an absolute milestone not only for tests managers. It also makes life easier
for testers, Test Factory managers, as well as QC system administrators. The new functions have
been anticipated for quite some time and have been implemented in the new product in a wellconceived manner.
However, there are still questions about how stable the new version is (my tests ran flawlessly)
and how simple a migration of a larger installation might be. If these questions receive favorable
responses, one should absolutely consider switching over to the new version!
ShareThis
Sphere: Related Content
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response,
or trackback from your own site.

30 Responses

1
Go2Group:
03/03/2009 at 5:24 pm

This is a great review, Serge!

Weve done our own review as it relates to remote API calls in HP QC 10 and are excited
about the results, specifically with our own product, the JaM Plugin. We initially started
supporting TestDirector back in the day, then progressed to QC 9 after HP picked up
Mercury.
Thanks for the perspective!

2
Serge Baumberger:
04/03/2009 at 8:43 am

Thx alot for your response. I try to keep up the good quality of my blogs
regards,
serge

3
Lynn:
05/13/2009 at 7:21 pm

Serge, whats your assesment on the reporting features? Coming from QC 8.2 and will be
upgrading to 10, Im curious. 8.2 is not the most friendly as far as reporting goes.
Thanks,
Lynn

4
Avi Kavas:
05/18/2009 at 9:43 pm

Hi Serge,
I found this review pretty interesting, especially considering the fact that Ive been
involved designing some of the features reviewed here
I would like to add some comments that could hopefully provide you with more
information.

1. Version Control.
Regarding But whats the use of having eight versions of a requirement, when one
doesnt know which software release a version belongs to?
=>We recommend that you capture baseline in every significant milestone of your release
(requirement signoff, every significant development phase, product release, etc).
When you view the history page for each versioned entity (tests for example) you can all
see the baselines related for this version. When applying meaningful baseline names, you
easily associate versions to releases.
Example:
Version 1 | Baseline: Release 1.0
Version 2
Version 3 | Baseline: Release 1.1
Version 4 | Baseline: Release 2
2. Integrated Dashboard
Summary: The new dashboard module is quickly customized and achieves its purpose in
ongoing projects. What is missing is a sensible way of printing content for a given project
meeting, for example.
=> In patch 2 of QC 10.0 we have added the ability to export a page to PDF format so it
can be easily printed or distributed by e-mail.
Thanks,
Avi
Quality Center R&D

5
Serge Baumberger:
05/20/2009 at 2:55 pm

Hi Avi,
thx alot for your comments to my blog, I appreciate your input.
QC 10.0 is really awesome its very good, that you and HP could react that fast and
have already SP 2 out, which fixes and improves alot!
I like especially the Dashboard PDF-Printing ability.
best regards,
Serge

 6
Serge Baumberger:
05/20/2009 at 2:59 pm
Lynn:
05/13/2009 at 7:21 pm
Serge, whats your assesment on the reporting features? Coming from QC
8.2 and will be upgrading to 10, Im curious. 8.2 is not the most
friendly as far as reporting goes.
Thanks,Lynn

The improvement from reporting coming from QC 8.2 to 10.0 is huge. Especially the
Dashboard and the Excel-Reporting function is a must have when it comes to reporting.
With Excel-Reporting eg. you can even include your sql statements and vb-design code
and save this as a template if you like. You can report almost everything you like, its fast,
looks nice and you can still change it afterwards in excel if you need to .
br,
serge

7
Anuradha:
05/27/2009 at 6:33 am

Hi Serge,
I would like to know if I can customize the COM components or code of QC to develop
my own customized reports. For example, my company needs reports in a specific
format. can I do this?
Thanks,
Anuradha

8
shalini:
06/01/2009 at 7:25 am

Hi Avi/Serge,
Test Management is already available in HP QC9.2.
Now my client wants to upgrade the HP QC9.2 to HP QC10. Any impacts due to
migration of the data to QC10?

 9
Marc Robertson:
06/01/2009 at 9:53 pm

Does the version control functionality include branching to allow for parallel
development? For example, suppose you have Feature A in version 1.1( no one ever buys
1.0 ) of your software, and have a test written for that. You start working on 1.2, creating
a branch in your source code repository for the source code, and need to change the tests
to match the new functionality. Then, you decide that the feature could be improved with
a fairly simple change you can get out the door quickly, while continuing the more
extensive changes planned for version 1.2. So, you create a branch for version 1.1.1, and
need to modify the tests for that. I guess Im trying to understand why you wouldnt put
the test scripts in the appropriate branch in your source code repository. Keeping the tests
in a separate repository would seem to make it more complicated to connect source code
version with test version.

10
Mark Ford:
06/02/2009 at 10:22 pm

The QC 10.0 version control functionality is limited in that only one version can be
checked out at a time. You could branch by creating a copy of a test but thats not really
all that helpful as you cannot compare the two after updates are made.
You can however create branches using the baseline import functionality. Take a baseline
of the folder containing the version 1.1 tests and then import that baseline back into the
SAME project into a different folder for your interim version 1.1.1. The version 1.1
version tests can now be updated for 1.2 independently from the version 1.1.1 tests.
When finished with the version 1.1.1 tests you can take another baseline and compare it
back to the original to see everything that changed. You can then retrofit these changes
back into the version 1.2 tests.

11
Mark Ford:
06/03/2009 at 5:50 pm

I think its worth mentioning that the Business Component (BPT) module in QC 10.0 also
benefited from significant improvements:

* Canned reports & graphs are now available for the BPT module
* Create collections of BPT components in a fixed sequence that perform a specific task
(flows)
* Can convert manual tests to BPT components
* Can add user defined fields and workflow code to BPT module
* Can copy components and BPT tests from one project to another
* Prompts for parameter promotion when BPT component is assigned to test
* More Used By dependency views (resources and application area)
* Dynamic dates can be used to represent time relative to the current date
* Cross filtering and send mail options

12
Farid:
06/04/2009 at 2:02 am

Hi Avi,
=> In patch 2 of QC 10.0 we have added the ability to export a page to PDF format so it
can be easily printed or distributed by e-mail.
I have installed patch 2 and I cannot see any option to export as PDF. Where do I find
that?
Thanks,
Farid

13
Farid:
06/04/2009 at 2:18 am

Hi Avi,
I think it was a bit hasty post!
Got it It is Dashboard > Export
Thanks,
Farid

14

Avi Kavas:
06/17/2009 at 7:30 pm

I would like to comment to Shalinis post,

Hi Avi/Serge,
Test Management is already available in HP QC9.2.
Now my client wants to upgrade the HP QC9.2 to HP QC10. Any impacts due to
migration of the data to QC10?
I dont anticipate any noticable impact of data migration to QC 10.0. Is there any specific
aspect you are concerned about?
Thanks,
Avi

15
Amit Kumar:
06/23/2009 at 9:56 am

Hi Avi,
I found version control a bit confusing
Lets say a project X is under version control, now I create a new folder in Test Plan tab
calling it New Req, now when I add a new folder test cases and test case test one
under this folder it is checked out with version 1, now the moment I check in its version
changes to 2.
Dont you think its version should be 1 as its first instance of that test case being created
and later when any update is done the version should be changed to 2.
Thanks
Amit

16
James:
07/06/2009 at 9:11 pm

Hi Serge,
nice summary you written.answers alot of of our questions.

we are upgrading from QC9.2 to QC10 and was wondering if you have had any issues
with the installany tips or tricks or holes to avoid?
we had issues with upgrading to 9.2 so we want to be a little more proactive for the UG to
10.
if there is a separate link for this please direct me.
thanks,
James

17
German Garcia:
08/08/2009 at 12:55 am

Hi all,
I had the chance to assist a webinar of this latest version. I have to say that is awesome.
Besides version control, baselines, integrated dashboards, common shared libraries, you
have to mention that now HP thinks not only in very big enterprises but also in small
companies (lets say 20) that doesnt need to stablish a very huge tool; I see this positive
because of QC costs. I can recall that now there are available about 3 versions (Come on
QC guys, help me out on exact names).
Regards,
German.

18
Ram:
01/12/2010 at 1:27 pm

Hi,
When I tried to integrate my QTP 9.5 scripts to QC 10.0 and while trying to run the
scripts im getting error saying The QuickTest Remote Agent is either not installed on the
host you specified,or a version earlier than 10.00 is installed.To run this test,Quicktest
Professional 10.00 must be installed on the host computer.. Please let me know what is
the solution as Im not finding QTP 10.00 either.

19

Chris Capasso:
01/25/2010 at 8:34 pm

To All,
I heard there was some issue running 9.5 QTP scripts in the 10.0 QC. Has anyone tried or
encounter such a problem?
Thanks,
Chris

20
Thomas Lattner:
02/10/2010 at 3:03 pm

Thanks a lot, this is really what a test manager needs to know at first.
I tried to use your Tweet-Button, which attempts to send a retweet, but it said the url is
wrong. :-/

21
Thorsten:
02/23/2010 at 10:22 am

Hi all,
is electronic signature now available as it is required in the GMP related pharma
industrie?
BR/Thorsten

22
Dan Taylor:
03/02/2010 at 11:51 pm

I have not used qc and I can do the funky chicken. with that said how does one enter in a
blog in qc?

23

Olga:
03/10/2010 at 8:00 pm

Hi All,
Does anyone have training information on the use of HP QC 10.0 (Release mgmt,
requirements, & testing)? or is HP the only traning provider?
Thanks,
Olga

24
Umesh Nayak:
03/19/2010 at 3:40 am

Dear Serge,
Good explanation with helpful information about Quality Center.
Appreciate a lot ! Thanks for good work !
Regards
Umesh.

25
pravat:
04/12/2010 at 4:32 am

Hi Avi,
lets continue with amit kumar discussion,
lets say a project X is under version control, now I create a new folder in Test Plan tab
calling it New Req, now when I add a new folder test cases and test case test one
under this folder it is checked out with version 1,
I have a question here regarding the QC 10.0 version control system and that is as to
how we go about maintaining the complete Test cases approval process in the test lab.
An example of the test approval process is listed as below:
1. Tester 1 writes some test cases in test plan tab
2. Tester 2 reviews the test cases and finds some comments/inputs to be added.
3. Tester 1 again incorporates these review comments in QC and finally it goes next level
for review and approval.
Here, is there a way out to track these test cases review comments along with their
respective versions and the complete test case approval process.
if there is a link or document for this please direct me.

Thanks
Pravat

26
Nithin Kuriakose:
05/11/2010 at 6:59 am

Ive just been investigating and playing on the version 10 starter edition from HP. From
what I have seen, it runs seamlesly and the installation/customization is also pretty
straight forward. This version has actually taken off a pile of pending works from QC
admin section and caters widely to the testing community for all facets.
Your article is equally briliant, Serge. Thanks for putting this up.
Regards,
Nithin

27
Stephen:
06/29/2010 at 9:01 pm

Here is a question on verson control. How do I get rid of obsolete versions? If every time
a test is modified a new version is created, you are going to very quickly create a lot of
versions. Now I know that there is no delta management of versions, every change results
in a complete copy of the test as the new version.
So how much space is gonig to be consummed for this?
How, when I reach version 20 of a test do I get rid of versions 1-10?
I will not advise using version control until HP can publish a solution for that.

28
Ragu:
08/30/2010 at 7:57 pm

How to execute the previous version of a test case in the TEST LAB?

29
Georges Lauture:
09/28/2010 at 7:39 pm

I have a question on Mark Fords post from 06/02/2009 at 10:22 pm about parallel
development.
Just to recap
- Version 1.1, which is being updated for the version 1.2.
- Version 1.1.1, which was imported from 1.1 and modified for the parallel
development/testing.
- Youre finished with version 1.1.1 tests and take a baseline
- You retrofit your changes back into version 1.2 tests.
Here is my question
1. What do you do with the actual tests in Test Plan that were imported (i.e. 1.1.1)? If you
delete them, all run history is lost.

30
Mike:
10/06/2010 at 7:22 pm

Heres a feature I would like.tell me which developer is the most productive and least
productive (i.e. who fixed the most bugs, the fastest etc.). QC has this info in the DB as
defects move from assigned to fixed but no way to get the info out
Just Integrated all answars
=>In addition to the normal test director features, QC has a
Dashboard for reporting metrics.
=>Business Process Testing is a new feature that has been
incorporated in QC 9.0. This would have additional charges
when purchasing the package.
=>Also, in the latest version of QC 9.2, Release Management
is also an important module.
Technology
TD: C++, IIS, COM
QC: Back-end is Java based, runs on application server
Operating systems
TD: Microsoft Windows
QC: Ms Windows, Red Hat Linux and Solaris
Clustering
TD: single server only
QC: Full clustering support
Database Connectivity

TD: Requires Database client installation, ADO interface

QC: Does not require database client installation. Direct
access to
database server using a JDBC type 4 driver
Repository
TD: Domain repository (TD_Dir)
QC: Repository divided into to sub-directories. QC
directory for default and user defined domains. SA directory
for site administrator data.
Virtual directory
TD: Virtual directory name is tdbin
QC: Quality center server virtual directory name is qcbin.
Site administrator server virtual directory name is sabin.
Supported databases
TD: Microsoft Access, Microsoft SQL, Oracle, Sybase
QC: Microsoft SQL, Oracle
Site Administrator Data (domains, projects and users)
TD: Data stored in the doms.mdb file
QC: Data stored in the site administrator schema on a
database server
Common settings
TD: Data stored in the file system
QC: Data stored in the database
User authentication
TD: Windows authentication
QC: LDAP authentication
====================================================================
Mercury Quality Center 9.0 is an integrated solution
composed of market leading products including:

Mercury TestDirector for Quality Center 9.0the

market-leading quality management solution

Mercury Quick Test Professional 9.0the most widely used

functional test automation product

Mercury Business Process Testing 9.0the innovative

solution for designing and testing digitized business processes
Mercury Quality Center provides automated software testing
and quality assurance across a wide range of IT and
application environments. It combines an integrated suite of
role-based applications, a business dashboard, and an open,
scalable, and extensible foundationall designed to optimize
and automate key quality activities, including test
management, requirements, and defects tracking; functional

testing and regression testing; and business process design

validation.
Release 9.0 of Mercury Quality Center includes a wide range
of enhancements that improve the functionality and usability
of the solution. These enhancements include:
Integration for Better Testing

Enhanced Requirements Module for capturing application

feature definitions to make test planning and execution more
accurate

Integration into Microsoft Visual Studio Team System for

developer/QA collaboration around defect management and
resolution

Zero-client browser-based manual testing through Business

Process Testing to reduce test creation time by as much as
50 percent by using re-usable test components
Distributed Manual Test Management

Advanced data-driving functionality for testing multiple

data conditions

Automatically generated manual test planning documents

through the Business Process Testing Document Generator

A bridge to automation through easy conversion of manual

tests created in Mercury Business Process Testing to
Mercurys automated testing solutions
SOA and Web Services Testing

Automatic WSDL Method Scanning, making it possible to

create data-driven WSDL tests without scripting

Abstract, English-like interface for manipulation of Web

services checkpoints

Integration with Business Process Testing for the creation

of re-usable test definitions across the enterprise

Integrated Auto-Documentation for compliant test-plan

document generation.
Change and Impact Management

Integration with SAP Solution Manager, which includes the

propagation of business process definitions and changes to
corresponding testing assets

The ability to leverage SAP design elements in the test

creation process.

The ability to identify test cases that will need to be

re-run due to proposed changes in the SAP application
(Change Impact Testing)

Quality Center 10 Patch Level 7

Tuesday, November 24th, 2009

HP has released a new patch for Quality Center 10.0. Patch 7 is now downloadable from their
support website here (requires login).
This patch fixes one security issue. Also, it now provides official support for Internet Explorer 8.
Posted in Quality Center | 1 Comment
Vulnerability in Quality Center part 2
Thursday, May 14th, 2009

Following a Vulnerability that was discovered previously, HP has patched the issue on Quality
Center 9.2. However, Quality Center 10.0 is still affected by this issue even if you apply the
patch level 2.
We investigated further and found out that the way they patched the security issue is not really
clever. Let me explain.
The issue is that the workflow scripts are copied onto your local drive and are being used by
Quality Center in order to execute the workflow event functions whenever they occur. The issue
was that those script could be amended manually allowing a user to change the behaviour of the
project (and through some clever API calls gain priviledges).
The patch issued by HP solves the issue by doing the following check:
If the file size has changed, a new copy is downloaded from the server. When overwritting the
file, if the access is not permitted, abort the connection to the project and report an error.
This solution has a major drawback: if the file size does not change, the issue still exists.
It means that all the versions of Quality Center are still vulnerable to such an attack.
As far as we are aware, HP has not provided any patch for it.
Find attached a Visual Studio 2005 project attributechange (password is exposit) which
contains the source code and the compiled executable to demonstrate the issue.
In order to use this example tool, open a VBS file from the cache folder, amend it ensuring you
dont exceed or diminish the size of the original file then save it.

Please note that this extended vulnerability works only if the workflow file contains some
VBScript statements. A file of size 0 cannot be changed and is consequently protected by the
patch introduced in Quality Center 9.2.
Addition 24 Nov 2009
Quality Center patch level 4 now fixes this security issue. It is consequently advised that
customers upgrade to this release.
Posted in Quality Center | No Comments
Vulnerability in Quality Center
Monday, February 23rd, 2009

Find below the details of a vulnerability in the HP Quality Center product (formely Mercury
Quality Center). It is referenced as CVE-2007-5289 (VU#898865).
To solve this issue, it is advised to upgrade to version 9.2 of Quality Center and apply the latest
patch.
Note that Quality Center 10.0 is vulnerable to this issue.

Introduction
Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP
when they took over Mercury Interactive last year.
The front-end of the application is composed of COM components that plug into the web
browser. Quality Center provides a customization capability (called workflow) which allow the
administrator to modify the default behavior. This workflow is driven by VBScript functions that
are called whenever a particular event occurs on the client front-end.
In order to optimize the interaction speed of the application, a cache folder is created on the
client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to
a Quality Center project, 2 folders are created within the cache folder. One of these folders
contain a copy of the workflow scripts used to customize the application. Indeed, those files are
required on the client machine because the workflow is execute on the client, not on the server.
There exists 1 VBScript workflow file per feature. Those are:

Login/Logout (common.tds)

Defects module (defects.tds)

Manual Test Execution (manrun.tds)

Test Requirements module (req.tds)

Test Lab module (testlab.tds)

Test Plan module (testplan.tds)

The customization feature of Quality Center is often used for:

Controlling password compliance (no blank password, more than 8 letters,

etc.)

Chained lists (when a value is selected in a field, another field gets updated
with a list relevant to that value)

Automatic updates to some QC components (Test, Test Set, Defect objects,

hidden fields)

Hidding information depending on the users group (used when a project is

shared with different vendors)

Others

The workflow is often driven by using the OTA (Open Test Architecture), the Quality Center
API. This API allows the manipulation of any QC object (e.g. Subject folder, Test/Defect objects,
Fields, etc.). It also allows the direct manipulation of the database used by Quality Center.

Issue
When a user connects to Quality Center, the cache folder is automatically updated with the latest
VBScript workflow files. Those files are then read by the QC front-end only once for the whole
session. They are then used by the application whenever the associated events are raised.
There are 2 main points that make this workflow highly vulnerable:
1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will prevent
Quality Center from overwriting them.

If a user modifies this file and then mark it as read-only, he can execute arbitrary code. As the
OTA API allows access to the database, he can also modify the data stored in the database as
follows:

Quality Center 10.0 Patch 1 or below (Tested)

Severity High: user has higher capability than defined by their profile

Quality Center 9.2 (Unconfirmed)

Severity High: user has higher capability than defined by their profile;
Patch 14 contains the fix, earlier patches is unknown

Quality Center 9.0 Patch < 17

- Severity Highly Critical: a user (even with a Viewer profile) can amend the
data rendering it useless. He will also have higher capability than defined by
their profile

Quality Center 8.2 / 8.0 (Unconfirmed)

Severity Highly Critical: a user (even with a Viewer profile) can amend the
data rendering it useless. He will also have higher capability than defined by
their profile

TestDirector (Any Version)

TestDirector is the former name of Quality Center
Potentially the same issues as for Quality Center 9.0 Patch < 17

Please note that HP has released a patch that fixes this issue, please contact HP support for
further details.

Example
This really short example shows how a user can simply change the content of all the defects to
some meaningless values:
Please, do not try the following example as it will permanently damage you Quality Center data.
Sub Defects_Bug_MoveTo
Set objCommand = TDConnection.Command
objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless',
BG_DESCRIPTION='Useless'"
objCommand.Execute
End Sub

Notes
You can find your patch level by login into a Quality Center project, selecting the menu option
Help > About HP Quality Center Software and clicking the Additional Information button.
Patches for Quality Center are available at http://support.openview.hp.com/selfsolve/patches
(login required).
Posted in Quality Center | 8 Comments

QC Project Management version 2.00

Thursday, November 15th, 2007

A new version of QC Project Management has been released today.

The existing features have been improved especially regarding performance. Also, you will find
some new handy functionalities such as:

Email preview: now when preparing an email for mailing the Quality Center
users, you can preview and send a test email;

Export: you can now export the list of Quality Center users to an Excel
spreadsheet;

Import: instead of manually adding new users, you can use an Excel
spreadsheet and import the users automatically;

Groups: to avoid having to use the Quality Center customization after

creating users, you can now assign users to groups directly from the QC
Project Management application;

Locks removal: if a resource gets locked, you can now remove it without the
help of the Site Administrator.

Not yet a user, download a 10 days evaluation license from here.

Please note that this new release replaces the QC User Management v1.x application.
Posted in Quality Center | 1 Comment
Quality Center security issue
Thursday, October 25th, 2007

A severe security issue in Quality Center has been discovered by Exposit Limited. This issue
can be used to corrupt Quality Center data or gain project administrator privileges.
The problem has been discovered in version 9.0 of Quality Center and it affects all the releases
up to public patch 16. The issue also exists in version 9.2 up to latest public patch 3. We havent
tested earlier releases of the product but we strongly believe that they are affected by the same
issue.
Customers using Quality Center 9.0 or below are advised to upgrade to at least Quality Center
9.0 patch 16 in order to minimize the impact of this issue. Patch 16 and patch 18 limit the effect
of the defect.

Customers using Quality Center 9.2 are also at risk of data corruption and should wait for a patch
from HP Customer Support.
The issue has been reported to security instances under reference CVE-2007-5289 and
vulnerability disclosure is being coordinated with the vendor (HP).
We will keep you updated as soon as a patch becomes available.
Posted in Quality Center | 1 Comment
OTA, an API for extending Quality Center
Monday, April 23rd, 2007

Last week, I provided consultancy regarding QuickTest Professional and the WebServices add-in
(more about this add-in next week!). At some point, the customer came to me and asked for
advice regarding access to the Quality Center (QC) database. What was interesting about this
query is that I discovered that the customer was not aware about the Open Test Architecture
(OTA).
So, today, I want to give you insight about what is the OTA and give you a short example
showing what you can achieve with it.
First of all, the OTA is:
1. An integration API that allows the integration of any third-party tool within
Quality Center;
2. A manipulation API that permits the interaction with the Quality Center
application without having to use the GUI frontend.

We will not talk about the integration API so if you are interested in learning more, log on your
QC server then select Help > Documentation and read the OTA Guide.

Architecture
The QC Client/Server architecture is a 3-tier architecture (web server, application server and
database server). The figure below shows the interaction between the components. They consist
of:

Client application: the QC GUI front-end that you use when accessing Quality
Center through your browser. Or any other application that communicates
with QC using the API;

Web server: the QC communication between the client and the server are
performed using the HTTP protocol;

Application server: by default, the JBOSS application server is installed with

Quality Center. the QC application is built using Java and requires a J2EE
application server. The J2EE platform is particularly well designed for
client/server applications over the Internet

Quality Center application: developed to be executed on a J2EE application

server;

Database Server: the database that holds the Quality Center information.

Quality Center API

The manipulation API is called Quality Center API and allows the interaction with Quality
Center. It also allows you to interact with the database through the API making the interactions
more secure. Also, it avoids your DBA (DataBase Administrator) having to provide an access to
the database server(s) hosting the Quality Center database(s).
The API has only 1 entry point which is the TDConnection object. From this object, you can
access a lot of Quality Center functionalities. The API functions are accessible through VBScript
and any COM aware programming languages. It means that you can use this API as a
standalone .VBS application, a macro in an Excel file, a script in QuickTest Professional or any
other application where you would like to integrate such functionalities.
As an example, we are going to download all the defects that are stored on a Quality Center
project using the Excel application.
The steps involve:
1. Connect to the project
2. Run a query to retrieve a list of defects
3. Store the result in an Excel worksheet
1. Connect to the project

Each project stored in a Quality Center server is identified by its pair Domain/Project and a
project is accessible only if the user belongs to this project. The connection to a server can be
done by using only 4 lines of code:

Dim QCConnection
Return the TDConnection object.
Set QCConnection = CreateObject(TDApiOle80.TDConnection)
QCConnection.InitConnectionEx http:///qcbin
QCConnection.login <username>, <password>
DEFAULT = Domain, QualityCenter_Demo = Project
QCConnection.Connect DEFAULT, QualityCenter_Demo
2. Execute a query

To execute a query in Quality Center, you have several options available.

The first one is to use the Command object. This object can run SQL queries for any Quality
Center table. However, you need to be aware of what table to query and make sure you know
what you do because you can mess up Quality Center. Also, this Command object can be used
only if you are part of the TDAdmin group in this project.
The second one is to use a Factory object. The factory object returns objects that are part of the
API, restricting the user from making mistakes. This is the method well be using in this article.
To access the defects, we are using the BugFactory:

Dim BugFactory, BugList

Set BugFactory = QCConnection.BugFactory
Set BugList = BugFactory.NewList() Get a list of all the
defects.
3. Store the result in an Excel worksheet.

We assume that you are running this script from a VBS file. Consequently, we have to open
Excel first, then store the data in an Excel worksheet:

Dim Bug, Excel, Sheet

Set Excel = CreateObject(Excel.Application) Open Excel
Excel.WorkBooks.Add() Add a new workbook

 Get the first worksheet.

Set Sheet = Excel.ActiveSheet
Dim Bug, Row
Row = 1
Iterate through all the
For Each Bug In BugList
Save a specified set of
Sheet.Cells(Row, 1).Value
Sheet.Cells(Row, 2).Value
Sheet.Cells(Row, 3).Value
Sheet.Cells(Row, 4).Value
Sheet.Cells(Row, 5).Value
Sheet.Cells(Row, 6).Value
Row = Row + 1
Next

defects.
fields.
= Bug.Field(BG_BUG_ID)
= Bug.Summary
= Bug.DetectedBy
= Bug.Priority
= Bug.Status
= Bug.AssignedTo

Save the newly created workbook and close Excel.

Excel.ActiveWorkbook.SaveAs(c:\QualityCenter_Demo_DEFECTS.xls)
Excel.Quit

Summary
Today, you have seen how to use the QC API to perform a simple task such as retrieving a list of
defects. Bear in mind that you can do much more than that.
Find here a more complete example of the script described in this article.
Posted in Integration, Quality Center | 92 Comments
Password checking
Thursday, April 5th, 2007

This week, I will make a short article regarding how to ensure the user has set a password long
enough.
As you know, there is no password checking in Quality Center, and even a blank password is still
considered as a valid password. If you have already installed the Quality Center Demo project,
you are aware that the default users alice_qc, cecil_qc and al. all have a blank password.
If you have some system administration background, you also certainly know that this is bad
practice (very bad, to be exact).

So, now, the question is How to check a users password? Good question and I will answer that
in the next paragraphs.
If you remember from last week, the workflow provides a set of event functions where you can
control the behavior of Quality Center. The one that interest us today is Project_CanLogin.
Indeed, this function has the following prototype:

Function Project_CanLogin(DomainName, ProjectName, UserName)

where:

DomainName: Name of the domain the user is trying to log in

ProjectName: Name of the project the user is trying to log in

UserName: Name of the user who is trying to log in

and more importantly, this function returns a boolean value that indicates if
you accept or not this user. False, for stay away from my project

Now, we can deny access to a user but we still cannot check his password. But this can be
quickly resolved. There is an object called TDConnection (nearly the same as in the OTA
API) that has an interesting property called Password.
If you try to do the following in Project_CanLogin then you will see your password:

MsgBox TDConnection.Password
We now have all the building blocks for solving the issue:

Function Project_CanLogin(DomainName, ProjectName, UserName)

First Check the password.
If TDConnection.Password = Then
MsgBox Your user id does not have any password defined.
Please contact the project administrator., 0, Error
Project_CanLogin = False
Else
Project_CanLogin = True
End If
End Function

OK, not too bad but maybe we can go a little bit further. Now, we can even enforce a length of
minimum 8 characters and force the user to change his or her password if the size is incorrect.
The full script is below:

Function Project_CanLogin(DomainName, ProjectName, UserName)

First Check the password.
If TDConnection.Password = Then
MsgBox Your user id does not have any password defined.
Please contact the project administrator., 0, Error
Project_CanLogin = False
Exit Function
ElseIf Len(TDConnection.Password) < 8 Then
MsgBox Your password length is too short. You have to change
your password now and log in again., 0, Error
Project_PasswordChange UserName
Project_CanLogin = False
Exit Function
End If
Project_CanLogin = True
End Function
Sub Project_PasswordChange(UserName)
OldPassword = InputBox(Type in your old password:, Password
Change)
Select Case OldPassword
Case
MsgBox You will not be allowed to log into this project.
Exit Sub
End Select
NewPassword1 = InputBox(Type a new password with 8 or more
characters:, Password Change)
Select Case NewPassword1
Case
MsgBox You will not be allowed to log into this project.
Exit Sub
Case Else
If Len(NewPassword1) < 8 Then
MsgBox Your password is too short, please type a longer
password., 0, Error

Project_PasswordChange UserName
Exit Sub
End If
End Select
NewPassword2 = InputBox(Retype your new password:, Password
Change)
If NewPassword1 = NewPassword2 Then
On Error Resume Next
TDConnection.ChangePassword OldPassword, NewPassword1
If Err.Number <> 0 Then
MsgBox Your password was not changed: & vbNewLine &
Err.Description, 0, Error
Else
MsgBox Your password has been successfully changed, 0,
Information
End If
On Error GoTo 0
Else
MsgBox Password is invalid., 0, Error
End If
End Sub
Thats it for today. One last remark: anything you define in the workflow only applies to 1
project. So, if you want to impose this rule to all your projects, you have to copy this code in all
the workflows.
Posted in Quality Center | 5 Comments
Defining user permissions (part 2 of 2)
Wednesday, March 28th, 2007

This is the second and last part of this item.

Set Up Project Users
This customization module defines the list of users who are allowed to log into the project. Each
user can be part of 1 or more group. Consequently, the user inherits the permissions from the
groups he or she is part of. Imagine that a group A has access only to Defect Type 1 and a group
B has access only to Defect Type 2 then any user who is part of group A & B will have access to
both Defect Types (i.e. 1 and 2).

By default, when a user is created, it belongs to the Viewer group. This group has no
modification permission but can see everything. If you want to restrict visibility access to some
users, then it is advisable to disable the Viewer group. This will avoid having users part of the
Viewer group.
To disable this group, you need to add a chunk of script in the workflow:

Function Project_CanLogin(DomainName, ProjectName, UserName)

If User.IsInGroup(Viewer) Then
MsgBox Your security settings are incorrectly defined,
access to the project is forbidden. & vbNewLine & _
Please, contact your project administrator!
Project_CanLogin = False
Else
Project_CanLogin = True
End If
End Function
Customize Module Access
In this part, you can separate groups which have access to the Defect module only and groups
which have access to all the modules. When working with third party, you may want them to be
able to log defects but not to see your tests, tests results and requirements.
Set Up Workflow
When setting up the workflow, you can use some automated script generator. There is one for
customizing the display when adding a new defect and another when editing an existing defect.
Both do work the same way.
With the script generator, you can customize a) the fields that will appear, b) the order which
they will appear, and c) on which page they will appear (page = tab). And this customization can
be done on a group basis.
Personaly, I dont like using this feature as it generates hundreds of lines of script when you have
projects with a lot of fields and groups. Instead, I write my own code using the Script Editor.
Script Editor
The Script Editor is the place where you have the freedom of modifying the behavior of Quality
Center in several occasions. We have already seen that we can forbid users to log into the project.

In the Script Editor, the different events that might occur are splitted according to the Quality
Center module they relate which gives 6 sections:

Common script: a few events that go nowhere else

Requirements module script

Test Plan module script

Test Lab module script

Manual Runner script

Defects module script

For each section (except common script), you will find similarities. Whenever you see
<ModuleName>, you will need to replace it with the name of the module (Defects, ManualRun,
TestLab, TestPlan and Requirements). The <Object> should also be replaced by the object type
of the module (e.g. Bug for the Defect module). The following events exist:

<ModuleName>_ActionCanExecute: this event is raised when an action is

performed in a module. Please note that not all actions raise this event. For
instance, when you press Run in a Test Set, the event is raised with an
actionName equal to act_run. However, if you change the Test Set
Properties, no event will be raised.

<ModuleName>_EnterModule: Raised when a user moves to the module

<ModuleName> (like moving from the Requirements to the Defect module)

<ModuleName>_ExitModule: Raised when a user moves away from the

module <ModuleName>

<ModuleName>_<Object>_New: Raised when a new <Object> is created

<ModuleName>_<Object>_MoveTo: Raised when an existing <Object> is

selected

<ModuleName>_<Object>_FieldCanChange: Raised when a field value is

about to be changed

<ModuleName>_<Object>_FieldChange: Raised after a field value has been

changed

<ModuleName>_<Object>_CanPost: Raised before a new <Object> is posted

<ModuleName>_<Object>_CanDelete: Raised when an <Object> is about to

be deleted

<ModuleName>_<Object>_AfterPost: Raised after a new <Object> has been

posted

There are other events which are specific to each module.

Some events expect a boolean return value that determines if the change is accepted or not. For
instance, the Defect_Bug_FieldCanChange event will validate the change only if it returns true.
Otherwise, the user change is cancelled and the previous value is restored. This is useful for
imposing a specific workflow:

Function Defects_Bug_FieldCanChange(FieldName, NewValue)

If FieldName = BG_STATUS Then
OldValue = Bug_Fields.Field(BG_STATUS).Value
If OldValue = New And NewValue = Open Then
Defects_Bug_FieldCanChange = True
ElseIf OldValue = Closed And NewValue = Open Then
Defects_Bug_FieldCanChange = True
Else
Any other transition is denied.
Defects_Bug_FieldCanChange = False
End If
Else
Defects_Bug_FieldCanChange = True
End If
End Function
Posted in Quality Center | 3 Comments
Defining user permissions (part 1 of 2)
Wednesday, March 21st, 2007

This article describes the permissions functionalities that exists in Quality Center.
The first thing you have to be aware when customizing a Quality Center project is that
permission settings are not defined in a single location but are spread in different parts of the
customization sections. You might wonder why such a decision has been made? Even though, the
location of these settings have some reasonable sense, I believe this complexifies the tasks of
securing access to the project data.
Anyway, this is how it is so lets start examining these settings.

All the security settings are defined in the Customization (accessible through Tools >
Customize).
The different sections where you can affect users permissions are:

Set Up Project Users

Set Up Groups

Customize Module Access

Set Up Workflow

Script Generator Add Defect Field Customization

Script Generator Defect Details Field Customization

Script Editor

Lets first start with setting up the Group.

Set Up Groups
On a fresh project, there are always 5 default groups that are already defined:

Developer

Project Manager

QATester

TDAdmin

Viewer

These groups cannot be customized and cannot be removed from the project. In order to tailor
the group permissions to your project, you need to create new groups. With these new groups,
you will be able to customize their settings. When creating a new group, you need to indicate
from which group you want to duplicate the initial settings. This can be useful especially if your
new group has similar settings from another group.
Once created, you can amend its settings by selecting Change permissions. This will bring a new
window divided into tabs for each Quality Center module:

Requirements

Business Components (optional)

Test Plan

Test Lab

Defects

Administration (customization module permissions)

For each module you will find similar settings where you can allow (if checked) or disable
(unchecked) permissions for different aspects of the module.
There are usually 3 actions Add/Modify/Delete which gives you control on a group basis.
For the Delete action, you can specify that only the owner can delete the object (Can be deleted
by owner only checkbox).
For the Modify action, you can even define finer rules. For each field, you can restrict
modification permissions to the owner only (Can be modified by owner only checkbox) and,
for fields defined by lists, you can specify transition rules (i.e. define a transition workflow).
This last point is particularly interesting for workflow based transitions such as Status where the
designer wants the user to follow a predefined path (for instance, a defect Status cannot be set as
Fixed unless the testing team has validated it beforehand by setting its Status as Validated).
For the Test Plan, Test Lab and Defect tabs, you may have noticed a Data-Hiding Filter link.
These are extra security settings and will bring another window with further customization
settings.
First, you can set filtering conditions. By defining a filter, you limit the visibility scope a group
has. As an example, imagine you have different teams who are accessing a QC project:

Team 1: this team have access to some confidential technology and

consequently is not accessible to everyone.

Team 2: these are the outsourced testers who can log defects

To separate the defects that are confidential from the one that are not, a field called
Confidentiality Grade has been created and this field contains 2 values 1-High and 2-Low.
If you are defining a user group for the Team 2 then you set a fiter for the Confidentiality
Grade field with 2-Low as the filter. By doing this, any user that is only part of this group will
not see any defect with grade 1-High.

Secondly, you can also hide fields from the user. This prevents a user from seeing values he
shouldnt.
to be continued

Responses to Defining user permissions (part 1 of 2)

1. praveen Says:
February 1st, 2008 at 9:25 am

Very Very Excellent workI learned much with your blog. One question Is there any
possibility to getting the SMS to the mobile when any qtp script fails while running from
the QCThanks in advance
2. Sensbachtal Says:
March 17th, 2008 at 11:33 am

Just wanted to say Hello to everyone.

Much to read and learn here, Im sure I will enjoy !
3. Kishore Says:
September 9th, 2008 at 1:02 pm

Blog has very excellent info

while going through the blog i have question test plan / Test lab,
i have 2 projects in qc say proj A and Proj B.
Proj A has some test plans and test sets if proj B wants use those test plans /test sets in
proj A. how is it possible?
is there any way i can link the test plans / test sets to proj B and execute them in proj B
test lab.?
Regards,
kishore.
4. Sabareesh Says:
December 20th, 2008 at 4:54 am

Hi,
I really want to appriciate and say that ur blog is really gud
I have learnt a lot about the user Permission and the Features in the QC wrt to the User
Permission
I really expect some more articles on
1. Client side and server side QC Installation

2. Some Coding on the User Permissions and Projects

3. QC Database installation(Sorry I dont know whether my Question is correct) but about
the work involved between QC and database liking
Can u help me on those areas
Thanks & Regards,
Sabareesh
5. Devendar Reddy Says:
January 21st, 2009 at 9:41 am

hi,
i have changed the script in workflow as CanCustomize = False.
now i am not able to enter into customize page. can you please help me how to rectify
this issue.
Thanks in advance
Devendar Reddy
6. admin Says:
January 21st, 2009 at 12:13 pm

Hi Devendar,
If you made a mistake in the workflow that prevents you from accessing the
customization or login into the project, the solution is to modify the file stored on the
server.
To do this, connect to the Quality Center server (usually remotely), then find your Quality
Center repository folder. A default installation would place it in \repository and navigate
to the relevant folder. An example would be:
C:\Program Files\Mercury\Quality Center\repository\qc\\\scripts
In this folder, you will find files with the extension .tds which contains the workflow
customization for the various modules.
Hope this helps,
Valery
7. admin Says:
January 21st, 2009 at 12:20 pm

Hi Devendar,

If you made a mistake in the workflow that prevents you from accessing the
customization or login into the project, the solution is to modify the file stored on the
server.
To do this, connect to the Quality Center server (usually remotely), then find your Quality
Center repository folder. A default installation would place it in <QC
installation>\repository and navigate to the relevant folder. An example would be:
C:\Program Files\Mercury\Quality Center\repository\qc\<Domain>\<Project>\scripts
In this folder, you will find files with the extension .tds which contains the workflow
customization for the various modules.
Hope this helps,
Valery
8. Gyanendra Says:
April 1st, 2009 at 6:25 am

Dear All,
I want to know where I have to write script in QC.
Is it Script Editer or QC API.
Where i have to launch it .
Can any body send me QC9.0 license file.
My file has corrupted.
Regards
Gyanendra
9. Angie Says:
May 13th, 2009 at 11:50 pm

Question: Where in QC can I change the default vbscript that keeps the bug_status to
New when a new bug is entered? Id like to change that to Initial. Would you happen to
have a script for that
10. pannu Says:
August 15th, 2009 at 12:41 pm

Hi,
This site is really help ful.I know a bit of API ..
But the deatils and the depth of the content provided here is amazing..Thanx a lot
AlsoI need a favour..
I want to download the report from QC to Ecel.
Say ,
The report of the execution done in particular project for partuclar test set.

Is there any way to download the report from the Test Lab.
Can you guide me if it is there.
Thanks in advance..
11. Schott Says:
February 18th, 2010 at 9:33 am

Hi,
Ive a new question? How to create folder testPlan? Can u help me?
Thanks.
Best Regards,
Schott
12. Raju Says:
March 17th, 2010 at 2:06 pm

Hi
Very excellent information
I need the information, to import defects from Quality Center to Excel using macros.
Need code , for filtering defects based on Initiave using macros
Thanks
13. Leslie Says:
March 31st, 2010 at 5:53 pm

I like all your items. I was looking to see if you had any code for when you export excel
document, that you could export a drop menu with it?
14. Pete Says:
April 15th, 2010 at 6:01 pm

Hi ,
I tired your password script in the common area of the workflow and it didnt work for
me when I try to login without a password, it still let login into QC.
Thanks
15. Nagaraju Says:
May 11th, 2010 at 8:11 am

Hi

I want to get each test step status under Test Lab > Folder > Test Set > Test Steps
i.e, i want to import all teststeps from Test Lab, with their status using Macros code
e.g, if a testset consits of 10 steps and with different status(norun, incomplete, pass, failed
), Want to get the desc, stepno, expected , actual, staus of all the ten steps
Please any one of you provide the Macros code to get the required fields data
16. Mahesh Says:
May 24th, 2010 at 5:55 am

Hi,
Is there any way to find the size occupied by a folder in the project repository in Test
Lab?
Regards,
Mahesh.
17. Vijay Says:
August 30th, 2010 at 7:23 am

Hi I would like to generate summary report using the OTA API. Help needed urgently.