DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 2/25/2026 has been placed of record in the file.
Claims 1, 3, 4, 11, 13, 14, and 20 have been amended.
Claims 1-20 are pending.
The applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the following new grounds of rejection.
Response to Amendment
Claims have been amended to further define the structure of the privilege graph. The amendment presents a change in scope to the independent claims, as the independent claims now explicitly state that the privilege graph is organized such that a traversal passes through one or more attribute nodes, etc. However, none of the amended claims show a patentable distinction over the prior art, as evidenced by the following new grounds of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy et al. (U.S. Patent Application Publication Number 2020/0280564), hereinafter referred to as Badawy, in view of Grisby (U.S. Patent Number 10,733,055), in view of Bargury et al. (U.S. Patent Application Publication Number 2021/0243190), hereinafter referred to as Bargury, further in view of Chui et al. (U.S. Patent Application Publication Number 2015/0370824), hereinafter referred to as Chui.
Badawy disclosed techniques for identity management utilizing network identity graphs. In an analogous art, Grisby disclosed techniques for graph transformations. Also in an analogous art, Bargury disclosed techniques for graph-based resource permission management. Also in an analogous art, Chui disclosed techniques for using a role graph to indicate the utilization of privileges. All of these systems are directed toward the management of graphs and subgraphs.
Regarding claim 1, Badawy discloses a method for generating a privilege graph representing data access authorizations, the method comprising: extracting identity information for a plurality of users from a plurality of identity environments and privilege information from a plurality of data environments (paragraph 65, identity management data includes identities and entitlements); forming subgraphs for the identity environments and the data environments from the identity information and the privilege information (paragraph 68, identities subgraph and entitlement subgraph); translating the subgraphs into a canonical schema (paragraph 53, translation to graph format); and after translating the subgraphs, combining the subgraphs into the privilege graph (paragraph 70, stored identity graph).
Badawy does not explicitly state the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas. However, translating graphs in such a fashion was well known in the art as evidenced by Grisby. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Badawy by adding the ability for the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas as provided by Grisby (see column 13, lines 15-23, subgraph transformed based on transformation rule, and column 2, line 62 through column 3, line 10, attributes represented in different fashion after transformation). One of ordinary skill in the art would have recognized the benefit that managing subgraphs in this way would assist in processing graph-to-graph transformations (see Grisby, column 1, lines 20-35).
The combination of Badawy and Grisby does not explicitly state wherein the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users. However, utilizing such a graph structure was well known in the art as evidenced by Bargury. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy and Grisby by adding the ability that the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users as provided by Bargury (see paragraph 38, graph has nodes for user account, permissions, and resources). One of ordinary skill in the art would have recognized the benefit that managing permissions in this way would assist in protecting resources from security risks such as data leakage and data loss (see Bargury, paragraph 15).
The combination of Badawy, Grisby, and Bargury does not explicitly state wherein the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information. However, using role graphs in such a fashion was well known in the art as evidenced by Chui. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy, Grisby, and Bargury by adding the ability that the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information as provided by Chui (see paragraph 61, grant path includes roles). One of ordinary skill in the art would have recognized the benefit that implementing role graphs in this way would assist in providing privilege information for users and applications (see Chui, paragraph 4).
Regarding claim 2, the combination of Badawy, Grisby, Bargury, and Chui discloses displaying the privilege graph to an administrator authorized to view the privilege graph (Badawy, paragraph 70, visual representation of the graph).
Regarding claim 3, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein forming the subgraphs comprises: creating a user node for a user of the plurality of users and sequentially connecting the user node to one or more subgraph attribute nodes that each represent an attribute of the user indicated in the identity information (Badawy, paragraph 113, connected nodes have properties that define attributes of relationship).
Regarding claim 4, the combination of Badawy, Grisby, Bargury, and Chui discloses upon reaching a last attribute node of the one or more subgraph attribute nodes, connecting the last attribute node to a privileges node representing one or more of the privileges; and connecting the privileges node to one or more of the leaf nodes representing authorized data environments of the plurality of data environments that the user is authorized to access (Badawy, paragraph 118, identity node connected to entitlement node).
Regarding claim 5, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the one or more of the leaf nodes each represent data or a feature that the user is authorized to access (Badawy, paragraph 33, entitlement is ability to access, and Bargury, paragraph 38, resources).
Regarding claim 6, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the attribute comprises a role referred to differently by the canonical node label and the node label (Badawy, paragraph 65, role).
Regarding claim 7, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein combining the subgraphs comprises: for an attribute represented by attribute nodes in multiple subgraphs, identifying a common attribute node and migrating connections with the attribute nodes to the common attribute node (Badawy, paragraph 85, clusters identities into peer groups).
Regarding claim 8, the combination of Badawy, Grisby, Bargury, and Chui discloses identifying replicated connections with the common attribute node; and deduplicating the replicated connections (Badawy, paragraph 85, clustering based on similarity).
Regarding claim 9, the combination of Badawy, Grisby, Bargury, and Chui discloses identifying a change to the privilege information; and updating the privilege graph based on the change (Badawy, paragraph 96, changes to entitlement, and paragraph 98, updating affected identities and entitlements).
Regarding claim 10, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein updating the privilege graph comprises: adding or removing a connection between nodes in the privilege graph (Badawy, paragraph 98, adds nodes corresponding to new identities or entitlements).
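The graph structure recited in claims 1-10 (user node, sequentially connected attribute nodes, a privileges node, and leaf nodes for data environments, with subgraphs from differently labelled environments relabelled into one canonical schema and combined) can be made concrete in code. The following Python is an added illustration written for this page; it is not code from the application, the applicant, or any of the cited references, and every environment name, schema label, record and user in it is constructed.

```python
"""Added example (not from the application or the cited references):
a privilege graph shaped as claims 1-10 describe, built from
per-environment subgraphs that use different schemas. All environment
names, records, labels and users below are constructed."""
from collections import defaultdict


class PrivilegeGraph:
    """Directed graph; nodes are (kind, value) tuples, edges run parent -> child."""

    def __init__(self):
        self.edges = defaultdict(set)  # set semantics deduplicate replicated connections

    def add_edge(self, src, dst):
        self.edges[src].add(dst)

    def remove_edge(self, src, dst):
        self.edges[src].discard(dst)

    def relabel(self, label_map):
        """Translate this subgraph into the canonical schema by renaming node kinds."""
        out = PrivilegeGraph()
        canon = lambda n: (label_map.get(n[0], n[0]), n[1])
        for src, dsts in self.edges.items():
            for dst in dsts:
                out.add_edge(canon(src), canon(dst))
        return out

    def merge(self, other):
        """Combine subgraphs; identical canonical nodes become one common node."""
        for src, dsts in other.edges.items():
            for dst in dsts:
                self.add_edge(src, dst)
        return self

    def grant_paths(self, user):
        """Every path user -> attribute nodes -> privileges node, depth-first."""
        paths = []
        stack = [[("user", user)]]
        while stack:
            path = stack.pop()
            for child in self.edges.get(path[-1], ()):
                if child in path:  # guard against cycles in malformed input
                    continue
                if child[0] == "privilege":
                    paths.append(path + [child])
                elif child[0] != "env":
                    stack.append(path + [child])
        return paths

    def authorizations(self, user):
        """Set of (privilege, data environment) pairs the user can reach."""
        return {path[-1][1] for path in self.grant_paths(user)}


def identity_subgraph(records, attr_keys):
    """User node chained sequentially through attribute nodes (native schema)."""
    g = PrivilegeGraph()
    for rec in records:
        prev = ("user", rec["user"])
        for key in attr_keys:
            node = (key, rec[key])
            g.add_edge(prev, node)
            prev = node
    return g


def data_subgraph(env_name, grants, role_key, perm_key):
    """Last attribute node -> privileges node -> leaf node for the data environment."""
    g = PrivilegeGraph()
    for grant in grants:
        priv = (perm_key, (grant[perm_key], env_name))
        g.add_edge((role_key, grant[role_key]), priv)
        g.add_edge(priv, ("env", env_name))
    return g


def build_example_graph():
    # Constructed identity environments; each labels the same attributes differently.
    hr = identity_subgraph(
        [{"user": "alice", "dept": "finance", "group": "analyst"},
         {"user": "bob", "dept": "platform", "group": "engineer"}],
        attr_keys=["dept", "group"])
    idp = identity_subgraph(
        [{"user": "alice", "org_unit": "finance", "role": "analyst"},  # duplicates HR
         {"user": "carol", "org_unit": "platform", "role": "engineer"}],
        attr_keys=["org_unit", "role"])
    # Constructed data environments, again with their own labels.
    warehouse = data_subgraph(
        "warehouse",
        [{"grantee_role": "analyst", "perm": "read"},
         {"grantee_role": "engineer", "perm": "admin"}],
        role_key="grantee_role", perm_key="perm")
    buildlogs = data_subgraph(
        "buildlogs",
        [{"role_name": "engineer", "access": "write"}],
        role_key="role_name", perm_key="access")

    # Translate every subgraph to the canonical schema, then combine them.
    canonical = [
        hr.relabel({"dept": "department", "group": "role"}),
        idp.relabel({"org_unit": "department"}),
        warehouse.relabel({"grantee_role": "role", "perm": "privilege"}),
        buildlogs.relabel({"role_name": "role", "access": "privilege"}),
    ]
    graph = PrivilegeGraph()
    for sub in canonical:
        graph.merge(sub)
    return graph


if __name__ == "__main__":
    g = build_example_graph()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(g.authorizations(user)))
    # A change to the privilege information: the engineer role loses admin on warehouse.
    g.remove_edge(("role", "engineer"), ("privilege", ("admin", "warehouse")))
    print("bob after revoke", sorted(g.authorizations("bob")))
```

Two points are worth noticing when running it. The HR directory and the identity provider both assert that alice belongs to finance; after relabelling, those are the same canonical edge, so the set-valued adjacency deduplicates the replicated connection. Second, because attribute nodes are shared after combination, a traversal answers "what can anyone with this attribute chain reach", so the order in which attributes are chained matters: the most specific attribute should sit last, directly before the privileges node, or a broad shared attribute such as a department can route one user to another user's privileges.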
Regarding claim 11, Badawy discloses an apparatus comprising: one or more computer readable storage media; a processing system operatively coupled with the one or more computer readable storage media; and program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the processing system to: extract identity information for a plurality of users from a plurality of identity environments and privilege information from a plurality of data environments (paragraph 65, identity management data includes identities and entitlements); form subgraphs for the identity environments and the data environments from the identity information and the privilege information (paragraph 68, identities subgraph and entitlement subgraph); translate the subgraphs into a canonical schema (paragraph 53, translation to graph format); and after translating the subgraphs, combine the subgraphs into the privilege graph (paragraph 70, stored identity graph).
Badawy does not explicitly state the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas. However, translating graphs in such a fashion was well known in the art as evidenced by Grisby. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Badawy by adding the ability for the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas as provided by Grisby (see column 13, lines 15-23, subgraph transformed based on transformation rule, and column 2, line 62 through column 3, line 10, attributes represented in different fashion after transformation). One of ordinary skill in the art would have recognized the benefit that managing subgraphs in this way would assist in processing graph-to-graph transformations (see Grisby, column 1, lines 20-35).
The combination of Badawy and Grisby does not explicitly state wherein the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users. However, utilizing such a graph structure was well known in the art as evidenced by Bargury. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy and Grisby by adding the ability that the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users as provided by Bargury (see paragraph 38, graph has nodes for user account, permissions, and resources). One of ordinary skill in the art would have recognized the benefit that managing permissions in this way would assist in protecting resources from security risks such as data leakage and data loss (see Bargury, paragraph 15).
The combination of Badawy, Grisby, and Bargury does not explicitly state wherein the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information. However, using role graphs in such a fashion was well known in the art as evidenced by Chui. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy, Grisby, and Bargury by adding the ability that the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information as provided by Chui (see paragraph 61, grant path includes roles). One of ordinary skill in the art would have recognized the benefit that implementing role graphs in this way would assist in providing privilege information for users and applications (see Chui, paragraph 4).
Regarding claim 12, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the program instructions direct the processing system to: display the privilege graph to an administrator authorized to view the privilege graph (Badawy, paragraph 70, visual representation of the graph).
Regarding claim 13, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein to form the subgraphs, the program instructions direct the processing system to: create a user node for a user of the plurality of users and sequentially connect the user node to one or more subgraph attribute nodes that each represent an attribute of the user indicated in the identity information (Badawy, paragraph 113, connected nodes have properties that define attributes of relationship).
Regarding claim 14, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the program instructions direct the processing system to: upon reaching a last attribute node of the one or more subgraph attribute nodes, connect the last attribute node to a privileges node representing one or more of the privileges; and connect the privileges node to one or more of the leaf nodes representing authorized data environments of the plurality of data environments that the user is authorized to access (Badawy, paragraph 118, identity node connected to entitlement node).
Regarding claim 15, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the one or more of the leaf nodes each represent data or a feature that the user is authorized to access (Badawy, paragraph 33, entitlement is ability to access, and Bargury, paragraph 38, resources).
Regarding claim 16, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the attribute comprises a role referred to differently by the canonical node label and the node label (Badawy, paragraph 65, role).
Regarding claim 17, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein to combine the subgraphs, the program instructions direct the processing system to: for an attribute represented by attribute nodes in multiple subgraphs, identify a common attribute node and migrate connections with the attribute nodes to the common attribute node (Badawy, paragraph 85, clusters identities into peer groups).
Regarding claim 18, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the program instructions direct the processing system to: identify replicated connections with the common attribute node; and deduplicate the replicated connections (Badawy, paragraph 85, clustering based on similarity).
Regarding claim 19, the combination of Badawy, Grisby, Bargury, and Chui discloses wherein the program instructions direct the processing system to: identify a change to the privilege information; and update the privilege graph based on the change (Badawy, paragraph 96, changes to entitlement, and paragraph 98, updating affected identities and entitlements).
Regarding claim 20, Badawy discloses one or more non-transitory computer readable storage media having program instructions stored thereon that, when read and executed by a processing system, direct the processing system to: extract identity information for a plurality of users from a plurality of identity environments and privilege information from a plurality of data environments (paragraph 65, identity management data includes identities and entitlements); form subgraphs for the identity environments and the data environments from the identity information and the privilege information (paragraph 68, identities subgraph and entitlement subgraph); translate the subgraphs into a canonical schema (paragraph 53, translation to graph format); and after translating the subgraphs, combine the subgraphs into the privilege graph (paragraph 70, stored identity graph).
Badawy does not explicitly state the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas. However, translating graphs in such a fashion was well known in the art as evidenced by Grisby. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Badawy by adding the ability for the translating from one or more different schemas used by the subgraphs, including relabeling a node in the subgraphs to a canonical node label in the canonical schema that represents an attribute differently from a node label representing the attribute in the one or more different schemas as provided by Grisby (see column 13, lines 15-23, subgraph transformed based on transformation rule, and column 2, line 62 through column 3, line 10, attributes represented in different fashion after transformation). One of ordinary skill in the art would have recognized the benefit that managing subgraphs in this way would assist in processing graph-to-graph transformations (see Grisby, column 1, lines 20-35).
The combination of Badawy and Grisby does not explicitly state wherein the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users. However, utilizing such a graph structure was well known in the art as evidenced by Bargury. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy and Grisby by adding the ability that the privilege graph includes leaf nodes representing respective ones of the plurality of data environments, wherein the privilege graph includes parent nodes of the leaf nodes that represent privileges one or more users have with respect to the plurality of data environments, and wherein one or more ancestor nodes of the parent nodes represent the one or more users as provided by Bargury (see paragraph 38, graph has nodes for user account, permissions, and resources). One of ordinary skill in the art would have recognized the benefit that managing permissions in this way would assist in protecting resources from security risks such as data leakage and data loss (see Bargury, paragraph 15).
The combination of Badawy, Grisby, and Bargury does not explicitly state wherein the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information. However, using role graphs in such a fashion was well known in the art as evidenced by Chui. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Badawy, Grisby, and Bargury by adding the ability that the privilege graph is organized such that a traversal from a node representing one or more users to one of the parent nodes passes through one or more attribute nodes that represent respective user attributes indicated in the identity information as provided by Chui (see paragraph 61, grant path includes roles). One of ordinary skill in the art would have recognized the benefit that implementing role graphs in this way would assist in providing privilege information for users and applications (see Chui, paragraph 4).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski, whose telephone number is (571) 272-2812. The examiner can normally be reached Monday through Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Carl Colin, can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493