DETAILED ACTION
This communication is a Final Office Action rejection on the merits. Claims 1-20 are currently pending and have been addressed below.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed on 04/06/2026 (related to the 103 Rejection) have been fully considered but are moot in view of new grounds of rejection. Applicant's amendments necessitated the new ground(s) of rejection presented in this Office action. Rejection based on a newly cited reference(s) follows.
Applicant's arguments filed on 04/06/2026 (related to the 101 Rejection) have been fully considered but they are not persuasive.
Applicant states, on pages 8-14, that amended claim 1 recites a particular technical way to enforce cross-platform compliance in distributed environments: adapters with platform-specific APis receive platform-triggered events; an event record manager normalizes those platform-specific events into a uniform event-record format; a rules engine selects platform-specific rules from rule storage keyed to extracted platform identity; and an event manager intercepts or revokes platform commands to prevent or revert platform-side permission/status changes until completion of training assigned by the rules engine. This is not a result-only claim; it specifies the architecture and control flow that accomplishes the enforcement. The Office Action's assertion that the claim "lacks details as to how the computer performed the change of status" is contradicted by the amendments requiring "revoking or intercepting ... commands communicated to the platform ... thereby preventing ... or reverting" the change.
In particular, if the Examiner contends that intercepting or revoking "commands communicated to the platform ... thereby preventing ... or reverting" a platform-side permission/status change is conventional or generic, Applicant requests the Examiner cite evidence showing that such command-path enforcement in heterogeneous platform environments is well-understood, routine, and conventional in the relevant timeframe, and explain how that evidence maps to the claim's ordered combination and platform-specific API/event normalization requirements. Absent such evidence and a claim-as-a-whole analysis consistent with the USPTO Memorandum, Applicant respectfully submits the§ 101 rejection should be withdrawn.
Examiner respectfully disagrees with Applicant. Claim 1 elements are considered to be abstract ideas because they are directed to “certain methods of organizing human activity” which include “managing personal behavior.” In this case, the claim as a whole is directed to management of compliance training based on rules (see MPEP 2106.04(a)(2), following rules or instructions). For example, claim 1 is directed to: assign a training when there’s a change in status (e.g., start a job within an organization and/or change in their job role); track training completion status; and provide network access/permission instructions in response to completing or not completing the required training. If a claim limitation, under its broadest reasonable interpretation, covers following rules or instructions, then it falls within the “certain methods of organizing human activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The mere nominal recitation of generic computer components does not take the claim out of the certain methods of organizing human activity grouping. The server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms and populate the information in an event record in a uniform format (Paragraph 0090 & 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The one or more networks using one or more application programming interfaces (APIs) is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084). Merely stating that the step is performed by a computer component results in “apply it” on a computer (MPEP 2106.05f). Those elements are recited at a high level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer element. Also, the adapters and API are considered “field of use” (MPEP 2106.05h) at Step 2A Prong 2; as they’re just used to receive status information, but the technology is not improved. At Step 2B, the adapter and API are considered a conventional computer function of “receiving or transmitting data over a network” and “performing repetitive calculations” (MPEP 2106.05d). Further, although claim 1 includes a final step of “one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status,” claim 1 lacked details as to how the computer performed/applied the change of status, which merely recites the idea of a solution or outcome (MPEP 2106.05f). Lastly, “normalizing event records of the one or more platform-specific events to a uniform format” is not considered a particular transformation (MPEP 2106.05(c)). Therefore, claim 1 does not recite a particular way to accomplish a technological outcome.
The claim fails to recite any improvements to another technology or technical field, improvements to the functioning of the computer itself, use of a particular machine, effecting a transformation or reduction of a particular article to a different state or thing, adding unconventional steps that confine the claim to a particular useful application, and/or meaningful limitations beyond generally linking the use of an abstract idea to a particular environment. See 84 Fed. Reg. 55. Viewed individually or as a whole, these additional claim elements do not provide meaningful limitations to transform the abstract idea into a patent eligible application of the abstract idea such that the claim amounts to significantly more than the abstract idea itself. Thus, the claim is not patent eligible.
Independent claim 11 recites similar features and therefore is rejected for the same reasons as independent claim 1. Claims 2-10 and 12-20 are rejected for having the same deficiencies as those set forth with respect to the claims that they depend from, independent claims 1 or 11.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., an abstract idea) without reciting significantly more.
Independent Claim 1
Step One - First, pursuant to step 1 in the January 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”) on 84 Fed. Reg. 53, the claim 1 is directed to a method which is a statutory category.
Step 2A, Prong One - Claim 1 recites: A method comprising a system for which a user carries out a job function unique, to detect or receive notification of an event of a change in status of the user and populated information from the event in a uniform format; receiving, events triggered based at least on the user carrying out the corresponding job function; responsive to occurrence of the one or more events to the uniform format; extracting, information comprising a platform identity on which the event occurred, a user identity uniquely identifying the user associated with the event and a change in status of the user corresponding to the platform identity; determining, responsive to each event and based on the information, one or more rules corresponding to the platform identify of each event; matching the selected one or more rules to an event comprising identification of the change in status of a permission of the user identified by the user identity by the platform identity; determine, responsive to the one or more rules matching the event and the change in status of the permission of the user in using the platform identified by the event, to assign a training identified to be completed by the user identified by the user identity of the event; identifying, responsive to and based at least on matching the event comprising the change in status of the permission of the user, maintaining a status of the user; determining that the change of status of the permission of the user is not to be allowed before the user completes the training assigned; and one of revoking or intercepting, responsive to determining the change of status is not to be allowed, one or more commands communicated to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status. These claim elements are considered to be abstract ideas because they are directed to “certain methods of organizing human activity” which include “managing personal behavior.” In this case, the claim as a whole is directed to management of compliance training based on rules (see MPEP 2106.04(a)(2), following rules or instructions). If a claim limitation, under its broadest reasonable interpretation, covers managing personal behavior, then it falls within the “certain methods of organizing human activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
Step 2A Prong 2 - The judicial exception is not integrated into a practical application. Claim 1 includes additional elements: by one or more servers, via one or more adapters; one or more platforms; using one or more application programming interfaces (APIs) of the corresponding platform; an event record manager; one or more event records; a rules engine; and a rules storage.
The server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms and populate the information in an event record in a uniform format (Paragraph 0090 & 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The application programming interface (API) is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084). Merely stating that the step is performed by a computer component results in “apply it” on a computer (MPEP 2106.05f). These elements of “server,” “adapter,” “platform,” “API,” “event record manager,” “event record,” “rules engine,” and “rules storage” are recited at a high level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer element. Also, the adapter and API are considered “field of use” (MPEP 2106.05h) as they’re just used to receive rules and status information, but the technology is not improved. Accordingly, alone and in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to an abstract idea.
Step 2B - The claim does not include additional elements that are sufficient to amount significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the claims describe how to generally “apply” the concept of changing the status of the user based on rules (e.g., before or after completing the required training). The specification shows that the server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms and populate the information in an event record in a uniform format (Paragraph 0090 & 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The API is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084). Also, the adapter and API are considered a conventional computer function of “receiving or transmitting data over a network” and “performing repetitive calculations” (MPEP 2106.05d). Further, “normalizing event records of the one or more platform-specific events to a uniform format” is not considered a particular transformation (MPEP 2106.05(c)). Thus, nothing in the claim adds significantly more to the abstract idea. The claim is ineligible.
Independent claim 11 is directed to an apparatus at step 1, which is a statutory category. Claim 11 recites similar limitations as claim 1 and is rejected for the same reasons at step 2a, prong one; step 2a, prong 2; and step 2b. The claim is not patent eligible.
Dependent claims 2-9 and 11-18 are not directed to any additional claim elements. Rather, these claims offer further descriptive limitations of elements found in the independent claims and addressed above - such as wherein the server: applies one or more rules to the one or more events to determine the training that is to be completed by the user before the change of the status is implemented in the one or more platforms; determines a level of harm if the user is allowed the change in status in the one or more platforms before the user completes the training; determines the change of status is to be allowed while the user completes the training; determines the change of status of the user is to be withheld while the user completes the training; identifies that the user is designated as a candidate for one or more types of the one or more events and assigning the user training to complete to implement the change in status; causes the change in status in the one or more platforms responsive to the user completing the training; causes the change in status in the one or more platforms and tracking progress or completion of the training of the user; disables the change in status in the one or more platforms responsive to the user not completing the training within a set period. These processes are similar to the abstract idea noted in the independent claim because they further the limitations of the independent claim which are directed to “certain methods of organizing human activity” which include “managing personal behavior” (e.g., following rules or instructions). In addition, no additional elements are integrated into the abstract idea. Therefore, the claims still recite an abstract idea that can be grouped into a method of organizing human activity.
Dependent claims 10 and 20 are directed to additional elements such as: an application programming interface (API). The API is further used to access one or more platforms and enable communication between the system components for information exchange (Paragraphs 0019 & 0069). The API is considered “field of use” at step 2A, Prong 2 (MPEP 2106.05h); as it’s just used to receive information and does not improve the technology. Also, at Step 2B, the API is considered a conventional computer function of “receiving or transmitting data over a network” (MPEP 2106.05d). Thus, nothing in the claim adds significantly more to the abstract idea. The claim is ineligible.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 5-12, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al. (US 2021/0141932 A1), in view of Shek et al. (US 20220414601 A1), in further view of Linga et al. (US 2021/0256152 A1).
Regarding claim 1 (Currently Amended), Barday et al. discloses a method comprising establishing, by one or more servers of a system, … to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms (Paragraph 0008, Various other embodiments of data subject access request processing systems and methods are described in the listing of concepts below: 1. A data subject access request processing system, according to various embodiments, comprises: one or more data subject access request management servers; Paragraph 0419, In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. The learning management system may then be configured to interface with one or more system access authorization systems in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so; Examiner interprets the particular system as the platform), each of the … of the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more platform-specific application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event of a change in status of the user on the platform triggered by the corresponding platform and populated information from the event in an event record in a uniform format (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0418, In response to determining that the user and/or the computing device is not authorized to access the first data asset, the system may be configured to redirect the user (e.g., the user's computing device) to a second data asset. In various embodiments, the second data asset may include any suitable system, software, or other suitable data asset for, for example: (1) providing the user the opportunity to acquire authorization to access the first data asset (e.g., by enabling the user to complete one or more compliance trainings required to access the first data asset); (2) providing the user with training on how to make authorized access to the first data asset (e.g., by enabling the user to complete one or more required certifications, providing the information and/or training on device requirements to access the first data asset, etc.); and/or (3) enforcing one or more requirements related to the access to the first data assets (e.g., one or more requirements related to completion of one or more trainings related to the unauthorized access); Paragraph 0419, In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. The learning management system may then be configured to interface with one or more system access authorization systems in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so; In this case, the “event trigger” is to enable the user to complete one or more compliance trainings required to access the first data asset);
receiving, by the … one or more servers, via one or more APIs one or more platform-specific events triggered from the one or more platforms based at least on the user carrying out the corresponding job function on the corresponding platform on the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use);
automatically processing, by an event record manager of the one or more servers responsive to occurrence of the one or more platform-specific events as the one or more platform-specific events are received from each of the one or more platforms via one or more platform-specific APIs, event records of the one or more platform-specific events to the uniform format (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use);
extracting, by the event record manager, from the one or more event records information comprising a platform identify indicating the specific platform on which the platform-specific event occurred, a user identity uniquely identifying the user associated with the platform-specific event and a change in status of the user on the platform corresponding to the platform identity (Paragraph 0008, one or more data subject access request management servers; Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Paragraph 0417, A user access management system, in various embodiments, is configured to analyze one or more pieces of data related to a user attempting to access a first data asset and/or the computing device via which the user is attempting to access the first data asset in order to determine the user's and/or the computing device's authorization to access the first data asset. In various embodiments, the first data asset may include any suitable data asset associated with the company such as, for example: (1) one or more software systems; (2) one or more data systems; (3) one or more databases (e.g., one or more databases that store particular types of data, such as customer data, personal data, employee data, etc.); and/or (4) any other suitable data asset. In any embodiment described herein, a first data asset (e.g., and/or any other suitable data asset or combination of data assets discussed herein) may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.; In this case, Barday et al. discloses whether a particular employee (interpreted as the user identity) attempting to access a particular system (interpreted as platform identify such as one or more pieces of software and/or data within that system) has completed any necessary requirements (interpreted as a change in status of the user on a platform corresponding to the platform identity such as determining training/certifications status, wherein the status is used to determine access to the particular system));
determining, by a rules … responsive to each event record and based on the information in the one or more event records, one or more rules … for the platform corresponding to the platform identify of each event record; matching, by the rule …, the selected one or more rules to an event record comprising identification of the change in status of a permission of the user identified by the user identity in using the platform identified by the platform identity; determine, by the rules … responsive to the one or more rule matching the event record and the change in status of the permission of the user in using the platform identified by the event record, to assign a training identified by the rules … to be completed by the user identified by the user identity of the event record (Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Paragraph 0420, In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application; Examiner notes that Barday et al. identifies appropriate training required by the user based on user identity of the event record (e.g., particular user and/or user’s role within the company));
identifying, by the one or more servers responsive to and based at least on matching the event record comprising the change in status of the permission of the user in using the platform, the change of status of the user in using the platform to occur on the one or more platforms, each platform of the one or more platforms maintaining a status of the user on that platform separate from the status of the user on another platform of the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner interprets the learning management system as the first platform, wherein the learning management system maintains a status of the user (e.g., required compliance training). Also, Examiner interprets the one or more pieces of software as the second platform, wherein the one or more pieces of software maintains another status of the user (e.g., user’s permissions/access based on the role of the user));
determining, by the one or more servers, that the change of status of the permission of the user in using the platform is not to allowed in the platform of the one or more platforms before the user completes the training assigned by the rule … (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner notes that the change of status is not allowed before the user completes the training (e.g., change in user’s permission is not allowed until the user completes the required compliance training));
and one of revoking or intercepting, by the event manager responsive to determining the change of status is not to be allowed, one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access; Paragraph 0416, In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; As stated in Paragraph 0004 of Applicant’s specification, the change of status may be changing user’s permission/access. Therefore, based on broadest reasonable interpretation in light of the specification, Barday et al. discloses “one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status” since it can change user’s permission/access back to a status prior the event in response to detecting that the user does not have all the required trainings/certifications and/or trainings/certifications have expired).
Although Barday et al. discloses determining, by the rules responsive to each event record and based on the information in the one or more event records (see Barday et al., Paragraph 0416, determine whether the user may access a particular system based on completed training/certifications and/or role), Barday et al. does not specifically disclose wherein the rules are stored in a rules storage. Also, Barday does not specifically disclose wherein the data is saved in a uniform format.
However, Shek et al. discloses a method comprising establishing, by one or more servers of a system, … to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms, … the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more platform-specific application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event of a change in status of the user on the platform triggered by the corresponding platform and populated information from the event in an event record in a uniform format (Paragraph 0027, A centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; In this case, when the system detects that the intern or consultant completed the job (e.g., finished the appropriate amount of time), then the system automatically revokes the access to the platform. Examiner interprets “finishing the appropriate amount of time” as the “change in status of the user on the platform”);
receiving, … of the one or more servers, via one or more platform APIs one or more platform-specific events triggered from the one or more platforms based at least on the user carrying out the corresponding job function on the corresponding platform on the one or more platforms; automatically processing, by an event record manager of the one or more servers responsive to occurrence of the one or more platform-specific events as the one or more platform-specific events are received from each of the one or more platforms via one or more platform-specific APIs, event records of the one or more platform-specific events to the uniform format (Paragraph 0027, A centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Examiner interprets “detecting that the amount of time is over for a specific user” as the “platform-specific event”);
extracting, by the event record manager, from the one or more event records information comprising a platform identity indicating the specific platform on which the platform-specific event occurred, a user identity uniquely identifying the user associated with the platform-specific event and a change in status of the user on the platform corresponding to the platform identity (Paragraph 0098, As with other embodiments described herein, the instance 302 is communicably coupled to a gateway 304. The instance 302 can be configured to receive from the gateway 304 one or more permissions requests which can include, in many cases, a content identifier and a user identifier. As noted above, a permissions request can include any suitable identifiers and may not be limited to content identifiers and/or user identifiers. For example, in some embodiments, the permissions request can include: a role identifier; an organization identifier; a tool or platform identifier; a timestamp; a datestamp or timestamp at which a two factor authentication operation failed or succeeded; a priority indicator; and so on; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; In this case, when the system detects that the intern or consultant completed the job (e.g., finished the appropriate amount of time), then the system automatically revokes the access to the platform. Examiner interprets “finishing the appropriate amount of time” as the “change in status of the user on the platform”);
determining, by a rules engine responsive to each event record and based on the information in the one or more event records, one or more rules selected from a rule storage for the platform corresponding to the platform identify of each event record; matching, by the rule engine, the selected one or more rules to an event record comprising identification of the change in status of a permission of the user identified by the user identity in using the platform identified by the platform identity (Paragraph 0027, centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Paragraph 0101, In other cases, (and/or if the cache 308 is not usable to service the permissions request) the permissions query manager 306 may be configured to access one or more permissions managers to determine whether the permissions request should be granted. For example, in some configurations, a general permissions manager 310 can be configured to load one or more policies from a policy manger 312 into memory. The policies may associated particular roles with particular content, particular users with particular permissions or rules, and so on. A person of skill in the art understands and appreciates that any suitable number of policies and/or business rules can be constructed and implemented by a permissions manager, such as the permissions manager 310; In this case, one of the rules is to revoke access after a predetermined amount of time);
determine, by the rules engine responsive to the one or more rules matching the event record and the change in status of the permission of the user in using the platform identified by the event record, to [grant or revoke access] by the user identified by the user identity of the event record; identifying, by the one or more servers responsive to and based at least on matching the event record comprising the change in status of the permission of the user in using the platform, the change of status of the user in using the platform to occur on the one or more platforms, each platform of the one or more platforms maintaining a status of the user on that platform separate from the status of the user on another platform of the one or more platforms; determining, by the one or more servers, that the change of status of the permission of the user in using the platform is not to be allowed in the platform of the one or more platforms before the user [start period] by the rule engine; and one of revoking or intercepting, by the event manager responsive to determining the change of status is not to be allowed, one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status (Paragraph 0027, centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Paragraph 0101, In other cases, (and/or if the cache 308 is not usable to service the permissions request) the permissions query manager 306 may be configured to access one or more permissions managers to determine whether the permissions request should be granted. For example, in some configurations, a general permissions manager 310 can be configured to load one or more policies from a policy manger 312 into memory. The policies may associated particular roles with particular content, particular users with particular permissions or rules, and so on. A person of skill in the art understands and appreciates that any suitable number of policies and/or business rules can be constructed and implemented by a permissions manager, such as the permissions manager 310).
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., rules to determine whether the user may access a particular system based on completed training/certifications and/or role) of the invention of Barday et al. to further specify a wherein the rules are stored in a rules storage of the invention of Shek et al. because doing so would allow the method to generate platform-specific permissions by accessing a permissions or rules database (see Shek et al., Paragraphs 0027 & 0038). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Although the combination of Barday et al. and Shek et al. discloses all the limitations above and an API configure to communicate with a corresponding platform of the one or more platforms, the combination of Barday et al. and Shek et al. does not specifically disclose one or more adapters to one or more platforms.
However, Linga et al. discloses one or more adapters to one or more platforms (Paragraph 0130, Computer system/server 702 may also communicate with one or more external devices 720 via a I/O adapter 724, such as a keyboard, a pointing device, a display 722, etc.; one or more devices that enable a user to interact with computer system/server 702; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 702 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 724 of the adapter 726. Still yet, computer system/server 702 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter), …;
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., provide required training to access the system) of the invention of Barday et al. to further specify wherein the communication is via one or more adapters of the invention of Linga et al. because doing so would allow the method to communicate with one or more external devices via a I/O adapter (see Linga et al., Paragraph 0130). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding claim 11 (Currently Amended), Barday et al. discloses a system comprising: one or more servers to: establish … on the system to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms (Paragraph 0008, Various other embodiments of data subject access request processing systems and methods are described in the listing of concepts below: 1. A data subject access request processing system, according to various embodiments, comprises: one or more data subject access request management servers; Paragraph 0419, In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. The learning management system may then be configured to interface with one or more system access authorization systems in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so; Examiner interprets the particular system as the platform), each of the … of the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more platform-specific application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event triggered by the corresponding platform associated with the user carrying out a corresponding job function on the corresponding platform (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0418, In response to determining that the user and/or the computing device is not authorized to access the first data asset, the system may be configured to redirect the user (e.g., the user's computing device) to a second data asset. In various embodiments, the second data asset may include any suitable system, software, or other suitable data asset for, for example: (1) providing the user the opportunity to acquire authorization to access the first data asset (e.g., by enabling the user to complete one or more compliance trainings required to access the first data asset); (2) providing the user with training on how to make authorized access to the first data asset (e.g., by enabling the user to complete one or more required certifications, providing the information and/or training on device requirements to access the first data asset, etc.); and/or (3) enforcing one or more requirements related to the access to the first data assets (e.g., one or more requirements related to completion of one or more trainings related to the unauthorized access); In this case, the “event trigger” is to enable the user to complete one or more compliance trainings required to access the first data asset);
receive, by … the one or more servers via one or more APIs one or more platform-specific events triggered from the one or more platforms based at least on the user carrying out the corresponding job function on the corresponding platform on the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use);
an event record manager of the one or more servers configured to automatically process, responsive to occurrence of the one or more events as the one or more platform-specific events are received from each of the one or more platforms via one or more platform-specific APIs, event records of the one or more platform-specific events to the uniform format (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use), and extract event records of the one or more events to extract from the one or more event records information comprising a platform identity indicating the specific platform on which the event occurred, a user identity uniquely identifying the user associated with the platform-specific event and a change in status of the user on the platform corresponding to the platform identity (Paragraph 0008, one or more data subject access request management servers; Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Paragraph 0417, A user access management system, in various embodiments, is configured to analyze one or more pieces of data related to a user attempting to access a first data asset and/or the computing device via which the user is attempting to access the first data asset in order to determine the user's and/or the computing device's authorization to access the first data asset. In various embodiments, the first data asset may include any suitable data asset associated with the company such as, for example: (1) one or more software systems; (2) one or more data systems; (3) one or more databases (e.g., one or more databases that store particular types of data, such as customer data, personal data, employee data, etc.); and/or (4) any other suitable data asset. In any embodiment described herein, a first data asset (e.g., and/or any other suitable data asset or combination of data assets discussed herein) may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.; In this case, Barday et al. discloses whether a particular employee (interpreted as the user identity) attempting to access a particular system (interpreted as platform identify such as one or more pieces of software and/or data within that system) has completed any necessary requirements (interpreted as a change in status of the user on a platform corresponding to the platform identity such as determining training/certifications status, wherein the status is used to determine access to the particular system));
a rules … configured to determine, responsive to each event record and based on the information in the one or more event records, one or more rules … for the platform corresponding to the platform identify of each event record; to use to match each event record; wherein the rules … is configured to match the selected one or more rules to an event record comprising identification of the change in status of a permission of the user identified by the user identity in using the platform identified by the platform identity; wherein the rules … is configured, responsive to the one or more rule matching the event record and the change in status of the permission of the user in using the platform identified by the event record, to assign a training identified by the rules … to be completed by the user identified by the user identity of the event record (Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Paragraph 0420, In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application; Examiner notes that Barday et al. identifies appropriate training required by the user based on user identity of the event record (e.g., particular user and/or user’s role within the company));
wherein the one or more servers are configured to identify, responsive to and based at least on matching the event record comprising the change in status of the permission of the user in using the platform one or more event records, a change of status of the user in using the platform to occur on the one or more platforms, each platform of the one or more platforms maintaining a status of the user on that platform separate from the status of the user on another platform of the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner interprets the learning management system as the first platform, wherein the learning management system maintains a status of the user (e.g., required compliance training). Also, Examiner interprets the one or more pieces of software as the second platform, wherein the one or more pieces of software maintains another status of the user (e.g., user’s permissions/access in response to completing the necessary training));
and determine that the change of status of the permission of the user in using the platform is not to be allowed in the platform of the one or more platforms before the user completes the training assigned by the rule … (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner notes that the change of status is not allowed before the user completes the training (e.g., change in user’s permission is not allowed until the user completes the required compliance training));
and wherein the event manager is configured to one of revoke or intercept, responsive to determining the change of status is not to be allowed, one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access; Paragraph 0416, In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; As stated in Paragraph 0004 of Applicant’s specification, the change of status may be changing user’s permission/access. Therefore, based on broadest reasonable interpretation in light of the specification, Barday et al. discloses “one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status” since it can change user’s permission/access back to a status prior the event in response to detecting that the user does not have all the required trainings/certifications and/or trainings/certifications have expired).
Although Barday et al. discloses to determine, by the rules responsive to each event record and based on the information in the one or more event records (see Barday et al., Paragraph 0416, determine whether the user may access a particular system based on completed training/certifications and/or role), Barday et al. does not specifically disclose wherein the rules are stored in a rules storage. Also, Barday does not specifically disclose wherein the data is saved in a uniform format.
However, Shek et al. discloses a system comprising: one or more severs to: establish … on the system to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms, … of the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more platform-specific application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event triggered by the corresponding platform associated with the user carrying out a corresponding job function on the corresponding platform (Paragraph 0027, A centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; In this case, when the system detects that the intern or consultant completed the job (e.g., finished the appropriate amount of time), then the system automatically revokes the access to the platform. Examiner interprets “finishing the appropriate amount of time” as the “change in status of the user on the platform”);
receive by the … of the one or more servers via one or more APIs one or more platform-specific events triggered from one or more platforms based at least on the user carrying out the corresponding job function on the corresponding platform on the one or more platforms; an event record manager of the one or more servers configured to automatically process, responsive to occurrence of the one or more events as the one or more platform-specific events are received from each of the one or more platforms via one or more platform-specific APIs, event records of the one or more platform-specific events to the uniform format (Paragraph 0027, A centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Examiner interprets “detecting that the amount of time is over for a specific user” as the “platform-specific event”),
and extract event records of the one or more events to extract from the one or more event records information comprising a platform identity indicating the specific platform on which the event occurred, a user identity uniquely identifying the user associated with the platform-specific event and a change in status of the user on the platform corresponding to the platform identity (Paragraph 0098, As with other embodiments described herein, the instance 302 is communicably coupled to a gateway 304. The instance 302 can be configured to receive from the gateway 304 one or more permissions requests which can include, in many cases, a content identifier and a user identifier. As noted above, a permissions request can include any suitable identifiers and may not be limited to content identifiers and/or user identifiers. For example, in some embodiments, the permissions request can include: a role identifier; an organization identifier; a tool or platform identifier; a timestamp; a datestamp or timestamp at which a two factor authentication operation failed or succeeded; a priority indicator; and so on; Paragraph 0037, For example, an administrator of the centralized access control service can implement organization-level role based permissions, instead of platform-level roll based permissions. In this administrator can define that all managers in an organization have the same access across all tools. In other cases, permissions can be based on a team-by-team basis. In such examples, team-based permissions can dramatically simplify onboarding of new employees or team members; a single addition in the centralized access control service can permit a new team member to access specific content relevant to the team's project(s) stored in a documentation service, stored in an issue tracking service, and/or stored in any other suitable collaboration tool; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; In this case, when the system detects that the intern or consultant completed the job (e.g., finished the appropriate amount of time), then the system automatically revokes the access to the platform. Examiner interprets “finishing the appropriate amount of time” as the “change in status of the user on the platform”);
a rules engine configured to determine, responsive to each event record and based on the information in the one or more event records, one or more rules selected from a rule storage for the platform corresponding to the platform identify of each event record; to use to match each event record; wherein the rules engine is configured to match the selected one or more rules to an event record comprising identification of the change in status of a permission of the user identified by the user identity in using the platform identified by the platform identity (Paragraph 0027, centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Paragraph 0101, In other cases, (and/or if the cache 308 is not usable to service the permissions request) the permissions query manager 306 may be configured to access one or more permissions managers to determine whether the permissions request should be granted. For example, in some configurations, a general permissions manager 310 can be configured to load one or more policies from a policy manger 312 into memory. The policies may associated particular roles with particular content, particular users with particular permissions or rules, and so on. A person of skill in the art understands and appreciates that any suitable number of policies and/or business rules can be constructed and implemented by a permissions manager, such as the permissions manager 310; In this case, one of the rules is to revoke access after a predetermined amount of time);
wherein the rules engine is configured, responsive to the one or more rule matching the event record and the change in status of the permission of the user in using the platform identified by the event record, to [grant or revoke access] identified by the rules engine … identified by the user identity of the event record; wherein the one or more servers are configured to identify, responsive to and based at least on matching the event record comprising the change in status of the permission of the user in using the platform one or more event records, a change of status of the user in using the platform to occur on the one or more platforms, each platform of the one or more platforms maintaining a status of the user on that platform separate from the status of the user on another platform of the one or more platforms; and determine that the change of status of the permission of the user in using the platform is not to be allowed in the platform of the one or more platforms before the user [start period] assigned by the rule engine; and wherein the event manager is configured to one of revoke or intercept, responsive to determining the change of status is not to be allowed, one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status (Paragraph 0027, centralized access control service, as described herein, can be configured to serve as a façade and/or gateway that translates individual platform permissions application programming interface (API) calls into a uniform form and format, thereby enabling cross-platform permissions control. In other words, any permissions request generated or served within a multiplatform environment can be handled by the centralized access control service which, in turn, can either (1) service the request directly by accessing a permissions or rules database associated with the centralized access control service or (2) service the request by generating a platform-specific permissions API call. In this manner, permissions policy control can be elevated from a per-platform management task to an organization-level management task, dramatically simplifying permissions control; Paragraph 0038, In yet other cases, permissions can be based on runtime attributes, such as a time period that a particular authenticated user last re-authenticated (e.g., via two-factor authentication). In yet other examples, permissions can be time-limited. For example, a consultant or intern may join a particular team for a temporary period. By adding the consultant to a permissions group (e.g., the team) for a fixed or variable duration of time, the consultant can be granted access to all tools used by that team for an appropriate amount of time. This in contrast to conventional systems in which an IT professional is required to manually (or with scripts) create multiple user accounts for the consultant and revoke access to those accounts at a later time; Paragraph 0101, In other cases, (and/or if the cache 308 is not usable to service the permissions request) the permissions query manager 306 may be configured to access one or more permissions managers to determine whether the permissions request should be granted. For example, in some configurations, a general permissions manager 310 can be configured to load one or more policies from a policy manger 312 into memory. The policies may associated particular roles with particular content, particular users with particular permissions or rules, and so on. A person of skill in the art understands and appreciates that any suitable number of policies and/or business rules can be constructed and implemented by a permissions manager, such as the permissions manager 310).
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., rules to determine whether the user may access a particular system based on completed training/certifications and/or role) of the invention of Barday et al. to further specify a wherein the rules are stored in a rules storage of the invention of Shek et al. because doing so would allow the method to generate platform-specific permissions by accessing a permissions or rules database (see Shek et al., Paragraphs 0027 & 0038). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Although the combination of Barday et al. and Shek et al. discloses all the limitations above and an API configure to communicate with a corresponding platform of the one or more platforms, the combination of Barday et al. and Shek et al. does not specifically disclose one or more adapters to one or more platforms.
However, Linga et al. discloses one or more adapters to one or more platforms (Paragraph 0130, Computer system/server 702 may also communicate with one or more external devices 720 via a I/O adapter 724, such as a keyboard, a pointing device, a display 722, etc.; one or more devices that enable a user to interact with computer system/server 702; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 702 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 724 of the adapter 726. Still yet, computer system/server 702 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter), …;
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., provide required training to access the system) of the invention of Barday et al. to further specify wherein the communication is via one or more adapters of the invention of Linga et al. because doing so would allow the method to communicate with one or more external devices via a I/O adapter (see Linga et al., Paragraph 0130). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding claims 2 and 12 (Original), which are dependent of claims 1 and 11, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 1 and 11. Barday et al. further discloses applying, by the one or more servers, one or more rules to the one or more events to determine the training that is to be completed by the user before the change of the status is implemented in the one or more platforms (Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 5 and 15 (Original), which are dependent of claims 1 and 11, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 1 and 11. Barday et al. further discloses determining, by the one or more servers, the change of status of the user is to be withheld while the user completes the training (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 6 and 16 (Original), which are dependent of claims 5 and 15, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 5 and 15. Barday et al. further discloses identifying, by the one or more servers, that the user is designated as a candidate for one or more types of the one or more events and assigning the user training to complete to implement the change in status in the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 7 and 17 (Original), which are dependent of claims 6 and 16, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 6 and 16. Barday et al. further discloses causing, by the one or more servers, the change in status in the one or more platforms responsive to the user completing the training (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 8 and 18 (Original), which are dependent of claims 6 and 16, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 6 and 16. Barday et al. further discloses causing, by the one or more servers, the change in status in the one or more platforms and tracking progress or completion of the training of the user (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 9 and 19 (Original), which are dependent of claims 6 and 16, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 6 and 16. Barday et al. further discloses disabling, by the one or more servers, the change in status in the one or more platforms responsive to the user not completing the training within a set period (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Regarding claims 10 and 20 (Original), which are dependent of claims 1 and 11, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 1 and 11. Barday et al. further discloses controlling, by the one or more servers, the change of status in the one or more platforms by accessing the one or more platform via one or more application programming interfaces (APIs) (Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access).
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al. (US 2021/0141932 A1), in view of Shek et al. (US 20220414601 A1), in further view of Linga et al. (US 2021/0256152 A1) and Gilbert et al. (US 2001/0011280 A1).
Regarding claims 3 and 13 (Original), which is dependent of claims 1 and 11, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 1 and 11. Although Barday et al. discloses providing training for mitigating risk (Paragraph 0212, indicate a risk that an entity may not be in compliance with one or more legal or industry requirements related to the collection, storage, and/or processing of personal data), Barday et al. does not specifically disclose determining a level of harm if the user is allowed the change in status in the one or more platforms before the user completes the training.
However, Gilbert et al. discloses determining, by the one or more servers, a level of harm if the user is allowed the change in status in the one or more platforms before the user completes the training (Paragraph 0024, Referring to FIG. 3, assessment tables 22 store data used by assessment software 16 to determine the training an employee requires. The assessment tables 22 represent analysis of business processes and associated compliance risks. Assessment data 20 can include questions 48, possible responses 50, and the legal compliance risks 52 associated by different employee characteristics as indicated by employee responses. For example, an employee may be asked via user interface on the client whether her job entails pricing decisions. A positive response indicates the employee may require antitrust compliance training at a particular level in order to reduce the risk of an antitrust violation. Each risk type has an I.D. 52 associated with it. The risk I.D. 52 acts as an index into a training information table 58 that stores training session identifiers 54 that correspond to training sessions 26 directed toward eliminating a particular risk 52. The training information table 53 also stores a level of proficiency 56 required by the employee to adequately address a particular risk, and whether such training is recommended or required 58. For example, the employee making price decisions could benefit from training in antitrust topics such as price discrimination and predatory pricing).
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for providing training to a user based on required compliance training related to the use of a platform (e.g., a business application or software application), wherein the training helps in mitigating risk of the invention of Barday et al. to further incorporate a level of harm if the user is allowed the change in status in the one or more platforms before the user completes the training of the invention of Gilbert et al. because doing so would allow the method to provide training sessions directed toward eliminating a particular risk (see Gilbert et al., Paragraph 0024). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al. (US 2021/0141932 A1), in view of Shek et al. (US 20220414601 A1), in further view of Linga et al. (US 2021/0256152 A1) and Solmssen et al. (US 2023/0042345 A1).
Regarding claims 4 and 14 (Original), which are dependent of claims 1 and 11, the combination of Barday et al., Shek et al., and Linga et al. discloses all the limitations in claims 1 and 11. Although Barday et al. discloses wherein the change of status is to be allowed after the user completes the training, Barday et al. does not specifically discloses wherein the change of status is to be allowed while the user completes the training.
However, Solmssen et al. further discloses determining, by the one or more servers, the change of status is to be allowed while the user completes the training (Paragraph 0027, According to aspects, the compliance engine may take into account and track changes in a user's status. For example, a user may have already undergone training through the compliance engine for a year. It is possible that in the middle of the year that the user was promoted to become a manager and thus needed more training (or the user may have changed states/jurisdictions, etc.). In such cases, the compliance engine may update its tracking to ensure that the user remains compliant and/or attains compliance (e.g., receive the right training), where necessary. The compliance engine may also provide visibility to an administrator regarding the user's compliance status; Paragraph 0028, According to aspects, the compliance engine may be configured to perform many functions, including assigning the right people the right training, especially when something about them changes (e.g., they move, become a manager, etc.). This allows administrators to simply “set it and forget it” instead of having to remember and keep track of every change in every employee. The compliance engine may also be configured to report on whether someone is compliant or not, close to being not compliant, etc. The compliance engine may also be configured to clearly communicate to an administrator an up-to-date status of a given employee, and whether or not they are at risk of falling out of compliance; Paragraph 0053, For example, when someone gets new training for a valid reason, regulations may be considered that imply some grace period for training (e.g., when a new employee joins, they get 90 days to be trained). It may be assumed this counts for when a user's status changes and new training is needed (e.g., promotion to manager, moved into a new state, etc.); Examiner notes that the change of status is allowed before the user completes the training, wherein the user has a grace period for completing the training as defined by an administrator).
It would have been obvious to one ordinary skill in the art before the effective filing date to modify the method for controlling a change of status based at least on the one or more events (e.g., change a user’s access in response to completing a required training) of the invention of Barday et al. to further specify other rules for controlling the change of status (e.g., wherein the change of status is to be allowed while the user completes the training) of the invention of Solmssen et al. because doing so would allow the method to provide some grace period for training when a user’s status changes and new training is needed (see Solmssen et al., Paragraph 0053). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Frank (WO 0195105 A1) – discloses compliance programs may be manually developed on a location by location, department by department, and/or job by job basis, tailored to the site specific activities of each location, department or job. Alternatively, a general compliance program may be developed which covers all regulations whether or not applicable to a specific location, department or job. Each method has benefits and detriments (see at least Page 3).
Swartz (Swartz, M., Krull, I. and McCabe, J., 2004. Training and Compliance—Easing the Burden Through Cooperation with Instrument Vendors. LC GC NORTH AMERICA, 22(9), pp.906) - discloses to help an employee understand the GMP regulations that impact the lab, the training should be specific to an individual’s function and focus within the lab. It is of little value to train or educate an employee on all of the regulations if there is no impact on the job that person fulfills every day (Page 906, Compliance Training).
Chalmers et al. (US 2018/0069866 A1) – discloses to monitor the user's completion of the training session and the user access update component 218 may increase the user's access privileges 223 once the training has been completed. The increase in the user's access privileges 223 may re-instate the reduced user privileges or may allow new privileges due to the training being completed. The risk management system 210, in one embodiment, may restore system access, elevate privileges and change user profile status when the end user has completed the appropriate training (see at least Paragraph 0046).
Carter (US 2011/0277012 A1)– discloses events 510 are rules for selecting number of permissions for a trainee based on events that may occur. For example, events 510 may include steps completed 512 and resources accessed 514. Steps completed 512 are rules that assign or provide the trainee additional permissions of the trainer as different steps in a training session are completed. For example, with a successful completion of changes to a code base, a software engineer in training may be provided additional permissions to run the code base. Resources accessed 514 may include rules that provide the trainee additional permissions based on the resources being used. As one illustrative example, a rule may indicate that a trainee may not have access to edit particular files until other files have been edited (see at least Paragraph 0083).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARJORIE PUJOLS-CRUZ whose telephone number is (571)272-4668. The examiner can normally be reached Mon-Thru 7:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patricia H Munson can be reached at (571)270-5396. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.P./Examiner, Art Unit 3624 /PATRICIA H MUNSON/Supervisory Patent Examiner, Art Unit 3624