DETAILED ACTION
This communication is a Non-Final Office Action rejection on the merits. Claims 1-20 are currently pending and have been addressed below.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed on 10/06/2025 (related to the 103 Rejection) have been fully considered but are moot in view of new grounds of rejection. Applicant's amendments necessitated the new ground(s) of rejection presented in this Office action. Rejection based on a newly cited reference(s) follows.
Applicant's arguments filed on 10/06/2025 (related to the 101 Rejection) have been fully considered but they are not persuasive.
Applicant states, on pages 7-11, that the claimed solution integrates any alleged abstract concept into a practical application as a specific, ordered combination of components that changes external platform behavior by intercepting or revoking platform commands responsive to event time rule matches. The claimed solution provides a particular technological solution to cross platform computer compliance enforcement with specific limitations on providing the solution in a particular way and not a generalized instruction to 'apply rules on a computer' nor just reciting a desired result. The "as received" event extraction, rule store matching per event record, and command path interception/reversion across distinct external platforms of the claimed solution is a particular way to accomplish a technological outcome (governing downstream commands) and improves the technical field of distributed computer access compliance enforcement by revoking or intercepting commands downstream that would change to a non-compliance status of user on a platform, of which a human cannot practically do.
Examiner respectfully disagrees with Applicant. Claim 1 elements are considered to be abstract ideas because they are directed to “certain methods of organizing human activity” which include “managing personal behavior.” In this case, the claim as a whole is directed to management of compliance training based on rules (see MPEP 2106.04(a)(2), following rules or instructions). If a claim limitation, under its broadest reasonable interpretation, covers managing personal behavior, then it falls within the “certain methods of organizing human activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The mere nominal recitation of generic computer components does not take the claim out of the certain methods of organizing human activity grouping. The server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms (Paragraph 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The one or more networks using one or more application programming interfaces (APIs) is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084). Merely stating that the step is performed by a computer component results in “apply it” on a computer (MPEP 2106.05f). 
Those elements are recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using a generic computer element. Also, the adapters and API are considered “field of use” (MPEP 2106.05h) at Step 2A Prong 2; as they’re just used to receive status information, but the technology is not improved. At Step 2B, the adapter and API are considered a conventional computer function of “receiving or transmitting data over a network” and “performing repetitive calculations” (MPEP 2106.05d). Further, although claim 1 includes a final step of “one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status,” claim 1 lacked details as to how the computer performed the change of status, which merely recites the idea of a solution or outcome (MPEP 2106.05f). Therefore, claim 1 does not recite a particular way to accomplish a technological outcome.
Lastly, the claim fails to recite any improvements to another technology or technical field, improvements to the functioning of the computer itself, use of a particular machine, effecting a transformation or reduction of a particular article to a different state or thing, adding unconventional steps that confine the claim to a particular useful application, and/or meaningful limitations beyond generally linking the use of an abstract idea to a particular environment. See 84 Fed. Reg. 55. Viewed individually or as a whole, these additional claim elements do not provide meaningful limitations to transform the abstract idea into a patent eligible application of the abstract idea such that the claim amounts to significantly more than the abstract idea itself. Thus, the claim is not patent eligible.
Independent claim 11 recites similar features and therefore is rejected for the same reasons as independent claim 1. Claims 2-10 and 12-20 are rejected for having the same deficiencies as those set forth with respect to the claims that they depend from, independent claims 1 or 11.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., an abstract idea) without reciting significantly more.
Independent Claim 1
Step One - First, pursuant to step 1 in the January 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”) on 84 Fed. Reg. 53, claim 1 is directed to a method which is a statutory category.
Step 2A, Prong One - Claim 1 recites: A method for which a user carries out a job function and to detect or receive notification of an event triggered associated with the user carrying out a corresponding job function; receiving one or more events triggered based at least on the user carrying out the corresponding job function; automatically processing responsive to occurrence of the one or more events as the one or more events are received, one or more event information comprising a platform identity indicating the specific platform on which the event occurred, a user identity uniquely identifying the user associated with the event and a change in status of the user on a platform corresponding to the platform identity; determine, responsive to each event and based on the information, one or more rules to use to match each event; determine, responsive to the one or more rules matching the event, a training identified by the rules to be completed by the user identified by the user identity of the event; identifying, responsive to and based at least on the one or more events, the change of status of the user, maintaining a status of the user; determining that the change of status is not to be allowed before the user completes the training; and one of revoking or intercepting, responsive to determining the change of status is not to be allowed, one or more commands to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status. These claim elements are considered to be abstract ideas because they are directed to “certain methods of organizing human activity” which include “managing personal behavior.” In this case, the claim as a whole is directed to management of compliance training based on rules (see MPEP 2106.04(a)(2), following rules or instructions). 
If a claim limitation, under its broadest reasonable interpretation, covers managing personal behavior, then it falls within the “certain methods of organizing human activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
Step 2A Prong 2 - The judicial exception is not integrated into a practical application. Claim 1 includes additional elements: by one or more servers, via one or more adapters; one or more platforms; using one or more application programming interfaces (APIs) of the corresponding platform; an event record manager; one or more event records; a rules engine; and a rules storage.
The server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms (Paragraph 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The application programming interface (API) is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084). Merely stating that the step is performed by a computer component results in “apply it” on a computer (MPEP 2106.05f). These elements of “server,” “adapter,” “platform,” “API,” “event record manager,” “event record,” “rules engine,” and “rules storage” are recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using a generic computer element.
Also, the adapter and API are considered “field of use” (MPEP 2106.05h) as they’re just used to receive status information, but the technology is not improved. Accordingly, alone and in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to an abstract idea.
Step 2B - The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the claims describe how to generally “apply” the concept of changing the status of the user based on rules (e.g., before or after completing the required training). The specification shows that the server is merely used to implement a system for automated management of compliance training (Paragraph 0069). The adapter is merely used to receive one or more events from one or more platforms (Paragraph 0109). The platform is merely used to record and indicate to the user their change in status (Paragraph 0075). The API is merely used to access one or more platforms (Paragraph 0019). The event record manager is merely used to retrieve information (also referred to as a pull mechanism) from one or more platforms 202-(1-N) associated with one or more events (Paragraph 0072). The event record is merely used to include information related to an event (Paragraph 0074). The rules engine is merely used to determine appropriate compliance training that is to be completed by the user before, during, or after a change of a status is implemented in one or more platforms 202-(1-N), or eligibility of a change of status is indicated to the one or more platforms 202-(1-N) (Paragraph 0076). The rules storage is merely used to store rules that define one or more actions or requirements, such as compliance training that the user has to undergo in response to a corresponding event associated with platform 202. Training storage 230 may store one or more compliance training modules or programs or any training content such as compliance training programs that are used for training the one or more users in response to one or more events associated with platforms 202-(1-N) (Paragraph 0084).
Also, the adapter and API are considered a conventional computer function of “receiving or transmitting data over a network” and “performing repetitive calculations” (MPEP 2106.05d). Thus, nothing in the claim adds significantly more to the abstract idea. The claim is ineligible.
Independent claim 11 is directed to an apparatus at step 1, which is a statutory category. Claim 11 recites similar limitations as claim 1 and is rejected for the same reasons at step 2a, prong one; step 2a, prong 2; and step 2b. The claim is not patent eligible.
Dependent claims 2-9 and 11-18 are not directed to any additional claim elements. Rather, these claims offer further descriptive limitations of elements found in the independent claims and addressed above - such as wherein the server: applies one or more rules to the one or more events to determine the training that is to be completed by the user before the change of the status is implemented in the one or more platforms; determines a level of harm if the user is allowed the change in status in the one or more platforms before the user completes the training; determines the change of status is to be allowed while the user completes the training; determines the change of status of the user is to be withheld while the user completes the training; identifies that the user is designated as a candidate for one or more types of the one or more events and assigning the user training to complete to implement the change in status; causes the change in status in the one or more platforms responsive to the user completing the training; causes the change in status in the one or more platforms and tracking progress or completion of the training of the user; disables the change in status in the one or more platforms responsive to the user not completing the training within a set period. These processes are similar to the abstract idea noted in the independent claim because they further the limitations of the independent claim which are directed to “certain methods of organizing human activity” which include “managing personal behavior” (e.g., following rules or instructions). In addition, no additional elements are integrated into the abstract idea. Therefore, the claims still recite an abstract idea that can be grouped into a method of organizing human activity.
Dependent claims 10 and 20 are directed to additional elements such as: an application programming interface (API). The API is further used to access one or more platforms and enable communication between the system components for information exchange (Paragraphs 0019 & 0069). The API is considered “field of use” at step 2A, Prong 2 (MPEP 2106.05h); as it’s just used to receive information and does not improve the technology. Also, at Step 2B, the API is considered a conventional computer function of “receiving or transmitting data over a network” (MPEP 2106.05d). Thus, nothing in the claim adds significantly more to the abstract idea. The claim is ineligible.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 10-11, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al. (US 2021/0141932 A1), in view of Linga et al. (US 2021/0256152 A1), in further view of Carter et al. (US 2011/0277012 A1).
Regarding claim 1 (Currently Amended), Barday et al. discloses a method comprising establishing, by one or more servers of a system, … to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms (Paragraph 0008, Various other embodiments of data subject access request processing systems and methods are described in the listing of concepts below: 1. A data subject access request processing system, according to various embodiments, comprises: one or more data subject access request management servers; Paragraph 0419, In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. The learning management system may then be configured to interface with one or more system access authorization systems in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) 
in order to do so; Examiner interprets the LMS as the platform that carries out a job function, wherein the job function refers to a user completing a training), each of the … of the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event triggered by the corresponding platform associated with the user carrying out a corresponding job function on the corresponding platform (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0418, In response to determining that the user and/or the computing device is not authorized to access the first data asset, the system may be configured to redirect the user (e.g., the user's computing device) to a second data asset. 
In various embodiments, the second data asset may include any suitable system, software, or other suitable data asset for, for example: (1) providing the user the opportunity to acquire authorization to access the first data asset (e.g., by enabling the user to complete one or more compliance trainings required to access the first data asset); (2) providing the user with training on how to make authorized access to the first data asset (e.g., by enabling the user to complete one or more required certifications, providing the information and/or training on device requirements to access the first data asset, etc.); and/or (3) enforcing one or more requirements related to the access to the first data assets (e.g., one or more requirements related to completion of one or more trainings related to the unauthorized access); In this case, the “event trigger” is to enable the user to complete one or more compliance trainings required to access the first data asset);
receiving, by the … one or more servers, via one or more APIs one or more events triggered from the one or more platforms based at least on the user carrying out the corresponding job function on the corresponding platform on the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use);
automatically processing, by an event record manager of the one or more servers responsive to occurrence of the one or more events as the one or more events are received, event records of the one or more events to extract from the one or more event records information comprising a platform identify indicating the specific platform on which the event occurred, a user identity uniquely identifying the user associated with the event and a change in status of the user on a platform corresponding to the platform identity (Paragraph 0008, one or more data subject access request management servers; Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. 
In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Paragraph 0417, A user access management system, in various embodiments, is configured to analyze one or more pieces of data related to a user attempting to access a first data asset and/or the computing device via which the user is attempting to access the first data asset in order to determine the user's and/or the computing device's authorization to access the first data asset. In various embodiments, the first data asset may include any suitable data asset associated with the company such as, for example: (1) one or more software systems; (2) one or more data systems; (3) one or more databases (e.g., one or more databases that store particular types of data, such as customer data, personal data, employee data, etc.); and/or (4) any other suitable data asset. 
In any embodiment described herein, a first data asset (e.g., and/or any other suitable data asset or combination of data assets discussed herein) may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.; In this case, Barday et al. discloses whether a particular employee (interpreted as the user identity) attempting to access a particular system (interpreted as platform identify such as one or more pieces of software and/or data within that system) has completed any necessary requirements (interpreted as a change in status of the user on a platform corresponding to the platform identity such as determining training/certifications status, wherein the status is used to determine access to the particular system);
determine, by a rules … responsive to each event record and based on the information in the one or more event records, one or more rules … to use to match each event record; determine, by the rules … responsive to the one or more rule matching the event record, a training identified by the rules … to be completed by the user identified by the user identity of the event record (Paragraph 0416, Various entities may require their employees to take one or more compliance training, security training, privacy training, and other training courses as part of their employment. In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. In various embodiments, the learning management system may be configured to interface with one or more system access authorization systems (e.g., access control systems) in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) in order to do so. 
In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; Examiner notes that Barday et al. identifies appropriate training required by the user based on user identity of the event record (e.g., particular user and/or user’s role within the company));
identifying, by the one or more servers responsive to and based at least on the one or more events records, the change of status of the user to occur on the one or more platforms, each platform of the one or more platforms maintaining a status of the user on that platform separate from the status of the user on another platform of the one or more platforms (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner interprets the learning management system as the first platform, wherein the learning management system maintains a status of the user (e.g., required compliance training). 
Also, Examiner interprets the one or more pieces of software as the second platform, wherein the one or more pieces of software maintains another status of the user (e.g., user’s permissions/access in response to completing the necessary training));
determining, by the one or more servers, that the change of status is not to be allowed in the platform of the one or more platforms before the user completes the training (Paragraph 0008, one or more data subject access request management servers; Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Examiner notes that the change of status is not allowed before the user completes the training (e.g., change in user’s permission is not allowed until the user completes the required compliance training));
and one of revoking or intercepting, by the event manager responsive to determining the change of status is not to be allowed, one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status (Paragraph 0008, one or more data subject access request management servers; Paragraph 0173, (3) using one or more application programming interfaces (API) to obtain data for the data model from another software application; Paragraph 0219, In still other embodiments, in addition to connecting to a database, the system may be configured to: (1) access an application through one or more application programming interfaces (APIs); Paragraph 0420, In a particular example, an employee (e.g., a system user) may attempt to access a particular business application. In response to the use attempting to access the particular business application, the system may be configured to access the learning management system to determine a completion state (e.g., and completion date) or one or more training courses associated with the particular business application that the employee is attempting to access. In response to determining that the employee (e.g., user) has not completed a particular required training related to the use of the business application (e.g., and/or the user has completed the required training but the completion is expired or out of date), the system may be configured to substantially automatically (e.g., automatically) redirect the employee to the curriculum and/or training that the employee is required to complete (e.g., and pass) before the employee can access the business application. 
In response to determining that the employee has completed the required training, the system may be configured to automatically redirect the employee back to the desired business application for use; Paragraph 0422, In various embodiments, the system may be configured to integrate with one or more single sign on systems (e.g., or other suitable systems for managing access control by a user to multiple software and/or data systems). The system may be configured to use the single sign on system to access data for an authenticated user. For example, the system may be configured to: (1) verify a user's credentials via the single sign-on and/or access control system; (2) verify a particular application the user is trying to access (e.g., in response to the access attempt by the user via single sign-on); (3) review a system of data related to the particular application (e.g., training requirements for access, certification requirements for access, device requirements for access, etc.); (4) determine whether the user has passed and taken the appropriate (e.g., required) security, privacy or other training classes (e.g., or holds the required one or more certifications); (5) in response to determining that the user has passed the required trainings and/or holds the required certifications, allow access to the requested application; and (6) in response to determining that the user has not passed one or more of the required trainings and/or does not hold all of the required certifications, automatically redirect the user to force the user to complete the missing training(s) and/or certifications prior to access; Paragraph 0416, In particular embodiments, the system may be configured to determine whether a particular user accessing a system has completed any necessary training or certifications based at least in part on, for example: (1) a type of system the user is attempting to access; (2) a type of data stored on the system (e.g., customer, employee, financial, etc.); (3) 
a classification of that data (e.g., sensitive, public, etc.); (4) a volume of data stored within the system; (5) the user's role within the company; (6) a type of computing device via which the user is attempting to access the system; (7) one or more attributes of the device; and/or (8) any other suitable information related to the user, the attempted access, and/or the system, software, data, or other asset the user is attempting to access. In response to determining that the user does not have authorization to access the system (e.g., because the user has not completed one or more required trainings and/or certifications), the system may be configured to prevent the access, and redirect the user to the appropriate training required for completion prior to allowing access; As stated in Paragraph 0004 of Applicant’s specification, the change of status may be changing user’s permission/access. Therefore, based on broadest reasonable interpretation in light of the specification, Barday et al. discloses “one or more commands communicated to the platform to apply the change in user status thereby preventing the change of status or reverting the user back to a status prior to the change of status” since it can change user’s permission/access back to a status prior to the event in response to detecting that the user does not have all the required trainings/certifications and/or trainings/certifications have expired).
Although Barday et al. discloses all the limitations above and an API configured to communicate with a corresponding platform of the one or more platforms, Barday et al. does not specifically disclose one or more adapters to one or more platforms. Also, although Barday et al. discloses one or more event records information comprising a user identity and platform identity (e.g., whether a particular employee has access to a particular system), Barday et al. does not specifically disclose wherein the event record indicates the specific platform on which the event occurred.
However, Linga et al. discloses one or more adapters to one or more platforms (Paragraph 0130, Computer system/server 702 may also communicate with one or more external devices 720 via a I/O adapter 724, such as a keyboard, a pointing device, a display 722, etc.; one or more devices that enable a user to interact with computer system/server 702; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 702 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 724 of the adapter 726. Still yet, computer system/server 702 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter), …;
automatically processing, by an event record manager of the one or more servers responsive to occurrence of the one or more events as the one or more events are received, event records of the one or more events to extract from the one or more event records information comprising a platform identity indicating the specific platform on which the event occurred, a user identity uniquely identifying the user associated with the event and a change in status of the user on a platform corresponding to the platform identity (Paragraph 0062, FIG. 2A illustrates an example code annotation and documentation management configuration according to example embodiments. Referring to FIG. 2A, the configuration 200 may include a code repository server 120 which may be a local enterprise server or a server maintained at a third party source, such as ‘GITHUB’ which can be used to access code and manage code development efforts. When one or more user devices 102/103 attempt to access the server 120 and retrieve, access and/or modify code, the code may be organized as segments or blocks 226 which may be accessed according to one or more code access permissions/restrictions 206 associated with the user devices 102/103. Each device profile may have a unique copy of the code blocks/segments 225/227 depending on the permissions and rights associated with the user devices 102/103; Paragraph 0064, An identity of a user device may be confirmed from credentials, such as multi-factor authentication (MFA) which are stored on the device and forwarded during an access attempt. For example, a personal access token may be required to obtain access to the code repository. A software source code security function may be stored in the third party cloud code source. The agent application may be periodically auditing the user device 102 to ensure the permissions are active and the actions taken are consistent with the permissions associated with that particular user device 102);
determine, by a rules … responsive to each event record and based on the information in the one or more event records, one or more rules selected from a rule … to use to match each event record (Paragraph 0107, The one or more automated actions taken by the server code management application may include, upon identifying a rule violation, one or more of revoking user profile code access permissions, locking access to the sensitive code segments, and preventing code egress operations); …
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., training required to access the system) of the invention of Barday et al. to further specify a platform identity indicating the specific platform on which the event occurred (e.g., Github) of the invention of Linga et al. because doing so would allow the method to use a third-party source to access code and manage code development efforts (see Linga et al., Paragraph 0062). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Although the combination of Barday et al. and Linga et al. discloses to determine, by the rules responsive to each event record and based on the information in the one or more event records, one or more rules to use to match each event record (see Barday et al., Paragraph 0416, determine whether the user may access a particular system based on completed training/certifications and/or role; see Linga et al., Paragraph 0107, rule violation), the combination of Barday et al. and Linga et al. does not specifically disclose wherein the rules are stored in a rules storage.
However, Carter et al. discloses to determine, by a rules engine responsive to each event record and based on the information in the one or more event records, one or more rules selected from a rule storage to use to match each event record; determine, by the rules engine responsive to the one or more rules matching the event record, a training identified by the rules engine to be completed by the user identified by the user identity of the event record (Figure 3, item 325, Policy, Paragraph 0060, In these illustrative examples, access control process 324 selects number of access permissions 320 from permissions 323 for first user 308. Number of access permissions 320 is selected using policy 325 in these illustrative examples. Policy 325 is a number of rules used by access control process 324 in controlling access to resources 318; Paragraph 0083, Events 510 are rules for selecting number of permissions for a trainee based on events that may occur. For example, events 510 may include steps completed 512 and resources accessed 514. Steps completed 512 are rules that assign or provide the trainee additional permissions of the trainer as different steps in a training session are completed. For example, with a successful completion of changes to a code base, a software engineer in training may be provided additional permissions to run the code base. Resources accessed 514 may include rules that provide the trainee additional permissions based on the resources being used. As one illustrative example, a rule may indicate that a trainee may not have access to edit particular files until other files have been edited).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the method for controlling a change in status of the user based on information received, via an API, from one or more platforms (e.g., rules to determine whether the user may access a particular system based on completed training/certifications and/or role) of the invention of Barday et al. to further specify wherein the rules are stored in a rules storage of the invention of Carter et al. because doing so would allow the method to use rules for selecting number of permissions for a trainee based on events that may occur (see Carter et al., Paragraph 0060). Further, the claimed invention is merely a combination of old elements, and in combination each element would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding claim 11 (Currently Amended), Barday et al. discloses a system comprising: one or more servers to: establish … on the system to one or more platforms, the one or more platforms providing a separately distinct platform from the system for which a user carries out a job function unique to a corresponding platform of the one or more platforms (Paragraph 0008, Various other embodiments of data subject access request processing systems and methods are described in the listing of concepts below: 1. A data subject access request processing system, according to various embodiments, comprises: one or more data subject access request management servers; Paragraph 0419, In various embodiments, an entity or organization may utilize one or more learning management systems in order to deliver one or more compliance, security, privacy and other training and/or certification courses for completion by one or more employees. The learning management system may then be configured to track training requirements (e.g., on an employee-by-employee basis) in addition to completion status of required trainings. The learning management system may then be configured to interface with one or more system access authorization systems in order to ensure that a particular employee attempting to access a particular system (e.g., or one or more pieces of software and/or data within that system) have completed any necessary requirements (e.g., trainings, certifications, etc.) 
in order to do so; Examiner interprets the LMS as the platform that carries out a job function, wherein the job function refers to a user completing a training), each of the … of the system configured to communicate with a corresponding platform of the one or more platforms over one or more networks using one or more application programming interfaces (APIs) of the corresponding platform and to detect or receive notification of an event triggered by the corresponding platform associated with the user carrying out a corresponding job function on the corresponding platform (Paragraph 0008, one or more data subject access request managem