Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This communication is in response to the Request for Continued Examination filed on 03/09/2026, in which Claims 1-5 and 7-22 remain for examination.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/09/2026 has been entered.
Response to Arguments
Applicant's arguments with respect to amended claims have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-5, 7-11, 13-22 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Hirsch US PGPUB No. 20200097872 A1 in view of Kling US No. 20140181913 A1; in further view of Gutesman US 20160119380 A1.
As to claim 1, Hirsch discloses a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to (Hirsch Pa. [0009]) [aspects of the present disclosure generally relate to a system including: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to]: receive one or more separation of duty (SoD) rulesets (Hirsch Pa. [0009]) [receive one or more separation of duty (SoD) rulesets]; extract user authorizations corresponding to actions that potentially violate the one or more SoD rulesets (Hirsch Pa. [0042-0047]) [automated role system 110 extracts user identifications and authorizations from role database 130. In some cases, automated role system 110 extracts role definitions and role assignments for each user. Automated role system 110 may also extract SoD rulesets from SoD database 150... automated role system 110 may compare redesigned roles to the SoD rulesets to ensure no single roles violate a SoD]; harmonize the extracted authorizations (Hirsch Pa. [0002]) [user authorization management], wherein harmonizing the extracted authorizations comprises: identifying organization-wide authorizations in the extracted authorizations (Hirsch Pa. [0053]) [Following configuration, automated role system 110 may extract user activity, extract user identifications and authorizations, verify and validate data and functions, generate redesigned roles, test roles assigned to test used, verify and manually test any failed test roles, transmit role to product environment and provision roles to all users in the production environment at 310-380]
But Hirsch fails to teach determining that the organization-wide authorizations do not violate the one or more SoD rulesets; and identify, from the harmonized extracted authorizations, SoD violations.
However, Kling discloses determining that the organization-wide authorizations do not violate the one or more SoD rulesets (Kling Fig. 8, Pa. [0080]) [an access request may require approval before the IAM system provisions the requested access rights. If, however, the reviewer clears the potential SoD violation, the reviewer may dismiss the SoD violation (block 812:N) and the access request may be further reviewed, e.g., for completeness. It will be appreciated that an access request may be reviewed for completeness even if the access request does not represent a potential SoD violation (block 808:N)]; identify, from the harmonized extracted authorizations, one or more SoD violations (Kling Fig. 8, Pa. [0079-0080]) [an access request may require approval before the IAM system provisions the requested access rights…an access request that is flagged as a potential SoD violation (block 808:Y) may be sent to a reviewer for approval (block 810). If the reviewer confirms the potential SoD violation (block 812:Y), then the access request may be denied (block 814).]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Kling to the communication system of Hirsch would have yielded predictable results and resulted in an improved system, namely, a system that would provide access to computing resources and particularly relate to provisioning access to computing resources using an identity access management data model (Kling Pa. [0003]).
Furthermore, the combination Hirsch and Kling fails to disclose monitor a plurality of user actions corresponding to the user authorizations; and preempt at least one user action of the plurality of user actions in response to determining the at least one user action corresponds to at least one of the one or more SoD violations.
However, Gutesman discloses monitor a plurality of user actions corresponding to the user authorizations (Gutesman Pa. [0028]) [effective real-time monitoring of the actions performed by users over the business-critical applications and, therefore, providing visibility on potential and effective violations to a pre-defined set of incompatibilities] [0030] [matrices express conflicting actions in the business-critical application and are an input to the present embodiments. Two actions are considered to be in conflict if a user is authorized to execute both inside the same business-critical application. Conflicting actions could lead to fraudulent business activity]; and preempt at least one user action of the plurality of user actions in response to determining the at least one user action corresponds to at least one of the one or more SoD violations (Gutesman Pa. [0081]) [Preventive SoD violations can advantageously prevent potential frauds in addition to preventing improper authorizations assignments. Preventive SoD violations indicate when a user has executed certain action in conflict with another executable action] [0085] [The detective SoD method generates an alert (as described previously) when an SoD violation is effectively being exploited by a user, for example, performing two incompatible actions. An additional check within the detective SoD is actually verifying whether the SoD violation was performed in the same process flow]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Gutesman to the communication system of Hirsch and Kling would have yielded predictable results and resulted in an improved system, namely, a system that would provide real time detection and prevention of segregation of duties violations in business-critical applications (Gutesman Pa. [0002]).
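The claim 1 workflow mapped above (receive SoD rulesets, extract and harmonize authorizations across systems, clear organization-wide authorizations, identify full and partial violations, then monitor actions and preempt one that corresponds to a violation) is illustrated below in an added example. The code is not from the application or from Hirsch, Kling or Gutesman; the ruleset, the per-system action aliases, the organization-wide authorization set and the user extract are all constructed for the illustration, and the function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed SoD ruleset: each rule is an unallowed action pair in canonical names.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("create_user", "assign_role"),
]

# Constructed organization-wide authorizations held by every user; checked once
# against the ruleset rather than per user.
ORG_WIDE = {"view_reports"}

# Constructed per-system aliases: the same action carries different names in
# each system, so harmonization maps raw names onto canonical ones.
ALIASES = {
    "erp":       {"ZVEND01": "create_vendor", "F110": "approve_payment"},
    "ap_portal": {"vendor.new": "create_vendor", "payment.release": "approve_payment"},
    "iam":       {"user.create": "create_user", "role.assign": "assign_role"},
}

# Constructed extract of (user, system, raw_action) authorization records.
RAW_AUTHS = [
    ("alice", "erp", "ZVEND01"), ("alice", "ap_portal", "payment.release"),
    ("alice", "erp", "view_reports"),
    ("bob", "iam", "user.create"),
    ("carol", "erp", "F110"),
]

def relevant_actions(rules):
    """Actions that take part in at least one SoD rule."""
    return {a for pair in rules for a in pair}

def harmonize(raw_auths, aliases, rules):
    """Map raw per-system action names onto canonical names and keep only the
    authorizations that can potentially violate a rule. Returns {user: set}."""
    keep = relevant_actions(rules)
    auths = defaultdict(set)
    for user, system, raw in raw_auths:
        action = aliases.get(system, {}).get(raw, raw)  # unknown names pass through
        if action in keep:
            auths[user].add(action)
    return dict(auths)

def org_wide_is_clean(org_wide, rules):
    """True when no unallowed pair is fully contained in the org-wide set."""
    return not any(a in org_wide and b in org_wide for a, b in rules)

def find_violations(auths, rules):
    """Full violations: the user holds both actions of an unallowed pair."""
    out = {}
    for user, acts in auths.items():
        hits = [(a, b) for a, b in rules if a in acts and b in acts]
        if hits:
            out[user] = hits
    return out

def find_partial(auths, rules):
    """Partial violations: the user holds exactly one action of a pair, so a
    single added authorization would complete a full violation."""
    out = {}
    for user, acts in auths.items():
        parts = [(a, b) for a, b in rules if (a in acts) != (b in acts)]
        if parts:
            out[user] = parts
    return out

@dataclass
class Monitor:
    """Runtime check: an attempted action is preempted when it would complete an
    unallowed pair whose other half the same user has already executed."""
    rules: list
    violations: dict
    executed: dict = field(default_factory=lambda: defaultdict(set))

    def attempt(self, user, action):
        for a, b in self.violations.get(user, []):
            other = b if action == a else a if action == b else None
            if other is not None and other in self.executed[user]:
                return ("blocked", f"{action} would complete SoD pair ({a}, {b}) after {other}")
        self.executed[user].add(action)
        return ("allowed", "")

if __name__ == "__main__":
    assert org_wide_is_clean(ORG_WIDE, SOD_RULES)
    auths = harmonize(RAW_AUTHS, ALIASES, SOD_RULES)
    violations = find_violations(auths, SOD_RULES)
    print("full:", violations, "partial:", find_partial(auths, SOD_RULES))
    mon = Monitor(SOD_RULES, violations)
    for user, action in [("alice", "create_vendor"), ("alice", "approve_payment"),
                         ("carol", "approve_payment")]:
        print(user, action, mon.attempt(user, action))
```

The monitor only blocks the second half of a pair that the user both holds and has started to exercise; a user who merely holds a conflicting pair appears in the violation table for remediation (role change, authorization removal) rather than being stopped on every action.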
As to claim 2, Hirsch teaches wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to extract the one or more SoD rulesets from an SoD database (Hirsch Pa. [0033]) [automated role system 110 extracts the user activity (e.g., transaction code usage) from user activity database 140, role definitions and assignments from role database 130, and SoD rulesets from SoD database 150.]
As to claim 3, Hirsch teaches wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to analyze the one or more SoD rulesets to determine actions that potentially violate the one or more SoD rulesets (Hirsch Pa. [0047]) [automated role system 110 tests the generated roles. As a non-limiting example, automated role system 110 may compare redesigned roles to the SoD rulesets to ensure no single roles violate an SoD]
As to claim 4, Hirsch teaches wherein the user authorizations potentially violate the one or more SoD rulesets for a plurality of organizational systems (Hirsch Pa. [0042-0047]) [automated role system 110 extracts user identifications and authorizations from role database 130. In some cases, automated role system 110 extracts role definitions and role assignments for each user. Automated role system 110 may also extract SoD rulesets from SoD database 150... automated role system 110 may compare redesigned roles to the SoD rulesets to ensure no single roles violate an SoD]
As to claim 5, the combination Hirsch, Kling and Gutesman teaches wherein harmonizing the extracted authorizations (Hirsch Pa. [0002]) [user authorization management] comprises identifying a same vendor in multiple organization systems with divergent configurations (Gutesman Pa. [0085]) [The detective SoD method generates an alert (as described previously) when an SoD violation is effectively being exploited by a user, for example, performing two incompatible actions. An additional check within the detective SoD is actually verifying whether the SoD violation was performed in the same process flow (e.g. in the while creating a vendor and then issuing a payment to that same vendor, in the same system and by the same user).]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Gutesman to the communication system of Hirsch and Kling would have yielded predictable results and resulted in an improved system, namely, a system that would provide real time detection and prevention of segregation of duties violations in business-critical applications (Gutesman Pa. [0002]).
As to claim 7, the combination Hirsch, Kling and Gutesman teaches wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to create an alert for any SoD violations across a plurality of organizational systems (Gutesman Pa. [0159]) [If the system detects a conflict, it raises a detective alert, as shown by block 603. Once the system determined there was a violation to the SoD rules defined in the Conflict Rules Database 107, the system checks whether the user effectively exercised the conflicting actions, by checking the process tables. The system analyzes if the user exploited the conflict, as shown by Block 604, and if so, outputs a critical detective alert,]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Gutesman to the communication system of Hirsch and Kling would have yielded predictable results and resulted in an improved system, namely, a system that would provide real time detection and prevention of segregation of duties violations in business-critical applications (Gutesman Pa. [0002]).
As to claim 8, the combination Hirsch, Kling and Gutesman teaches wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to take a corrective action (Gutesman Pa. [0159]) [Once the system determined there was a violation to the SoD rules defined in the Conflict Rules Database 107, the system checks whether the user effectively exercised the conflicting actions, by checking the process tables. The system analyzes if the user exploited the conflict, as shown by Block 604, and if so, outputs a critical detective alert, as shown by block 605.]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Gutesman to the communication system of Hirsch and Kling would have yielded predictable results and resulted in an improved system, namely, a system that would provide real time detection and prevention of segregation of duties violations in business-critical applications (Gutesman Pa. [0002]).
As to claims 9-10, the combination Hirsch, Kling and Gutesman teaches wherein the corrective action comprises modifying user authorization to eliminate an identified SoD violation (Gutesman Pa. [0075]) [if the system captures an action where a user is being granted permissions, either by being assigned a new role or by already having a role that has just been modified, these new authorizations will be checked against the SoD matrices 103]; wherein the corrective action comprises removing a user role from a user to eliminate an identified SoD violation. (Gutesman Pa. [0009]) [Every periodical check of users' permissions still leaves a window where permissions can be granted and removed]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Gutesman to the communication system of Hirsch and Kling would have yielded predictable results and resulted in an improved system, namely, a system that would provide real time detection and prevention of segregation of duties violations in business-critical applications (Gutesman Pa. [0002]).
As to claim 11, the combination Hirsch, Kling and Gutesman teaches wherein the corrective action comprises altering a user role to eliminate an identified SoD violation (Gutesman Pa. [0075]) [if the system captures an action where a user is being granted permissions, either by being assigned a new role or by already having a role that has just been modified, these new authorizations will be checked against the SoD matrices 103]
As to claims 13 and 19, these claims recite limitations similar to those of claim 1; therefore, they are rejected under the same rationale.
As to claim 14, the combination of Hirsch and Kling teaches further comprising, in response to determining the one or more new user authorizations creates an SoD violation with the identified one or more partial SoD violations (Hirsch Pa. [0031-0041]) [creating new conflict-free roles] (Hirsch Pa. [0042-0051]) [automated role system 110 extracts user identifications and authorizations from role database - may compare redesigned roles to the SoD rulesets to ensure no single roles violate an SoD] (Hirsch Pa. [0052-0056]) [user-based SoD conflicts (e.g., users who have authorizations with violate SoD rulesets) may be minimized], remediating, via one of one or more computing devices, the SoD violation (Kling Pa. [0073]) [If the physical entitlements as provisioned do not match the physical entitlements as specified, then remedial measures may also be taken to align existing access rights for a user account with the access rights originally specified]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Kling to the communication system of Hirsch would have yielded predictable results and resulted in an improved system, namely, a system that would provide access to computing resources and particularly relate to provisioning access to computing resources using an identity access management data model (Kling Pa. [0003]).
As to claim 15, Hirsch teaches wherein remediating the SoD violation comprises disabling at least one of the one or more user authorizations (Hirsch Pa. [0052-0056]) [role redesign configuration may include adjustment of different parameters or conditions for different types of roles (e.g., unused/unassigned roles, unused transactions or functions within roles, and roles with SoD violations).]
As to claim 16, Hirsch teaches wherein a partial SoD violation is determined by an authorization of one action of an unallowed action pair in an SoD rule (Hirsch Pa. [0052-0056]) [user-based SoD conflicts]
As to claim 17, Hirsch teaches wherein the one or more new user authorizations comprises an added role to a user having a partial SoD violation (Hirsch Pa. [0031-0041]) [creating new conflict-free roles] (Hirsch Pa. [0042-0051]) [automated role system 110 extracts user identifications and authorizations from role database - may compare redesigned roles to the SoD rulesets to ensure no single roles violate an SoD] (Hirsch Pa. [0052-0056]) [user-based SoD conflicts (e.g., users who have authorizations with violate SoD rulesets) may be minimized. SoD conflicts were reduced by 95 percent]
As to claim 18, Hirsch teaches wherein the one or more new user authorizations comprises an additional authorization for a user having a partial SoD violation (Hirsch Pa. [0052-0056]) [role redesign configuration may include adjustment of different parameters or conditions for different types of roles (e.g., unused/unassigned roles, unused transactions or functions within roles, and roles with SoD violations). Certain parameters may include a risk dimension (e.g., setting different parameters for roles or functions classified as high, medium, or low risk), time dimension (e.g., removing roles, or functions within roles, where the role/function has not been assigned/used within a certain time period), whether old roles or functions should be archived or deleted,]
As to claim 19, Hirsch teaches wherein preempting the SoD violation comprises disabling a second action in the first potential SoD violation for the user (Hirsch Pa. [0052-0056]) [role redesign configuration may include adjustment of different parameters or conditions for different types of roles (e.g., unused/unassigned roles, unused transactions or functions within roles, and roles with SoD violations).]
As to claim 21, Hirsch teaches wherein preempting the SoD violation comprises disabling a user's authorization to conduct a second action in the first potential SoD violation (Hirsch Pa. [0052-0056]) [role redesign configuration may include adjustment of different parameters or conditions for different types of roles (e.g., unused/unassigned roles, unused transactions or functions within roles, and roles with SoD violations).]
As to claim 22, this claim recites limitations similar to those of claim 5; therefore, it is rejected under the same rationale.
Allowable Subject Matter
Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday - Friday 8:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVANS DESROSIERS/Primary Examiner, Art Unit 2491