DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is response to RCE filed on 12/17/2025.
Claims 1-6, 8-14, and 16-22 are currently pending in this application.
No IDS has been filed for this application.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/17/2025 has been entered.
Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of new grounds of rejection. See amended rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 5, 13, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Hen et al. US Patent Application Publication 2023/0110080 (Hen), in view of Goel et al. US Patent Application Publication 2022/0129575 (Goel), in view of Kukreja et al. US Patent Application Publication 2021/0014221 (Kukreja), and further in view of Cunico et al. US Patent Application Publication 2018/0082069 (Cunico).
As per claim 5, Hen teaches a method comprising: generating a dataset comprising a plurality of users, the plurality of entries comprising the user access information and the user group information (paragraphs 60-62 wherein all the information is collected such that the system can generate a prediction model; see further paragraph 67-71 with multiple users); inputting, into a machine learning model, the dataset to obtain a plurality of predictions as to whether the user requires access to one or more functions to one or more applications, wherein the machine learning model is trained to predict required user access (abstract and throughout; paragraph 61 wherein generating a model that predicts access rules for identity based on configuration data obtained from multiple tenants/clusters; see also paragraphs 71-72); and in response to determining that a particular prediction does not include one or more particular functions included in the user access information for the user, revoking access to an access token or removing information assocaited with the one or more particular functions or the user (abstract, paragraph 62 with utilizing prediction to determine misconfiguration based on current identity/role; see also paragraph 79 with misconfiguration alert; see paragraph 35 with alert including access rule that is extra or missing; see paragraph 49 with access rules determines which applications/resources a role can access; see further paragraphs 65-66 with alert including description of included/excluded access rules; paragraphs 65 and 66 further teach automatic reconfiguration of the user’s access based on whether a rule is included or excluded, thus teaching adding or revoking rights).
Although Hen teaches making predictions, Hen does not explicitly teach making a plurality of predictions and applying it to a plurality of users. This would have been inherent, if not obvious, to one of ordinary skill in the art. As seen in Hen, the reference is directed toward RBAC (role based access control) and configuring rules for multiple tenants/clusters (see paragraph 59/60). It would have thus been obvious that the predictions being made in Hen apply to more than one user, as a system built for configuring roles/permissions should be applied to more than one person/individual. However, for a more explicit teaching on configuring permissions for multiple entities, see Goel (see paragraphs 40-43 with monitoring permissions of multiple users; based on the scans and monitoring, customers with higher privileges than they should are identified and access is restricted). Goel thus further teaches revoking access to an access token or removing information associated with one or more particular functions or the respective user identifier (Goel paragraph 42).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Hen with Goel. One of ordinary skill in the art would have been motivated to perform such an addition to provide a flexible way to control access privileges based on actions (paragraph 70 of Goel).
Although the Hen combination teaches generating datasets and inputting into a machine learning model, the Hen combination does not teach generating based on user access information and user group information for a plurality of users, the user access information indicating access history for a user of the plurality of users, and the user group information indicating one or more other users associated with the user and one or more corresponding groups. However, inputting information such as access history of a user and user group information indicating one or more other users assocaited with the user and one or more corresponding groups into a learning machine model would have been obvious. For example, see Kukreja (paragarphs 9, 10, claims 2 and 3).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Hen combination with Goel. One of ordinary skill in the art would have been motivated to perform such an addition to provide efficient session parameters specific to particular users (paragraph 4 of Kukreja).
Although the Hen combination teaches access control based on history, the combination does not explicitly teach the histories including information indicating one or more users that communicate with the user. However, utilizing historical information such as prior communications to determine access control is well known in the art. For example, see Cunico (paragraphs 22-27 with controlling access based on historical communication information).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Hen combination with Cunico. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by protecting information to avoid unauthorized and unwanted disclosures (paragraph 1 of Cunico).
Claim 13 is rejected using the same basis of arguments used to reject claim 5 above.
As per claim 22, the Hen combination teaches wherein the user access information indicates one or more occurrences of a user accessing a function of the one or more functions of the one or more applications (Goel paragraph 38 with management events or alerts for unauthorized activity; see paragraph 34 wherein privileges may include particular commands or programs).
Claim(s) 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over the Hen combination as applied above, in view of Webster et al. US Patent Application Publication 2022/0198015 (Webster).
As per claim 6, the Hen combination does not explicitly teach wherein the user association information indicates other user identifiers with which each user identifier is associated and wherein the user access information indicates the one or more functions of the one or more applications to which each user identifier has access and the one or more functions with each training identifier has accessed. However, this would have been obvious, if not inherent, over Hen. Hen teaches utilizing rules and predictions based on RBAC, and that would heavily imply, or would have been inherent, that such information are associated with other users of that identity (paragraph 73 with machine learning utilizing identity/role bindings data and role/access rule data collected form multipole tenants/clusters; see also paragraphs 60-61; see paragraphs 48-50 with an RBAC system which relates users to roles and correlates users with other users based on their roles; see paragraph 66 with comparison of user identities with other roles in the same cluster;). However, for a further teaching on roles and the association with other users, see Webster (paragraph 58 with role based risk events are identified based on behavior data of plurality of users; see further paragraph 69 that events and settings may be based on actions of multiple users; see also throughout Webster wherein such behaviors are used to predict events and dynamic adjustment of role based access (paragraphs 5-6 and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Webster with the Hen combination. One of ordinary skill in the art would have been motivated to perform such an addition to increase security and improve efficiency (paragraph 5 of Webster).
Claim 14 is rejected using the same basis of arguments used to reject claim 6 above.
Claim(s) 8, 9, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over the Hen combination as applied above, in view of Nevatia et al. US Patent Application Publication 2020/0412726 (Nevatia)
As per claim 8, the Hen combination teaches receiving a training dataset comprising a plurality of training dataset entries for a plurality of users, the plurality of entries comprising training group information and training access information, the training group information indicating other users with which each user is associated and the training access information indicating the access history for auser of the plurality of users (Hen paragraph 35 that detects when access rule is missing for assigned role or extra; see also Kukreja paragraphs 9 and 10). Although Hen teaches utilizing machine learning, which inherently requires training, Hen does not explicitly teach wherein each training dataset entry comprises an output label indicating whether each user requires access to the one or more functions of the one or more applications and training, using the training dataset, the machine learning model. This would have been obvious, if not inherent, as machine learning models need to be trained in order to output the desired outcomes. Hen already teaches utilizing a machine learning model to predict roles that are extra and missing, and it would have been obvious to train the model accordingly. However, for a more explicit teaching on training, see Nevatia (paragraph 26 with training machine learning utilizing access rights data and a plurality of labels. Nevatia further teaches information including the data/functions to which users have accessed (paragraph 26 with historical data that relates to permissions; and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Hen combination with Nevatia. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by minimizing risks that may result from unauthorized access (paragraph 10 of Nevatia).
As per claim 9, the Hen combination does not explicitly teach wherein the particular prediction comprises a probability of required access, and wherein determining that the particular prediction does not include the one or more particular functions included in the user access information comprises determining that the probability does not reach a threshold for required access. However, utilizing probabilities to determine whether a user should have access or not would have been obvious. For example, see Nevatia (paragraph 34 with utilizing probabilitie scores to determine access rights of user and revoking or allowing access level based on prediction probability; see also paragraph 26 with threshold probabilities used in determining restricted access levels).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Hen combination with Nevatia. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by minimizing risks that may result from unauthorized access (paragraph 10 of Nevatia).
Claim 16 is rejected using the same basis of arguments used to reject claim 8 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 9 above.
Claim(s) 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the Hen combination as applied above, in view Parimi et al. US Patent Application Publication 2017/0295197 (Parimi).
As per claim 10, the Hen combination does not explicitly teach wherein retrieving the user access information for the plurality of users comprises: accessing a permissions file indicating the one or more functions of the one or more applications to which each user identifier has access; accessing an access log for the plurality of users, wherein the access log indicates one or more occurrences of each user identifier accessing the one or more functions of the one or more applications to which each user identifier has access; and extracting, from the access log, the one or more occurrences of each user identifier accessing the one or more functions fo the one or more applications. However, retrieving such access permissions including permission files, access logs, and which users have accessed what resources would have been obvious. For example, see Parimi (paragraph 196 with finding all user permissions, role privileges, and user activities performed by all users from entire history).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Parimi with the Hen combination. One of ordinary skill in the art would have been motivated to perform such an addition to increase security by detecting discrepancies (paragraph 7).
Claim 18 is rejected using the same basis of arguments used to reject claim 10 above.
Claim(s) 11, 12, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the Hen combination as applied above, in view Smith US Patent No. 11,689,534 (Smith)
As per claim 11, Hen does not explicitly teach wherein retrieving the user association information for the plurality of users comprises: accessing a user listing comprising the plurality of user identifiers; extracting, from the user listing, a group identifier associated with each user identifier, wherein the group identifier indicates a group of other user identifiers to which each user identifier belongs; and identifying the other user identifiers associated with the group identifier. However, identifying users and associating them with group for access control is well known in the art. For example, see Smith (col. 2 lines 60 to col. 3 line 8 with updating permissions for roles; see col. 3 lines 35-44 with associating roles with all the users; changing permissions within a role will change permissions to all users within role).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Hen with Smith. One of ordinary skill in the art would have been motivated to perform such an addition to increase security and efficiency (col. 1 lines 20-30).
As per claim 12, the Hen combination teaches generating a recommendation to revoke access to one or more particular functions of the one or more applications from the other user identifiers associated with the group identifier; and outputting the recommendation (see throughout Hen paragraphs 34-35 and throughout with recommending to remove or add access rights; see throughout Smith such as in col. 2 line 60 to col. 3 line 8 with making changes to permissions within a role to change the permissions of all users within the role/group)
Claim 19 is rejected using the same basis of arguments used to reject claim 11 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 12 above.
Claim(s) 21 is rejected under 35 U.S.C. 103 as being unpatentable over the Hen combination as applied above, in view Cameron US Patent Application Publication 2012/0246695 (Cameron)
As per claim 21, the Hen combination does not explicitly teach wherein the user access information indicates that a user has: a first level of access to a first function of an application of the one or more applications, and a second level of access to a second function of the application, wherein the second level of access is different from the first level of access. However, having different levels of access to different functions of an application is well known in the art. For example, see Cameron (see paragraph 44 with role based access control; see paragraph 43 wherein resources may be computing functions; see paragraphs 55 and 56 wherein role based access includes different levels of access to a resource).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Cameron with the Hen combination. One of ordinary skill in the art would have been motivated to perform such an addition to provide further provisioning of rights by informing each of the resources of what the users’ access privileges are in relation to the particular resource (paragraph 56)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431. The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/JASON K GEE/Primary Examiner, Art Unit 2495