Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
1. This action is in response to application amendments filed 12-10-2025.
2. Claims 1 - 20 are pending. Claims 1, 13, 17 have been amended. Claims 1, 13, 17 are independent. This application was filed on 8-16-2023.
Response to Arguments
3. Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 12-10-2025, with respect to the rejection(s) under Dargude have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Dargude in view of Sharma.
A. Applicant argues on page 11 of Remarks: ... Dargude does not disclose at least "obtaining, by a data management system as part of a backup procedure of an identity management system, a snapshot of the identity management system," ,,, ,
The Examiner respectfully disagrees. Dargude discloses an identity management server analogous to the claimed invention’s indicated identity management system. Dargude discloses a system that manages user entitlements of objects. Dargude discloses a structured set of permissions for interacting with objects. (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; col 17: Examples of systems ... , systems providing managed security services, data loss prevention systems, identity authentication systems, access control systems, encryption systems, policy compliance systems, intrusion detection and prevention systems, electronic discovery systems, and the like; (a particular sequence of steps is utilized in order to enable processing by a particular service); (access control system: accessed approved, access denied))
B. Applicant argues on page 12 of Remarks: ... Dargude does not disclose at least "identifying a sequential order associated with the one or more access approvals and the one or more access denials included in an access control list for a respective computing object from among the set of computing objects," ... .
The Examiner respectfully disagrees. Dargude discloses enabling various services to provide functions to system users. A service requires a set of predefined steps to enabling the service to perform its designated functions. (Dargude col 16: Cloud-computing environments may provide various services and applications via the Internet. These cloud-based services (e.g., software as a service, platform as a service, infrastructure as a service, etc.) may be accessible through a web browser or other remote interface. Various functions described herein may be provided through a remote desktop environment or any other cloud-based computing environment.; col 17: Examples of systems ... , systems providing managed security services, data loss prevention systems, identity authentication systems, access control systems, encryption systems, policy compliance systems, intrusion detection and prevention systems, electronic discovery systems, and the like; (a particular sequence of steps is utilized in order to enable processing by a particular service); (access control system: accessed approved, access denied))
C. Applicant argues on page 12 of Remarks: ... Dargude does not disclose at least "identifying a sequential order associated with the one or more access approvals and the one or more access denials included in an access control list for a respective computing object from among the set of computing objects," ... .
The Examiner respectfully disagrees. Dargude discloses enabling various services to provide functions to system users. A particular service requires a set of predefined steps to enable the service to perform its designated functions. (Dargude col 16: Cloud-computing environments may provide various services and applications via the Internet. These cloud-based services (e.g., software as a service, platform as a service, infrastructure as a service, etc.) may be accessible through a web browser or other remote interface. Various functions described herein may be provided through a remote desktop environment or any other cloud-based computing environment.; col 17: Examples of systems ... , systems providing managed security services, data loss prevention systems, identity authentication systems, access control systems, encryption systems, policy compliance systems, intrusion detection and prevention systems, electronic discovery systems, and the like; (a particular sequence of steps is utilized to enable processing by a particular service); (access control system: accessed approved, access denied))
D. Applicant argues on page 13 of Remarks: ... Dependent claims 2, 3, 14, 15, 18, and 19 each depend from one of independent claims 1, 13, and 17 and are therefore allowable for at least the same reasons that independent claims 1, 13, and 17 are allowable.
Responses to arguments against the independent claims also answer arguments against the associated dependent claims.
E. Applicant argues on page 13 of Remarks: ... Dependent claims 4-12, 16, and 20 each depend from one of independent claims 1, 13, and 17 and are therefore allowable for at least the same reasons that independent claims 1, 13, and 17 are allowable.
Responses to arguments against the independent claims also answer arguments against the associated dependent claims.
Claim Rejections - 35 USC § 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. Claims 1 - 3, 13 - 15, 17 - 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dargude et al. (US Patent No. 11,070,560) in view of Sharma et al. (US PGPUB No. 20240427670).
Regarding Claims 1, 13, 17, Dargude discloses a method and an apparatus and an non-transitory computer-readable medium storing code, comprising:
a) obtaining, a snapshot of the identity management system, wherein the identity management system governs access to a set of computing objects for a plurality of principals, the plurality of principals comprising users and groups of users; (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; Entitlements may be assigned directly to users by owners of objects or users of objects with appropriate permissions. In some examples, entitlements of objects for a user may be inherited from parent objects or from memberships in user groups.; col 8: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; col 14: include a primary storage device 532 and a backup storage device 533 coupled to the communication infrastructure 512 via a storage interface 534. ... the user profiles 121, the ACLs 122, and/or the effective entitlements 123 from FIG. 1 may be stored and/or loaded in the primary storage device 532.)
b) generating, based at least in part on the snapshot of the identity management system, membership data structures for the plurality of principals, wherein a membership data structure for a principal indicates one or more users or one or more groups included in the principal; (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; Entitlements may be assigned directly to users by owners of objects or users of objects with appropriate permissions. In some examples, entitlements of objects for a user may be inherited from parent objects or from memberships in user groups.)
c) obtaining, from a snapshot of the set of computing objects, access control lists for the set of computing objects, the access control lists indicating, for respective computing objects, one or more access approvals, one or more access denials, or any combination thereof for one or more associated principals from among the plurality of principals; (see Dargude col 7: an ACL may specify which users or system processes are granted access to objects. ACLs may indicate what operations are allowed on the object. Examples of operations may include READ, WRITE, DELETE, or the like. An ACL may be stored with an object or embedded in the object.; (access approval, access denial))
d) generating a set of mapping functions based at least in part on the access control lists, wherein applying a mapping function for an access control list to one or more membership data structures for one or more principals associated with the access control list yields a set of one or more permitted users, the set of one or more permitted users having access to a computing object that is associated with the access control list; (see Dargude col 7: the identity module 104 may generate a unique user identifier using data from the user profile. The identity module 104 may transmit the user identifier to the entitlement management module 108.; col 7: an ACL may specify which users or system processes are granted access to objects. ACLs may indicate what operations are allowed on the object. Examples of operations may include READ, WRITE, DELETE, or the like. An ACL may be stored with an object or embedded in the object.; (access approval, access denial)) and
e) using the set of mapping functions and the membership data structures to identify, for the set of computing objects, respective sets of one or more permitted users. (see Dargude col 7: obtain one or more ACLs for objects from the content source 208. The content source module 106 may process the ACLs 122 to identify one or more users and their associated entitlements. In some examples, the processing of the ACLs 122 may trigger obtaining user profiles 121 from identity management servers 206.; col 3: The systems and methods described herein may determine effective entitlements of users by associating information from a user profile of a user to the different permissions identified from the processed ACLs. The effective entitlements may be normalized and stored. The effective entitlements may include permissions from different types of content sources, enabling a unified view of the entitlements across the different content sources.)
Furthermore, Dargude discloses a data management system as part of an identity management system. (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; col 17: Examples of systems ... , systems providing managed security services, data loss prevention systems, identity authentication systems, access control systems, encryption systems, policy compliance systems, intrusion detection and prevention systems, electronic discovery systems, and the like; (a particular sequence of steps is utilized to enable processing by a particular service); (access control system: accessed approved, access denied))
Dargude does not specifically disclose a backup procedure of an identity management system (a snapshot of system state).
However, Sharma discloses wherein a backup procedure of an identity management system (recover a snapshot of system state). (see Sharma paragraph [0001]: A backup and restore application performs a backup operation either occasionally or continuously to enable this restoration, storing a copy of each desired data object state (such as the values of the data object and the embedding of these values in a database's data structures) within dedicated backup files. When the data protection administrator decides to reinstate the data object to a previous state, the data protection administrator specifies the desired previous state by identifying a desired time when the data object was in this previous state, and then instructs the backup and restore application to perform a restore operation to restore a copy of the corresponding backup file(s) for that previous state to the data object.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a backup procedure of an identity management system as taught by Sharma. One of ordinary skill in the art would have been motivated to employ the teachings of Sharma for the flexibility of a system that enables the utilization of a backup and restore mechanism to retrieve and recover a previous state for a system. (see Sharma paragraph [0001])
Furthermore, for Claim 13, Dargude discloses wherein one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to perform operations. (see Dargude col 14: The computer-readable medium containing the computer program may be loaded into the computing system 510. All or a portion of the computer program stored on the computer-readable medium may then be stored in the system memory 516 and/or various portions of the storage devices 532 and 533. When executed by the processor 514, a computer program loaded into the computing system 510 may cause the processor 514 to perform and/or be a means for performing the functions of one or more of the example embodiments described and/or illustrated herein.)
Furthermore, for Claim 17, Dargude discloses wherein a non-transitory computer-readable medium storing code, the code comprising instructions executable by one or more processors to perform operations. (see Dargude col 14: The computer-readable medium containing the computer program may be loaded into the computing system 510. All or a portion of the computer program stored on the computer-readable medium may then be stored in the system memory 516 and/or various portions of the storage devices 532 and 533. When executed by the processor 514, a computer program loaded into the computing system 510 may cause the processor 514 to perform and/or be a means for performing the functions of one or more of the example embodiments described and/or illustrated herein.)
Regarding Claims 2, 14, 18, Dargude-Sharma discloses the method of claim 1 and the apparatus of claim 13 and the non-transitory computer-readable medium of claim 17, further comprising: obtaining metadata for the plurality of principals based at least in part on information included in the snapshot, wherein the metadata for a principal comprises an identifier of the principal, direct group membership information for the principal, a type of the principal, one or more secureness attributes associated with the principal, or any combination thereof, and wherein the direct group membership information for the principal indicates one or more groups of which the principal is a direct member. (see Dargude col 7: obtain one or more ACLs for objects from the content source 208. The content source module 106 may process the ACLs 122 to identify one or more users and their associated entitlements. In some examples, the processing of the ACLs 122 may trigger obtaining user profiles 121 from identity management servers 206.; col 7: “user profile,” as used herein, generally refers to data, such as personal data and settings, associated with an identified user and stored in a data structure. The user profile may include a unique identifier for the user, such as an email address or username. Personal data that may be included in the user profile may include the user's name, address, contact information (e.g., phone number, email addresses, messaging handle, etc.), position within an organization, hierarchical organization information (e.g., direct reports, supervisor, etc.), or the like.)
Regarding Claims 3, 15, 19, Dargude-Sharma discloses the method of claim 1 and the apparatus of claim 13 and the non-transitory computer-readable medium of claim 17, further comprising:
a) identifying a sequential order associated with the one or more access approvals and the one or more access denials included in an access control list for a respective computing object from among the set of computing objects; (see Dargude col 8: the entitlement management module 108 may detect a conflict between the entitlements identified for the user. For example, conflicts may be between directly assigned entitlement for the user for an object and a group entitlement for the same object.) and
b) partitioning the access control list into one or more subsets of permissions based at least in part on the identified sequential order, wherein a subset of permissions comprises a single access denial of the one or more access denials and a subset of access approvals from among the one or more access approvals, and wherein generating a mapping function of the set of mapping functions for the respective computing object is based at least in part on the one or more subsets of permissions. (see Dargude col 8: conflicts may be between directly assigned entitlement for the user for an object and a group entitlement for the same object. In some examples, the entitlement management module 108 may resolve the conflict using a set of conflict resolution rules. For example, a rule may specify that directly assigned entitlements have higher priority than group entitlements, which would mean that the entitlement management module 108 would select the entitlement of the user over the group entitlement. Similarly, a rule may specify that group entitlements have a higher priority than individual entitlements, which would mean that the entitlement management module 108 may select the group entitlement over the individual entitlement of the user.)
6. Claims 4, 16, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dargude in view of Sharma and further in view of Brodfuehrer et al. (US PGPUB No. 20110055902).
Regarding Claims 4, 16, 20, Dargude-Sharma discloses the method of claim 3 and the apparatus of claim 13 and the non-transitory computer-readable medium of claim 17, wherein generating a mapping function from among the set of mapping functions comprises:
a) generating, for the one or more subsets of permissions, respective information that represent the one or more subsets of permissions; (see Dargude col 7: an ACL may specify which users or system processes are granted access to objects. ACLs may indicate what operations are allowed on the object. Examples of operations may include READ, WRITE, DELETE, or the like. An ACL may be stored with an object or embedded in the object.; (access approval, access denial)) and
b) generating the mapping function based at least in part on a combination of the respective information associated with the one or more subsets of permissions included in the access control list, the mapping function associated with the respective computing object. (see Dargude col 7: obtain one or more ACLs for objects from the content source 208. The content source module 106 may process the ACLs 122 to identify one or more users and their associated entitlements. In some examples, the processing of the ACLs 122 may trigger obtaining user profiles 121 from identity management servers 206.; col 3: The systems and methods described herein may determine effective entitlements of users by associating information from a user profile of a user to the different permissions identified from the processed ACLs.
Dargude does not specifically disclose for a) generating respective logical expressions that represent permissions, and for b) logical expressions that represent permissions.
However, Brodfuehrer discloses for a) generating respective logical expressions that represent the one or more subsets of permissions; and for b) wherein logical expressions that represent permissions. (see Brodfuehrer paragraph [0003]: modifying base permissions of access control lists by evaluating logical expressions on a server. A server determines base permissions for a subject by comparing a name of the subject against access control list entries for an object. The server maintains the access control list entries for the object that comprise base entries and logical expression entries. The logical expression access control list entries also include one of the following set operators: union, intersect, or replace. In addition to determining what base entries apply to the subject, the server determines the logical expression entries of the access control list entries for the object with logical expression attributes of the subject. The logical expression entries are evaluated to determine which logical expression entries are true for the logical expression attributes of the subject.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a) generating respective logical expressions that represent permissions, and for b) logical expressions that represent permissions as taught by Brodfuehrer. One of ordinary skill in the art would have been motivated to employ the teachings of Brodfuehrer for the flexibility of a system the enables the utilization of logical expressions in the secure processing of data based on permissions. (see Brodfuehrer paragraph [0003])
7. Claims 5, 7 - 9 are rejected under 35 U.S.C. 103 as being unpatentable over Dargude in view of Sharma and further in view of Smith et al. (US PGPUB No. 20050097357).
Regarding Claim 5, Dargude-Sharma discloses the method of claim 3, wherein using the set of mapping functions and the membership data structures to identify the respective sets of one or more permitted users comprises:
a) inputting the membership data structures for the one or more principals associated with the access control list into the mapping function for the access control list; (see Dargude col 7: obtain one or more ACLs for objects from the content source 208. The content source module 106 may process the ACLs 122 to identify one or more users and their associated entitlements. In some examples, the processing of the ACLs 122 may trigger obtaining user profiles 121 from identity management servers 206.) and
d) outputting, to a client, the set of one or more identifiers associated with the set of one or more permitted users. (see Dargude col 7: the identity module 104 may generate a unique user identifier using data from the user profile. The identity module 104 may transmit the user identifier to the entitlement management module 108.))
Dargude does not specifically disclose for b) generating a bitmap that represents the set of permitted users having access to computing objects, and for c) bitmap that represents the set of permitted users to a set of identifiers for the set of permitted users.
However, Smith discloses:
b) generating a bitmap that represents the set of one or more permitted users having access to the computing object that is associated with the access control list based at least in part on inputting the membership data structures into the mapping function; (see Smith paragraph [0060]: a bitmap security label is used to implement a multilateral security paradigm, the security label information is used to provide data access groups or user groups,) and
c) converting, based at least in part on a plurality of unique values assigned to the plurality of principals, the bitmap that represents the set of one or more permitted users to a set of one or more identifiers for the set of one or more permitted users, wherein a unique value of the plurality of unique values corresponds to a position in the bitmap that represents a respective principal. (see Smith paragraph [0060]: a bitmap security label is used to implement a multilateral security paradigm, the security label information is used to provide data access groups or user groups, in situations in which levels of classification are inappropriate (e.g., corporate environments, which are better delineated by function (e.g., marketing, engineering and the like)). In this scenario, the authentication server assigns a security bitmap that includes, for example, a bitmap with one or more bits set, indicating membership in one or more security groups (e.g., data access or user groups). As before, data packets need only be labeled with a single security level. However, in using a bitmap security label, multiple bits can be set in the bitmap, allowing a user, host or network entity to enjoy membership in multiple security groups.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for b) generating a bitmap that represents the set of permitted users having access to computing objects, and for c) bitmap that represents the set of permitted users to a set of identifiers for the set of permitted users. as taught by Smith. One of ordinary skill in the art would have been motivated to employ the teachings of Smith for the flexibility of a system that enables identification of clients within a compact data structure such as a bitmap. (see Smith paragraph [0060])
Regarding Claim 7, Dargude-Sharma discloses the method of claim 1, further comprising: assigning a plurality of unique values to the plurality of principals based at least in part on metadata for the plurality of principals. (see Dargude col 7: obtain one or more ACLs for objects from the content source 208. The content source module 106 may process the ACLs 122 to identify one or more users and their associated entitlements. In some examples, the processing of the ACLs 122 may trigger obtaining user profiles 121 from identity management servers 206.; col 7: “user profile,” as used herein, generally refers to data, such as personal data and settings, associated with an identified user and stored in a data structure. The user profile may include a unique identifier for the user, such as an email address or username. Personal data that may be included in the user profile may include the user's name, address, contact information (e.g., phone number, email addresses, messaging handle, etc.), position within an organization, hierarchical organization information (e.g., direct reports, supervisor, etc.), or the like.)
Dargude does not specifically disclose a unique value assigned to a principal comprises an integer associated with a position that represents the principal within one or more bitmaps.
However, Smith discloses wherein a unique value assigned to a principal comprises an integer associated with a position that represents the principal within one or more bitmaps, and wherein a quantity of bits in a bitmap of the one or more bitmaps is equal to a quantity of the plurality of principals identified from the snapshot. (see Smith paragraph [0060]: a bitmap security label is used to implement a multilateral security paradigm, the security label information is used to provide data access groups or user groups, in situations in which levels of classification are inappropriate (e.g., corporate environments, which are better delineated by function (e.g., marketing, engineering and the like)). In this scenario, the authentication server assigns a security bitmap that includes, for example, a bitmap with one or more bits set, indicating membership in one or more security groups (e.g., data access or user groups). As before, data packets need only be labeled with a single security level. However, in using a bitmap security label, multiple bits can be set in the bitmap, allowing a user, host or network entity to enjoy membership in multiple security groups.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a unique value assigned to a principal comprises an integer associated with a position that represents the principal within one or more bitmaps as taught by Smith. One of ordinary skill in the art would have been motivated to employ the teachings of Smith for the flexibility of a system that enables identification of clients within a compact data structure such as a bitmap. (see Smith paragraph [0060])
Regarding Claim 8, Dargude-Sharma-Smith discloses the method of claim 7, wherein assigning the plurality of unique values comprises: assigning respective unique values to the plurality of principals until all principals within the plurality of principals are assigned a respective unique value. (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user. ... generate a unique user identifier using data from the user profile. The identity module 104 may transmit the user identifier to the entitlement management module 108.)
Regarding Claim 9, Dargude-Sharma-Smith discloses the method of claim 7.
Dargude does not specifically disclose generating membership bitmaps for the plurality of principals in accordance with the plurality of unique values, wherein a membership bitmap for a principal of the plurality of principals comprises one or more bits set to a first value and remaining bits set to a second value.
However, Smith discloses wherein generating the membership data structures for the plurality of principals comprises: generating membership bitmaps for the plurality of principals in accordance with the plurality of unique values, wherein a membership bitmap for a principal of the plurality of principals comprises one or more bits set to a first value and remaining bits set to a second value, the one or more bits set to the first value corresponding to one or more positions in the membership bitmap that are assigned to one or more principals that descend from the principal within a hierarchical structure of the plurality of principals identified from the snapshot. (see Smith paragraph [0060]: a bitmap security label is used to implement a multilateral security paradigm, the security label information is used to provide data access groups or user groups, in situations in which levels of classification are inappropriate (e.g., corporate environments, which are better delineated by function (e.g., marketing, engineering and the like)). In this scenario, the authentication server assigns a security bitmap that includes, for example, a bitmap with one or more bits set, indicating membership in one or more security groups (e.g., data access or user groups). As before, data packets need only be labeled with a single security level. However, in using a bitmap security label, multiple bits can be set in the bitmap, allowing a user, host or network entity to enjoy membership in multiple security groups.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for generating membership bitmaps for the plurality of principals in accordance with the plurality of unique values, wherein a membership bitmap for a principal of the plurality of principals comprises one or more bits set to a first value and remaining bits set to a second value. as taught by Smith. One of ordinary skill in the art would have been motivated to employ the teachings of Smith for the flexibility of a system that enables identification of clients within a compact data structure such as a bitmap. (see Smith paragraph [0060])
8. Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Dargude in view of Sharma and further in view of Habraken et al. (US PGPUB No. 20110035604).
Regarding Claim 6, Dargude-Sharma discloses the method of claim 1.
Dargude does not specifically disclose for a) performing a plurality of secureness checks for the plurality of principals of the identity management system, comprising whether a principal has access to all computing objects of the set of computing objects, and for b) outputting an indication of respective secureness levels based at least in part on the plurality of secureness checks.
However, Habrakan discloses:
a) performing a plurality of secureness checks for the plurality of principals of the identity management system based at least in part on one or more secureness attributes comprising whether a principal has access to all computing objects of the set of computing objects, whether a password for the principal has an expiration time, whether the password for the principal aligns with one or more password policies, or any combination thereof; (see Habrakan paragraph [0137]: an operation that establishes that a user of the access card is a legitimate user, authorized to gain access to one or more of an organization's secure facilities. ... (e.g., a facial comparison with a photo identification or other biometric identification of the user, a security interview, and the like), and/or an electronic interaction with an automated gate-keeping circuit or software (e.g., entry of a personal identification number on a keypad at a front security desk, entry of a userid and password or other computer login through a remote login procedure, authentication of a digital certificate or other user credential, and the like).) and
b) outputting, to a client, an indication of respective secureness levels for the plurality of principals based at least in part on the plurality of secureness checks. (see Habraken paragraph [0109]: Trusted server 230 can also communicate an appropriate signal back to card reader 220, which flashes a green light and/or emits a tone or otherwise indicates that access has been approved. If trusted server 230 determines that access should not be granted, trusted server 230 can communicate a different signal back to card reader 220, which can then flash a red light and/or emit a tone or otherwise indicate that access has been denied.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a) performing a plurality of secureness checks for the plurality of principals of the identity management system, comprising whether a principal has access to all computing objects of the set of computing objects, and for b) outputting an indication of respective secureness levels based at least in part on the plurality of secureness checks. as taught by Habrakan. One of ordinary skill in the art would have been motivated to employ the teachings of Habrakan for the flexibility of a system that enables additional security such as the utilization of secure password. (see Habrakan paragraph [0137]; paragraph [0109])
9. Claims 10, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Dargude in view of Sharma and further in view of Weeden et al. (US Patent No. 8,055,680).
Regarding Claim 10, Dargude-Sharma discloses the method of claim 1, further comprising: performing a graph traversal procedure for the plurality of principals, wherein performing the graph traversal procedure comprises identifying, based at least in part on direct group membership information included in metadata for the plurality of principals. (see Dargude col 7: the identity module 104 may obtain a user profile from the identity management server 206. The identity module 104 may process the user profile and identify a user identifier associated with the user.; Entitlements may be assigned directly to users by owners of objects or users of objects with appropriate permissions. In some examples, entitlements of objects for a user may be inherited from parent objects or from memberships in user groups.)
Dargude does not specifically disclose a hierarchical structure comprising dependency chains between principals.
However, Weeden discloses wherein a hierarchical structure comprising dependency chains between principals. (see Weeden col 1: assigning ACLs to a hierarchical namespace to optimize ACL inheritance. Embodiments include creating an entitlement matrix for a plurality of resources, creating a tree structure having a plurality of nodes for the hierarchical namespace in dependence upon the entitlement matrix, creating a plurality of ACLs in dependence upon the entitlement matrix, identifying a plurality of attachment points in the hierarchical namespace for the ACLs in dependence upon ACL attachment rules, and attaching the ACLs to the attachment points. Creating an entitlement matrix for a plurality of resources may be carried out by creating a matrix of resources and permissions for users.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a hierarchical structure comprising dependency chains between principals as taught by Weeden. One of ordinary skill in the art would have been motivated to employ the teachings of Weeden for the flexibility of a system that enables multiple processing techniques such as hierarchical data structures utilized within the data processing environment. (see Weeden col 1)
Regarding Claim 11, Dargude-Sharma discloses the method of claim 10, wherein the graph traversal procedure comprises a plurality of iterations, and wherein performing an iteration of the plurality of iterations comprises:
b) performing, for the first set of principals and based at least in part on identifying the one or more groups, one or more union procedures to generate one or more membership data structures, the one or more membership data structures for the one or more groups identified in the respective subset of direct group membership information for the first set of principals. (see Dargude col 7: “user profile,” as used herein, generally refers to data, such as personal data and settings, associated with an identified user and stored in a data structure. The user profile may include a unique identifier for the user, such as an email address or username. Personal data that may be included in the user profile may include the user's name, address, contact information (e.g., phone number, email addresses, messaging handle, etc.), position within an organization, hierarchical organization information (e.g., direct reports, supervisor, etc.), or the like. Settings may include information indicative of a user's preferences in a computing environment, past user behavior, and the like. User profile information may indicate default entitlement for information objects and membership in any user groups.)
Furthermore, Dargude discloses for a) identifying, for a first set of principals from among the plurality of principals identified from the snapshot of the identity management system, a respective subset of metadata that corresponds to the first set of principals, wherein the respective subset of metadata comprises a respective subset of direct group membership information that indicates one or more groups of which principals in the first set of principals are direct members from within the hierarchical structure of the plurality of principals; (see Dargude col 7: “user profile,” as used herein, generally refers to data, such as personal data and settings, associated with an identified user and stored in a data structure. The user profile may include a unique identifier for the user, such as an email address or username. Personal data that may be included in the user profile may include the user's name, address, contact information (e.g., phone number, email addresses, messaging handle, etc.), position within an organization, hierarchical organization information (e.g., direct reports, supervisor, etc.), or the like.)
Dargude does not specifically disclose for a) the hierarchical structure of the plurality of principals.
However, Weeden discloses wherein for a) the hierarchical structure of the plurality of principals. (see Weeden col 1: assigning ACLs to a hierarchical namespace to optimize ACL inheritance. Embodiments include creating an entitlement matrix for a plurality of resources, creating a tree structure having a plurality of nodes for the hierarchical namespace in dependence upon the entitlement matrix, creating a plurality of ACLs in dependence upon the entitlement matrix, identifying a plurality of attachment points in the hierarchical namespace for the ACLs in dependence upon ACL attachment rules, and attaching the ACLs to the attachment points. Creating an entitlement matrix for a plurality of resources may be carried out by creating a matrix of resources and permissions for users.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for a) the hierarchical structure of the plurality of principals.as taught by Weeden. One of ordinary skill in the art would have been motivated to employ the teachings of Weeden for the flexibility of a system that enables multiple processing techniques such as hierarchical data structures utilized within the data processing environment. (see Weeden col 1)
10. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Dargude in view of Sharma and further in view of Weeden and Cole et al. (US PGPUB No. 20250005185).
Regarding Claim 12, Dargude-Sharma-Weeden discloses the method of claim 11.
Dargude does not specifically disclose performing collection of membership information until respective group membership information for all of the plurality of principals is identified.
However, Cole discloses wherein performing the graph traversal procedure further comprises: performing, after performing the iteration, one or more second iterations of the plurality of iterations until respective direct group membership information for all of the plurality of principals is identified and the membership data structures for the plurality of principals are generated. (see Cole paragraph [0082]: a user's permissions with respect to a given data object are defined by the sum of all permissions that apply to the given data object, across all groups in which the user is a member. Other examples are also possible.; paragraph [0083]: the disclosed framework for configuring permissions groups enables users to be added to multiple permissions groups, thus enabling more than one set of permissions to be associated with a given user for different types of data objects and different conditions. Further still, the disclosed framework for configuring permissions groups enables access to data objects to be automatically and dynamically updated based on attribute values of the data objects.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Dargude for performing collection of membership information until respective group membership information for all of the plurality of principals is identified as taught by Cole. One of ordinary skill in the art would have been motivated to employ the teachings of Cole for the flexibility of a system processing permissions on a user and a group basis. (see Cole paragraph [0082]; paragraph [0083])
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CJ/
March 23, 2026
/KHOI V LE/Primary Examiner, Art Unit 2436