DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 01/19/2026 has been entered.
Response to Amendments
This communication is in response to the amendments filed on 19 January 2026:
Claims 1 and 11-12 are amended.
Claims 1-21 are pending.
Response to Arguments
In response to Applicant’s remarks filed on 19 January 2026:
a. Applicant’s arguments that none of the cited references teaches detecting a violation of an access policy based on assigned metadata, as recited in amended claim 1, have been fully considered but are deemed moot in view of the new grounds of rejection presented in this Office Action.
b. Applicant’s arguments that a person having ordinary skill in the art would not be motivated to modify Badawy and Cook using Ikhlaq as suggested in the Office Action have been fully considered but are deemed not persuasive. Applicant’s attention is directed to the fact that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claims 1 and 11-12, it is unclear, due to the lack of antecedent basis for “the policy” in lines 11-12, whether the policy is the same as the access policy recited earlier in the claimed limitations. It is also unclear due to the lack of antecedent basis for “each identity object” in lines 11-12. The claim is therefore rendered indefinite.
Regarding claims 2-10 and 13-21, the claims are rejected because they depend from a previously rejected claim.
Appropriate correction(s) is/are required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-4, 8, 11-12, 14-15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy et al. (U.S. PGPub. 2021/0287107), hereinafter Badawy, in view of Cook et al. (U.S. PGPub. 2019/0007443), hereinafter Cook, in further view of Ikhlaq (U.S. PGPub. 2019/0362014), in further view of Todd et al. (U.S. Patent 9,424,187), hereinafter Todd.
Regarding claim 1, Badawy teaches A method for identity management, including:
creating a plurality of identity objects, wherein each identity object corresponds to an identity utilized in a computing environment (Badawy, Paragraph [0044], see “…To assist in implementing security measures and access controls in an enterprise environment, many of these enterprises have implemented Identity Management in association with their distributed networked computer environments…an identity may be almost physical or virtual thing, place, person or other item that an enterprise would like to define…”);
extracting common features from data retrieved from a plurality of data sources of a plurality of computing service providers, wherein each common feature is common to at least two of the identity objects (Badawy, Paragraph [0059], see “These indexing messages can be received by the document store 162 and used to index the data for documents 161 for the identity management artifacts in the data store 162…The documents 161 in the data store may thus represent the identity management artifacts of the enterprise 100 according to a nested denormalized document model”, where “nested” is being read as having common features, and where features are extracted and indexed into a nested document model);
assigning metadata to each of the identity objects based on the common features (Badawy, Paragraph [0061], see “As another example of identity management data that may be obtained from an identity management system, the following is one example of a JSON object that may relate to an entitlement”, which shows metadata that is assigned to each of the identity objects based on the common features);
Badawy does not teach the following limitation(s) as taught by Cook: detecting a violation of an access policy with respect to at least one of the identity objects based on the assigned metadata (Cook, Paragraph [0134], see “If the policy analyzer service 1314 indicates that the applied policy is more permissive than the applicable reference policy, then the policy monitoring service 1312 may perform various mitigating procedures”); and
mitigating the detected violation (Cook, Paragraph [0134], see “If the policy analyzer service 1314 indicates that the applied policy is more permissive than the applicable reference policy, then the policy monitoring service 1312 may perform various mitigating procedures. For example, the policy management service 1304 may be notified that the web API request to apply the security policy is more permissive than a reference policy and instruct the policy management service 1304 to deny the request…”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy by implementing the techniques of detecting a violation of an access policy and mitigating the detected violation disclosed by Cook.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising detecting a violation of an access policy and mitigating the detected violation. This allows for better security management by detecting a violation of an access policy and performing a remediation action to resolve it. Cook is deemed analogous art because it discloses techniques of detecting a violation of an access policy and mitigating the detected violation (Cook, Paragraph [0134]).
Badawy as modified by Cook does not teach the following limitation(s) as taught by Ikhlaq: wherein the data retrieved from each of the plurality of data sources is structured as structured within the data source (Ikhlaq, Paragraph [0029], see “…Data received from the plurality of data sources 104 may either be structured or unstructured…”, which is analogous to the data retrieved from each of the plurality of data sources being structured as structured within the data source).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy and the techniques disclosed by Cook by implementing the technique of the data retrieved from each of the plurality of data sources being structured as structured within the data source, disclosed by Ikhlaq.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising the data retrieved from each of the plurality of data sources being structured as structured within the data source. This allows for better security management and faster analysis for efficient processing, ultimately leading to better data quality and consistency. Ikhlaq is deemed analogous art because it discloses techniques of the data retrieved from each of the plurality of data sources being structured as structured within the data source (Ikhlaq, Paragraph [0029]).
Badawy as modified by Cook and further modified by Ikhlaq does not teach the following limitation(s) as taught by Todd: wherein the access policy is defined with respect to a set of metadata such that the policy is enforced with respect to each identity object having the set of metadata defined in the policy among the metadata assigned to the identity object (Todd, Column 3, Lines 21 – 27, see “…The interface may be configured to, in response to a command to perform a storage operation to an object, for each fragment of at least a portion of the plurality of fragments of the object: access metadata associated with the fragment; access a policy; and select a storage tier of the fragment based on the policy and the metadata associated with the fragment”, which is analogous to the access policy being defined with respect to a set of metadata such that the policy is enforced with respect to each identity object (e.g., fragments of an object) having the set of metadata defined in the policy).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, and Ikhlaq by implementing the technique of the access policy being defined with respect to a set of metadata such that the policy is enforced with respect to each identity object having the set of metadata defined in the policy, disclosed by Todd.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising the access policy being defined with respect to a set of metadata such that the policy is enforced with respect to each identity object having the set of metadata defined in the policy. This allows for better security management and system efficiency by defining access policies based on a set of metadata rather than static, user-by-user assignment of policies. Todd is deemed analogous art because it discloses techniques of the access policy being defined with respect to a set of metadata such that the policy is enforced with respect to each identity object having the set of metadata defined in the policy (Todd, Column 3, Lines 21 – 27).
Regarding claim 3, Badawy as modified by Cook and further modified by Ikhlaq and Todd teaches The method of claim 1, wherein the access policy is defined with respect to at least one tag included among the assigned metadata, wherein the access policy is applied to each of the plurality of identity objects having the at least one tag (Badawy, Paragraph [0061], which discloses the metadata alongside attributes, id, name, tags, entitlements, etc.).
Regarding claim 4, Badawy as modified by Cook and further modified by Ikhlaq and Todd teaches The method of claim 1, further comprising:
indexing the plurality of identity objects based on the common features (Badawy, Paragraph [0059], see “These indexing messages can be received by the document store 162 and used to index the data for documents 161 for the identity management artifacts in the data store 162”); and
correlating among the plurality of identity objects based on the common features, wherein the violation is detected based on the correlation (Badawy, Paragraph [0080], see “…For a particular account-identity pair, a feature value for a specific feature pair may be determined by taking the value associated with the account of the account-identity pair for the column of the feature pair associated with the non-authoritative source and the value associated with the identity of the account-identity pair for the column of the feature pair associated with the authoritative source, and determining a similarity measure based on the two values”, which is being read as correlating among the identity objects based on the common features, wherein the violation (if there isn’t a similarity) is detected based on the correlation).
Regarding claim 8, Badawy as modified by Cook and further modified by Ikhlaq and Todd teaches The method of claim 1, further comprising:
integrating with the plurality of data sources by creating an integration for each of the plurality of data sources, wherein each integration includes code that integrates with a respective service in order to access at least one of the plurality of data sources (Badawy, Paragraph [0030], see “…an identity management system, can obtain identity management data associated with a plurality of source systems in a distributed enterprise computing environment…”) (Badawy, Paragraph [0063], see “…connectors 156 of the identity management system 150 may thus request or otherwise obtain data from a variety of source systems within enterprise environment 100 to obtain identity management data 154”); and
retrieving the data from the plurality of data sources via the integration created for each of the plurality of data sources (Badawy, Paragraph [0030], see “…an identity management system, can obtain identity management data associated with a plurality of source systems in a distributed enterprise computing environment…”).
Regarding claims 11-12, the claims are rejected under the same reasoning as claim 1.
Regarding claim 14, the claim is rejected under the same reasoning as claim 3.
Regarding claim 15, the claim is rejected under the same reasoning as claim 4.
Regarding claim 19, the claim is rejected under the same reasoning as claim 8.
Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy, in view of Cook, in further view of Ikhlaq, in further view of Todd, in further view of Southerland et al. (U.S. PGPub. 2021/0064772), hereinafter Southerland.
Regarding claim 2, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Southerland: The method of claim 1, further comprising:
creating a graph with respect to at least one identity object of the plurality of identity objects, wherein the violation is detected based further on the graph (Southerland, FIG. 2AB, which shows a graph used to detect any violations between two or more identities) (Southerland, Paragraph [0068], see “…requires navigation of each of the branches of the tree or graph structure to evaluate any two entitlements in association with another”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the technique of creating a graph with respect to at least one identity object, wherein the violation is detected based further on the graph, disclosed by Southerland.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising creating a graph with respect to at least one identity object, wherein the violation is detected based further on the graph. This allows for better security management and organization by creating a graph structure to evaluate relationships and threats between multiple identities. Southerland is deemed analogous art because it discloses techniques of creating a graph with respect to at least one identity object, wherein the violation is detected based further on the graph (Southerland, Paragraph [0068]).
Regarding claim 13, the claim is rejected under the same reasoning as claim 2.
Claims 5-6 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy, in view of Cook, in further view of Ikhlaq, in further view of Todd, in further view of Mont et al. (U.S. PGPub. 2017/0223039), hereinafter Mont.
Regarding claim 5, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Mont: The method of claim 1, wherein mitigating the detected violation further comprises:
identifying a mitigation action template for the violation (Mont, Paragraph [0047], see “…the workflow template may include a number of actions to remediate the security threat”);
generating an action set based on the mitigation action template (Mont, Paragraph [0069], see “…the workflow library includes workflow templates such as action one template, action two templates, action three template, action four template…”); and
executing at least one mitigation step based on the action set (Mont, Paragraph [0070], see “…action one notifies user A that a source device threatens the network”, where at least one mitigation step is executed based on the action set).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the techniques of identifying a mitigation action template, generating an action set based on the template, and executing a mitigation step based on the action set, disclosed by Mont.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising identifying a mitigation action template, generating an action set based on the template, and executing a mitigation step based on the action set. This allows for better security management as well as efficiency in mitigating threats in a system by assigning different tasks to a workflow template. Mont is deemed analogous art because it discloses techniques of identifying a mitigation action template, generating an action set based on the template, and executing a mitigation step based on the action set (Mont, Paragraphs [0069 – 0070]).
Regarding claim 6, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Mont: The method of claim 5, wherein the action set is a first action set, further comprising:
generating at least one work package by grouping actions of the first action set and at least one second action set (Mont, Paragraph [0075], see “While this example has been described with reference to one workflow template associated with a security threat, the workflow templates may associate with several security threats. For example, a notification workflow template and an authorization workflow template may be associated with security threat A”, which is analogous to generating a work package by grouping actions of different templates).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the technique of generating a work package by grouping actions of a first action set and a second action set, disclosed by Mont.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising generating a work package by grouping actions of a first action set and a second action set. This allows for better security management and efficiency in remediating threats in a system by associating different tasks with a specific threat. Mont is deemed analogous art because it discloses techniques of generating a work package by grouping actions of a first action set and a second action set (Mont, Paragraph [0075]).
Regarding claim 16, the claim is rejected under the same reasoning as claim 5.
Regarding claim 17, the claim is rejected under the same reasoning as claim 6.
Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy, in view of Cook, in further view of Ikhlaq, in further view of Todd, in further view of Maltz et al. (U.S. PGPub. 2016/0020940), hereinafter Maltz.
Regarding claim 7, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Maltz: The method of claim 1, further comprising:
documenting a plurality of mitigation steps performed when mitigating the detected violation (Maltz, Paragraph [0037], see “…the pipeline 102 is explicitly designed to record the inputs and outputs of each mitigation step…”);
determining that at least one expected change failed to occur as a result of the documented plurality of mitigation steps (Maltz, Claim 17, see “…determining whether the action mitigated the failure…”, which is analogous to determining that at least one expected change failed to occur as a result of the mitigation step); and
performing at least one follow-up activity based on the at least one expected change that failed to occur (Maltz, Claim 17, see “…determining whether the action mitigated the failure, and if so, advancing to step e), and if not, returning to step c) to select another action until the failure is mitigated…”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the techniques of documenting a plurality of mitigation steps, determining that at least one mitigation step failed, and performing a follow-up activity based on the mitigation step failing, disclosed by Maltz.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising documenting a plurality of mitigation steps, determining that at least one mitigation step failed, and performing a follow-up activity based on the mitigation step failing. This allows for better security management as well as efficiency in remediating a threat in a system by having a back-up action take place if the first action fails to remediate the threat. Maltz is deemed analogous art because it discloses techniques of documenting a plurality of mitigation steps, determining that at least one mitigation step failed, and performing a follow-up activity based on the mitigation step failing (Maltz, Claim 17).
Regarding claim 18, the claim is rejected under the same reasoning as claim 7.
Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy, in view of Cook, in further view of Ikhlaq, in further view of Todd, in further view of Massaro (U.S. PGPub. 2012/0088211).
Regarding claim 9, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Massaro: The method of claim 1, wherein a secret is attached to each of the plurality of identity objects (Massaro, Paragraph [0082], see “…a bar code may be attached to an object or to a person that encodes identity information”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the technique of attaching a secret to each of the identity objects, disclosed by Massaro.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising attaching a secret to each of the identity objects. This allows for better security management by attaching a secret to each of the identity objects in order to uniquely and securely identify each object. Massaro is deemed analogous art because it discloses techniques of attaching a secret to each of the identity objects (Massaro, Paragraph [0082]).
Regarding claim 20, the claim is rejected under the same reasoning as claim 9.
Claims 10 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy, in view of Cook, in further view of Ikhlaq, in further view of Todd, in further view of Bunker et al. (U.S. PGPub. 2006/0075503), hereinafter Bunker.
Regarding claim 10, Badawy as modified by Cook and further modified by Ikhlaq and Todd does not teach the following limitation(s) as taught by Bunker: The method of claim 1, wherein mitigating the detected violation further comprises causing performance of at least one task, each task corresponding to a respective identity object of the plurality of identity objects, wherein each of the plurality of identity objects is owned by a respective owner entity (Bunker, Paragraph [0006], see “…providing remediation steps, assigning the tasks to asset owners, reporting and measuring the results or alerting on new vulnerabilities affecting the assets”), further comprising:
assigning each of the tasks to the owner entity of the identity object corresponding to the task (Bunker, Paragraph [0006], see “…providing remediation steps, assigning the tasks to asset owners, reporting and measuring the results or alerting on new vulnerabilities affecting the assets”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques disclosed by Badawy, Cook, Ikhlaq, and Todd by implementing the technique of assigning each of the tasks to the owner entity of the identity object, disclosed by Bunker.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for contextual management of machine identities comprising assigning each of the tasks to the owner entity of the identity object. This allows for better security management by associating each identity artifact/object with a specific owner entity, so that the remediation/mitigation actions can be assigned and sent to each owner entity when a threat occurs. Bunker is deemed analogous art because it discloses techniques of assigning each of the tasks to the owner entity of the identity object (Bunker, Paragraph [0006]).
Regarding claim 21, the claim is rejected under the same reasoning as claim 10.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747. The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2499