Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsAmazon Technologies, Inc. › 18359456
Last updated: April 19, 2026
Application No. 18/359,456

POLICY SCOPE MANAGEMENT

Final Rejection §102§103§DP
Filed
Jul 26, 2023
Examiner
DOAN, TRANG T
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Amazon Technologies, Inc.
OA Round
4 (Final)
83%
Grant Probability
Favorable
5-6
OA Rounds
3y 6m
To Grant
99%
With Interview

Interview Optional

+17.7% interview lift. This examiner has a relatively high allow rate; a written response may suffice.
Based on 615 resolved cases, 2023–2026

Examiner Intelligence

DOAN, TRANG T View full profile →
Grants 83% — above average
83%
Career Allow Rate
511 granted / 615 resolved
+25.1% vs TC avg
Strong +18% interview lift
Without
With
+17.7%
Interview Lift
resolved cases with interview
Typical timeline
3y 6m
Avg Prosecution
30 currently pending
Career history
645
Total Applications
across all art units

Statute-Specific Performance

§101
15.3%
-24.7% vs TC avg
§103
34.1%
-5.9% vs TC avg
§102
20.0%
-20.0% vs TC avg
§112
18.9%
-21.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 615 resolved cases

Office Action

§102 §103 §DP
DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This Office Action is in response to the amendment filed on 12/19/2025. Claim 1, 6 and 17 have been amended. Claims 1-20 are pending for consideration. Response to Arguments The double patent rejection has been maintained as the pending claims are still rejectable over claims 1-19 of U.S. Patent No. 11,863,563. Applicant's arguments filed 12/19/2025 have been fully considered but they are not persuasive. Applicant argues on pages 9-13 of the Remarks that the cited reference, Seigel, fails to teach the limitation “generating a second access policy including a second set of permissions relating to access of the set of resources, the second set of permissions including the plurality of types of access previously granted according to the first set of permissions and including the at least one narrowed scope of access for the at least one type of access”. In response to the above argument, Examiner respectfully disagrees. Seigel teaches that an updated user-resource access map is broadly interpreted as the second access policy (Seigel: paragraphs 0018, 0041 and 0051, “an identity manager may determine the user accounts that are members of groups, the access privileges associated with each group to access resources, to create a user-resource access map that identifies the access privileges to access each resource for each user account. The identity manager may correlate activity data with the user-resource access map to determine which privileges are being used and which privileges are unused (or seldom used) and then modify the user accounts or the groups to remove the unused privileges from the user accounts. For example, if an access privilege to a particular resource is used for less than a threshold percentage (e.g., five percent, three percent, one percent, etc.) of the time, then the access privilege may be considered to be “seldom used” and may be a candidate for removal. The threshold percentage may be set by a system administrator or business owner.”). The modified user-resource access map include read and write access which are mapped to the plurality of types of access previously granted according to the first set of permissions (Seigel: paragraphs 0018, 0041, 0049-0050, 0056-0058 and 0060-0062, “a first user account belonging to a first group may have full (e.g., read access and write access) database access privileges while a second user account belonging to a second group may have read-only database access privileges. The activity data generated from monitoring user access to resources over a period of time may include information identifying which operations were performed with which permission level (e.g., privileges)”). Seigel further teaches including the at least one narrowed scope of access for the at least one type of access (Seigel: paragraphs 0018, 0026 and 0049-0050, “For example, a user account with read/write access privileges to databases in a computer system may perform several read operations over a period of time but may not perform any write operations. Based on this information, the identity manager may modify the user account to remove write privileges to the database because the user account was not used to perform write operations during the period of time that was analyzed.”). As can be seen in the citations, a modified user account only keeps the read access privileges and removes the write access privileges. The process of removing a type of access is equivalent to including the at least one narrowed scope of access for the at least one type of access. For at least reasons discussed above, the cited art does teach the disputed limitation as recited in claims 1, 6 and 17. Regarding claims 2-5, 7-16 and 18-20, Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 11863563. Although the claims at issue are not identical, they are not patentably distinct from each other because both applications disclose the same subject matter, such as, a scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy, See Claims Comparison Table below. Instant Application 18/359,456 Patent Application 11,863,563 Claim 1. A computer-implemented method comprising: receiving a first access policy including a first set of permissions relating to access of a set of resources in a multi-tenant environment; analyzing logged access data to determine at least one type of access of a plurality of types of access, to the set of resources, previously granted according to the first set of permissions; determining at least one narrowed scope of access for the at least one type of access; and generating a second access policy including a second set of permissions relating to access of the set of resources, the second set of permissions including the plurality of types of access previously granted according to the first set of permissions and including the at least one narrowed scope of access for the at least one type of access, wherein the second access policy is able to be used in place of the first access policy to provide the at least one type of access without also providing additional types of access that are not required for the set of resources. Claim 1. A computer-implemented method, comprising: receiving, over a period of time, a plurality of requests to access a set of electronic resources in a multi-tenant environment; determining whether to grant access to the set of electronic resources based on a first access policy, the first access policy including permissions relating to a set of actions capable of being executed against the set of electronic resources; storing access information for the plurality of requests received over the period of time; analyzing, after the period of time, the access information to determine a subset of actions, of the set of actions capable of being executed against the set of electronic resources, that were requested during the period of time; determining a subset of the permissions of the first access policy that were used to grant the access for the subset of actions; generating a new access policy granting permissions only corresponding to the subset of permissions that were used to previously grant access during the period of time and maintaining status of permissions previously denied in the first access policy; evaluating the new access policy to check that the new access policy does not restrict access for all actions to one or more of the set of electronic resources previously allowed under the first access policy; verifying, using a policy logic, that any change in scope of the permissions as granted in the new access policy does not violate the permissions of the first access policy; providing the new access policy as a recommendation with respect to the set of electronic resources; determining that permission for access should be granted corresponding to a second subset of permissions, the second subset of permissions not included in the subset of permissions; modifying the new access policy to permit access corresponding to the second subset of permissions; and causing the new access policy to be enforced for the set of electronic resources in response to receiving acceptance of the new access policy. Claim 6. A computer-implemented method, comprising: obtaining a first access policy including a first set of permissions applied to access of a set of resources in a multi-tenant environment; analyzing logged access data to determine at least one type of access of a plurality of types of access, to the set of resources, previously granted according to the first set of permissions; determining, for the at least one type of access, at least one narrowed scope of access; and generating a second access policy including a second set of permissions relating to access of the set of resources, the second set of permissions including the plurality of types of access previously granted according to the first set of permissions and including the at least one narrowed scope of access for the at least one type of access, wherein the second access policy is able to be used in place of the first access policy to provide the at least one type of access without also providing additional types of access that are not required for the set of resources. Claim 5. A computer-implemented method, comprising: determining a set of actions performed over a period of time on a set of resources in a multi-tenant environment, the actions performed using access granted according to permissions of a first access policy; generating a second access policy granting permission for access corresponding to the actions previously performed during the period of time and denying permission for access corresponding to a subset of actions of the set; evaluating the second access policy to check that the second access policy does not restrict access for all actions to one or more of the set of resources previously allowed under the first access policy; verifying, using a policy logic, that any change in scope of the permissions as granted in the second access policy does not violate the permissions of the first access policy; storing the second access policy for implementation with respect to the set of resources; providing the second access policy as a recommendation with respect to the set of electronic resources; determining that permission for access should be granted corresponding to at least one of the subset of actions after denying permission for access corresponding to the subset of actions; and modifying the second access policy to permit access corresponding to the at least one of the subset of actions. Claim 17. A system, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to: obtain a first access policy including a first set of permissions applied to access of a set of resources in a multi-tenant environment; analyze logged access data to determine at least one type of access of a plurality of types of access, to the set of resources, previously granted according to the first set of permissions; determine, for the at least one type of access, at least one narrowed scope of access; and generate a second access policy including a second set of permissions relating to access of the set of resources, the second set of permissions including the plurality of types of access previously granted according to the first set of permissions and including the at least one narrowed scope of access for the at least one type of access, wherein the second access policy is able to be used in place of the first access policy to provide the at least one type of access without also providing additional types of access that are not required for the set of resources. Claim 16. A system, comprising at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to: determine a set of actions performed over a period of time using a set of resources in a multi-tenant environment, the actions performed using access granted according to permissions of a first access policy; generate a second access policy granting permission for access corresponding to the actions previously performed during the period of time and denying permission for access corresponding to a subset of actions of the set; evaluate the second access policy to check that the second access policy does not restrict access for all actions to one or more of the set of resources previously allowed under the first access policy; verifying, using a policy logic, that any change in scope of the permissions as granted in the second access policy does not violate the permissions of the first access policy; provide the second access policy as a recommendation for implementation with respect to the set of resources; determine that permission for access should be granted corresponding to at least one of the subset of actions after denying permission for access corresponding to the subset of actions; and modify the second access policy to permit access corresponding to the at least one of the subset of actions. The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claim(s) 1-15 and 17-20 are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Seigel et al. (US 20170163650) (hereinafter Seigel). Regarding claim 1, Seigel discloses a computer-implemented method comprising: receiving a first access policy including a first set of permissions relating to access of a set of resources in a multi-tenant environment (Seigel: paragraphs 0033-0035 and 0044-0046, “correlate the group membership data 122 with the access map data 124 to create a user-resource access map 126 that identifies which resources each user account can access and a privilege level with which the user account can access the resources.”… “The identity manager 120 may correlate the activity data 128 with the user-resource access map 126 to create the usage data 130 identifying which user accounts are used with which privilege levels to access which resources. The identity manager 120 may determine a Boolean field to the usage data 130 indicating whether an access privilege to a resource was used or may determine a percentage field indicating a percentage of the time that an access privilege was used”); analyzing logged access data to determine at least one type of access of a plurality of types of access, to the set of resources, previously granted according to the first set of permissions (Seigel: paragraphs 0018, 0026 and 0046-0049, “After determining the activity data 128 and identifying which privilege levels were unused (or seldom used) during the time period associated with the activity data 128, the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”); determining at least one narrowed scope of access for the at least one type of access (Seigel: paragraphs 0018, 0026, 0049-0050, 0056-0058 and 0060-0062, “For example, a user account with read/write access privileges to databases in a computer system may perform several read operations over a period of time but may not perform any write operations. Based on this information, the identity manager may modify the user account to remove write privileges to the database because the user account was not used to perform write operations during the period of time that was analyzed.”); generating a second access policy including a second set of permissions relating to access of the set of resources (Seigel: paragraphs 0018, 0041 and 0051, “an identity manager may determine the user accounts that are members of groups, the access privileges associated with each group to access resources, to create a user-resource access map that identifies the access privileges to access each resource for each user account. The identity manager may correlate activity data with the user-resource access map to determine which privileges are being used and which privileges are unused (or seldom used) and then modify the user accounts or the groups to remove the unused privileges from the user accounts. For example, if an access privilege to a particular resource is used for less than a threshold percentage (e.g., five percent, three percent, one percent, etc.) of the time, then the access privilege may be considered to be “seldom used” and may be a candidate for removal. The threshold percentage may be set by a system administrator or business owner.”), the second set of permissions including the plurality of types of access previously granted according to the first set of permissions and including the at least one narrowed scope of access for the at least one type of access, (Seigel: paragraphs 0018, 0049-0051, 0056-0058 and 0060-0062, “a first user account belonging to a first group may have full (e.g., read access and write access) database access privileges while a second user account belonging to a second group may have read-only database access privileges. The activity data generated from monitoring user access to resources over a period of time may include information identifying which operations were performed with which permission level (e.g., privileges)”), wherein the second access policy is able to be used in place of the first access policy to provide the at least one type of access without also providing additional types of access that are not required for the set of resources (Seigel: paragraphs 0018, 0026 and 0049-0051, “For example, a user account with read/write access privileges to databases in a computer system may perform several read operations over a period of time but may not perform any write operations. Based on this information, the identity manager may modify the user account to remove write privileges to the database because the user account was not used to perform write operations during the period of time that was analyzed.”… “the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 6, claim 6 discloses a method claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 1 and rejected for the same reasons Regarding claim 17, claim 17 discloses a system claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 17 and rejected for the same reasons. Regarding claims 2, 7 and 18, Seigel discloses further comprising: accessing, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 3, Seigel discloses further comprising: determining the at least one scope, associated with the first set of permissions, based at least in part on at least one previous request to access at least one of the one or more resources of the set of resources (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 4, Seigel further discloses wherein the first set of permissions include permissions associated with at least one access request or at least one authentication request, the permissions defining a set of actions associated with at least one of the one or more resources of the set of resources (Seigel: paragraphs 0033-0035 and 0044-0046, “correlate the group membership data 122 with the access map data 124 to create a user-resource access map 126 that identifies which resources each user account can access and a privilege level with which the user account can access the resources.”… “The identity manager 120 may correlate the activity data 128 with the user-resource access map 126 to create the usage data 130 identifying which user accounts are used with which privilege levels to access which resources. The identity manager 120 may determine a Boolean field to the usage data 130 indicating whether an access privilege to a resource was used or may determine a percentage field indicating a percentage of the time that an access privilege was used”.) Regarding claim 5, Seigel discloses further comprising: analyzing the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope, associated with the first set of permissions, or do not violate other permissions of the second set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager may modify the user account to remove write privileges to the database because the user account was not used to perform write operations during the period of time that was analyzed.”…“the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 8, Seigel discloses further comprising: obtaining a policy template for the set of electronic resources for use in generating the second set of permissions (Seigel: see figure 2 PNG media_image1.png 1076 888 media_image1.png Greyscale and paragraphs 0018, 0026 and 0049-0050, “Modifying a user account to remove an unused (or seldom used) privilege level may be done in several different ways. As a first example, the identity manager 120 may determine that the members of the first group do not use (or seldom use) write access to the first resource and remove write access to the first resource from the first group. In this way, members of the first group, such as the first user account, may have read access to the first resource. As a second example, the identity manager 120 may define a new group, e.g., a Qth group that has read access to the first resource and remove the first user account from the first group, and add the first user account to the Qth group. In this way, members of the Qth group, such as the first user account, may have read access to the first resource”). Regarding claim 9, Seigel discloses further comprising: determining, based at least in part on the at least one scope associated with the first set of permissions, that the type of access is a least privileged access (Seigel: paragraphs 0036, 0041-0044 and 0047-0050, “The user resource access map 126 identifies which resources each user account can access and a privilege level with which the user account can access the resources. For example, as illustrated in FIG. 2, the user-resource access map 126 may indicate that the first user account has read-write access privileges to the first resource and read-write access privileges to the second resource.”); and analyzing the second set of permissions to ensure that at least one scope associated with the second set of permissions is reduced (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Regarding claim 10, Seigel discloses further comprising: determining at least one event executed for at least one resource of the one or more resources of the set of resources, wherein the at least one event is mapped to at least one permission of the first set of permissions to determine the permission under which the at least one event was granted access (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Regarding claim 11, Seigel discloses further comprising: determining at least one scope associated with the second set of permissions, wherein the at least one scope associated with the second set of permissions is narrower than the at least one scope associated with the first set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “As a third example, the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 12, Seigel discloses further comprising: wherein the second set of permissions does not remove denied permissions from the first set of permissions and maintains access that was previously granted in the first set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “As a third example, the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 13, Seigel discloses further comprising: determining that the second set of permissions applies to a specific task, the task performed on behalf of a user (Seigel: paragraphs 0049-0050, “As a third example, the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”); and wherein at least one scope of the second set of permissions is based at least in part on the user (Seigel: paragraphs 0018, 0026 and 0049-0050, “As a third example, the identity manager 120 may define a new user account, remove the first user account from the first group, add the new user account to the second group that has read access to the first resource, and assign the new user account to a user that was previously associated with the first user account. Of course, the identity manager may perform other combinations of (i) modifications to group memberships, (ii) modifications to group access privileges, and (iii) modifications to user accounts to remove write access to the first resource by the first user account.”). Regarding claim 14, Seigel discloses further comprising: validating the first set of permissions against permissible actions granted to at least one user associated with a customer account to ensure that the first set of permissions reflect the appropriate permissions (Seigel: paragraphs 0020 and 0049-0050, “As a first example, the permissions associated with a seldom accessed resource may be set to deny access, effectively preventing access without modifying user permissions, group memberships, or the like. As a second example, the user account may be removed from one or more groups that have been granted access to the resource, thereby preventing the user account from accessing the resource. The identity manager may have sufficient data (e.g., based on the user-to-resource access mapping and the activity data) to determine if removing the user account from the one or more groups will have adverse consequences. As a third example, an entry in an access policy (e.g., Dell® Change Auditor® protection policy) may be added to deny the user account access to the resource. If the user account's access to the resource was legitimate and the access was erroneously removed, e.g., due to infrequent resource access or another similar reason, a system administrator may enable the user account to access the resource, such as by removing the entry in the access policy.”). Regarding claim 15, Seigel discloses further comprising: wherein a scope of the second set of permissions grants only permissions granted in the first set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Regarding claim 18, Seigel discloses wherein the instructions when executed further cause the system to: access, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Regarding claim 19, Seigel discloses wherein the instructions when executed further cause the system to: generate the second set of permissions to only grant permission for access corresponding to a set of actions performed with respect to the first set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Regarding claim 20, Seigel discloses wherein the instructions when executed further cause the system to: analyze the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope associated with the first set of permissions, or do not violate other permissions of the second set of permissions (Seigel: paragraphs 0018, 0026 and 0049-0050, “the identity manager 120 may automatically modify user accounts with unused (or seldom used) privilege levels. For example, the identity manager 120 may determine that the first user account's write access to the first resource is unused (or seldom used) and may remove the write access (e.g., privilege level) to the first resource. The identity manager 120 may determine that the first user account's write access to the second resource is unused (or seldom used) and may remove the write access privilege level to the first resource.”). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 16 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel in view of Parimi et al. (US 20170295197) (hereinafter Parimi). Regarding claim 16, Seigel does not explicitly disclose the following limitation which is disclosed by Parimi, further comprising: detecting at least one suspicious request (Parimi: paragraphs 0014, 0055 and 0078, “the monitored activity of the user 104 (e.g., user activity 1712)”... “The system detects a discrepancy of the infrastructure security configurations from the translated security best practice configurations and/or the translated CVE in the infrastructure security configurations”); generating an alert for the at least one suspicious request (Parimi: paragraph 0056, “A set of devices and a user are alerted (e.g., using alert 1511) about any discrepancy of the infrastructure security configurations 1516 from the translated security best practice configurations and/or any translated CVE 1503 in the infrastructure security configurations”); and providing a recommendation to change at least one permission of the first set of permissions to deny access corresponding to the at least one suspicious request (Parimi: paragraph 0056, “Modifications of the infrastructure security configurations 1516 associated with the heterogeneous infrastructures 1518 (e.g., 108A, 108B, 112A, 112B) are suggested as a remediation for the discrepancy and the CVE 1503”). Seigel and Parimi are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Seigel and Parimi before him or her, to modify the system of Seigel to include detecting at least one suspicious request and providing a recommendation to change at least one permission of a first set of permissions to deny access corresponding to a at least one suspicious request of Parimi. The suggestion/motivation for doing so would have been to detect discrepancy in infrastructure security configurations from translated security best practice configurations in heterogeneous environments (Parimi: paragraph 0002). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached on Monday-Friday 7-4 ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TRANG T DOAN/Primary Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Jul 26, 2023
Application Filed
Dec 14, 2024
Non-Final Rejection — §102, §103, §DP
Feb 26, 2025
Applicant Interview (Telephonic)
Mar 10, 2025
Response Filed
Mar 16, 2025
Examiner Interview Summary
May 23, 2025
Final Rejection — §102, §103, §DP
Jul 03, 2025
Applicant Interview (Telephonic)
Jul 07, 2025
Examiner Interview Summary
Jul 24, 2025
Response after Non-Final Action
Aug 15, 2025
Request for Continued Examination
Aug 19, 2025
Response after Non-Final Action
Sep 19, 2025
Non-Final Rejection — §102, §103, §DP
Dec 19, 2025
Response Filed
Mar 09, 2026
Final Rejection — §102, §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

17/687,958
Patent 12587545
SECURING ENDPOINTS IN A HETEROGENOUS ENTERPRISE NETWORK
2y 5m to grant Granted Mar 24, 2026
18/464,538
Patent 12587849
SYSTEM AND METHOD FOR USING RADIO NOISE TO ASSURE USER PRESENCE WITH DEVICE BEING ACCESSED
2y 5m to grant Granted Mar 24, 2026
18/226,607
Patent 12574401
OPERATIONAL TECHNOLOGY CYBER DEFENSE CLOUD SERVICES PLATFORM
2y 5m to grant Granted Mar 10, 2026
18/716,504
Patent 12554894
LOW-LATENCY MULTI-DOMAIN MASKING
2y 5m to grant Granted Feb 17, 2026
17/548,089
Patent 12549565
System and Method for Intrusion Detection of Malware Traffic
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

5-6
Expected OA Rounds
83%
Grant Probability
99%
With Interview (+17.7%)
3y 6m
Median Time to Grant
High
PTA Risk
Based on 615 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month