Prosecution Insights
Last updated: July 05, 2026
Application No. 18/400,818

REDUCED ON-DEMAND AND STANDING PRIVILEGE ACCESS CONTROL ASSIGNMENT RECOMMENDATIONS IN MULTI-CLOUD ENVIRONMENTS

Non-Final OA §103
Filed
Dec 29, 2023
Examiner
MAI, KEVIN S
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Microsoft Technology Licensing, LLC
OA Round
1 (Non-Final)
29%
Grant Probability
At Risk
1-2
OA Rounds
2y 2m
Est. Remaining
56%
With Interview

Examiner Intelligence

Grants only 29% of cases
29%
Career Allowance Rate
126 granted / 430 resolved
-28.7% vs TC avg
Strong +26% interview lift
Without
With
+26.3%
Interview Lift
resolved cases with interview
Typical timeline
4y 8m
Avg Prosecution
39 currently pending
Career history
471
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
95.7%
+55.7% vs TC avg
§102
3.1%
-36.9% vs TC avg
§112
0.5%
-39.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 430 resolved cases

Office Action

§103
DETAILED ACTION Claims 1-20 have been examined and are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2014/0033267 to Aciicmez (hereinafter “Aciicmez”) and further in view of US Pat. No. 12/452245 to Gacek et al. (hereinafter “Gacek”). As to Claim 1, Aciicmez discloses a method comprising: determining, from historical activity data, paired activity data associated with an identity, the paired activity data comprising task and resource pairs, a task and resource pair indicating a task performed by the identity and a resource on which the task was performed (Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); determining, for a particular candidate access control assignment of a plurality of candidate access control assignments, an over-privileging cost based on a permission and resource scope granted by the particular candidate access control assignment and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle); determining, for the identity, a set of recommended access control assignments as a subset of the plurality of candidate access control assignments with a lowest aggregate over-privileging cost whose combined permissions and resource scopes cover at least a predetermined [percentage] of the paired activity data (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system); generating, based on the set of recommended access control assignments, a recommended assignment state for the particular candidate access control assignment (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject); and performing a responsive action based on the recommended assignment state (Paragraph [0037] of Aciicmez discloses When a subject makes an access attempt on an object, the access control module 150 determines whether to allow or deny the access attempt based on the type of the object, the type of the subject, and the security policy information 151 maintained). Aciicmez does not explicitly disclose percentage. However, Gacek discloses this. Column 2 lines 1-10 of Gacek disclose generate candidate access control policies, rank those candidate access control policies based on a coverage percentage of access request logs included in the data set, and select a candidate access control policy with a highest coverage score as an access control policy for an access control policy set. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the access control system as disclosed by Aciicmez, with using a percentage as disclosed by Gacek. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device ready for improvement to yield predictable results. Aciicmez and Gacek are directed toward access controls system and as such it would be obvious to use the techniques of one in the other. Gacek discloses using such a metric is well known in access control systems to analyze policy effectiveness and as such would be obvious to implement in Aciicmez. As to Claim 2, Aciicmez-Gacek discloses the method of claim 1, wherein the recommended assignment state comprises at least one of: excepting the particular candidate access control assignment from being assigned to the identity, assigning the particular candidate access control assignment to the identity on a permanent basis, or assigning the particular candidate access control assignment to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 3, Aciicmez-Gacek discloses the method of claim 1, wherein said determining, for the particular candidate access control assignment, the over-privileging cost comprises: determining, for the particular access control assignment, a first over-privileging cost based on permissions and a resource scopes granted by the particular candidate access control assignment on a permanent basis, and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); and determining, for the particular access control assignment, a second over-privileging cost based on the permitted tasks and the resource scopes granted by the particular candidate access control assignment on an on-demand basis, and a frequency or pattern of task and resource pairs in the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); wherein determining the set of recommended access control assignments comprises: determining, based on the first over-privileging cost and the second over-privileging cost, that a recommended access control assignment of the set of recommended access control assignments should be assigned on at least one of a permanent basis or an on-demand basis (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system). As to Claim 4, Aciicmez-Gacek discloses the method of claim 3, wherein said determining, for the particular access control assignment, the first over-privileging cost comprises at least one of: determining the first over-privileging cost based on a permission type of the permitted tasks granted by the particular candidate access control assignment; determining the first over-privileging cost based on a data type of the resource scopes granted by the particular candidate access control assignment; determining the first over-privileging cost based on a data size of the resource scopes granted by the particular candidate access control assignment; or determining the first over-privileging cost based on a presence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle.). As to Claim 5, Aciicmez-Gacek discloses the method of claim 3, wherein said determining, for the particular access control assignment, the second over-privileging cost comprises at least one of: determining the second over-privileging cost based on a frequency of occurrence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment; or determining the second over-privileging cost based on a pattern of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100). As to Claim 6, Aciicmez-Gacek discloses the method of claim 1, wherein said performing the action comprises at least one of: providing, to a user, a recommendation to keep a current access control assignment currently assigned to the identity; providing, to a user, a recommendation to reassign, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; providing, to a user, a recommendation to reassign, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; providing, to a user, a recommendation to replace a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments on a permanent basis; providing, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments on a permanent basis; providing, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis; automatically reassigning, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; automatically reassigning, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; automatically replacing a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments; automatically assigning a recommended access control assignment in the set of recommended access control assignments to the identity on a permanent basis; or automatically assigning a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 7, Aciicmez-Gacek discloses the method of claim 1, wherein the plurality of candidate access control assignments comprise at least one of: a built-in role associated with a first cloud platform provider and a first resource scope, the built-in role associated with a first set of role permissions to perform a first set of tasks on resources associated with the first resource scope; a built-in policy associated with a second cloud platform provider, the built-in policy associated with a first set of policy permissions to perform a second set of tasks, and a first set of policy resources on which the second set of tasks may be performed; a customer-defined role and a second resource scope, the customer-defined role associated with a second set of role permissions to perform a third set of tasks on resources associated with the second resource scope; or a customer-defined policy associated, the customer-defined policy associated with a second set of policy permissions to perform a fourth set of tasks, and a second set of policy resources on which the fourth set of tasks may be performed (Paragraph [0037] of Aciicmez discloses Type enforcement (TE) is an example MAC model. In type enforcement, each subject and each object is associated with a corresponding type. In this specification, a type is a security label used to identify an entity. In one embodiment, the security policy information 151 maintained is a label-based type enforcement security policy. For example, the security policy information 151 maintained may indicate which types of objects each type of subject may access and perform operations (e.g., read, write, execute, append) on. When a subject makes an access attempt on an object, the access control module 150 determines whether to allow or deny the access attempt based on the type of the object, the type of the subject, and the security policy information 151 maintained). As to Claim 8, Aciicmez-Gacek discloses the method of claim 1, further comprising: determining a current over-privileging metric indicative of a proportion of permissions and resource scopes granted by the current access control assignment that lack a corresponding task and resource pair in the paired activity data; determining a potential over-privileging metric indicative of a proportion of permissions and resource scopes granted by the set of recommended access control assignments that lack a corresponding task and resource pair in the paired activity data; and determining an over-privileging reduction metric based on the current over-privileging metric and the potential over-privileging metric, wherein said performing the action is further based on the over-privileging reduction metric (Paragraph [0045] of Aciicmez discloses a revision to the recommended security policy information 151 is necessary (e.g., a performance constraint is not met or an access control requirement needs to be relaxed or tightened because of an update to the computing system 100), the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 9, Aciicmez discloses a system comprising: a processor; and a memory device comprising program code structured to cause the processor to: determine, from historical activity data, paired activity data associated with an identity, the paired activity data comprising task and resource pairs, a task and resource pair indicating a task performed by the identity and a resource on which the task was performed (Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); determine, for a particular candidate access control assignment of a plurality of candidate access control assignments, an over-privileging cost based on a permitted task and resource scope granted by the particular candidate access control assignment and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle); determine, for the identity, a set of recommended access control assignments as a subset of the plurality of candidate access control assignments with a lowest aggregate over-privileging cost whose combined permissions and resource scopes cover at least a predetermined [percentage] of the paired activity data (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system); generate, based on the set of recommended access control assignments, a recommended assignment state for the particular candidate access control assignment (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject); and perform a responsive action based on the recommended assignment state (Paragraph [0037] of Aciicmez discloses When a subject makes an access attempt on an object, the access control module 150 determines whether to allow or deny the access attempt based on the type of the object, the type of the subject, and the security policy information 151 maintained). Aciicmez does not explicitly disclose percentage. However, Gacek discloses this. Column 2 lines 1-10 of Gacek disclose generate candidate access control policies, rank those candidate access control policies based on a coverage percentage of access request logs included in the data set, and select a candidate access control policy with a highest coverage score as an access control policy for an access control policy set. Examiner recites the same rationale to combine used for claim 1. As to Claim 10, Aciicmez-Gacek discloses the system of claim 9, wherein the recommended assignment state comprises at least one of: excepting the particular candidate access control assignment from being assigned to the identity, assigning the particular candidate access control assignment to the identity on a permanent basis, or assigning the particular candidate access control assignment to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 11, Aciicmez-Gacek discloses the system of claim 9, wherein, to determine, for the particular candidate access control assignment, the over-privileging cost, the program code is further structured to cause the processor to: determine, for the particular access control assignment, a first over-privileging cost based on permissions and a resource scopes granted by the particular candidate access control assignment on a permanent basis, and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); and determine, for the particular access control assignment, a second over-privileging cost based on the permitted tasks and the resource scopes granted by the particular candidate access control assignment on an on-demand basis, and a frequency or pattern of task and resource pairs in the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); wherein, to determine the set of recommended access control assignments, the program code is further structured to cause the processor to: determine, based on the first over-privileging cost and the second over-privileging cost, that a recommended access control assignment of the set of recommended access control assignments should be assigned on at least one of a permanent basis or an on-demand basis (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system). As to Claim 12, Aciicmez-Gacek discloses the system of claim 11, wherein, to determine, for the particular access control assignment, the first over-privileging cost, the program code is further structured to cause the processor to perform at least one of: determine the first over-privileging cost based on a permission type of the permitted tasks granted by the particular candidate access control assignment; determine the first over-privileging cost based on a data type of the resource scopes granted by the particular candidate access control assignment; determine the first over-privileging cost based on a data size of the resource scopes granted by the particular candidate access control assignment; or determine the first over-privileging cost based on a presence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle.). As to Claim 13, Aciicmez-Gacek discloses the system of claim 11, wherein, to determine, for the particular access control assignment, the second over-privileging cost, the program code is further structured to cause the processor to perform at least one of: determine the second over-privileging cost based on a frequency of occurrence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment; or determine the second over-privileging cost based on a pattern of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100). As to Claim 14, Aciicmez-Gacek discloses the system of claim 9, wherein, to perform the action, the program code is further structured to cause the processor to perform at least one of: provide, to a user, a recommendation to keep a current access control assignment currently assigned to the identity; provide, to a user, a recommendation to reassign, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; provide, to a user, a recommendation to reassign, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; provide, to a user, a recommendation to replace a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments on a permanent basis; provide, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments on a permanent basis; provide, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis; automatically reassign, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; automatically reassign, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; automatically replace a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments; automatically assign a recommended access control assignment in the set of recommended access control assignments to the identity on a permanent basis; or automatically assign a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 15, Aciicmez discloses a computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, cause the processor to: determine, from historical activity data, paired activity data associated with an identity, the paired activity data comprising task and resource pairs, a task and resource pair indicating a task performed by the identity and a resource on which the task was performed (Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); determine, for a particular candidate access control assignment of a plurality of candidate access control assignments, an over-privileging cost based on a permitted task and resource scope granted by the particular candidate access control assignment and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle); determine, for the identity, a set of recommended access control assignments as a subset of the plurality of candidate access control assignments with a lowest aggregate over-privileging cost whose combined permissions and resource scopes cover at least a predetermined percentage of the paired activity data (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system); generate, based on the set of recommended access control assignments, a recommended assignment state for the particular candidate access control assignment (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject); and perform a responsive action based on the recommended assignment state (Paragraph [0037] of Aciicmez discloses When a subject makes an access attempt on an object, the access control module 150 determines whether to allow or deny the access attempt based on the type of the object, the type of the subject, and the security policy information 151 maintained). Aciicmez does not explicitly disclose percentage. However, Gacek discloses this. Column 2 lines 1-10 of Gacek disclose generate candidate access control policies, rank those candidate access control policies based on a coverage percentage of access request logs included in the data set, and select a candidate access control policy with a highest coverage score as an access control policy for an access control policy set. Examiner recites the same rationale to combine used for claim 1. As to Claim 16, Aciicmez-Gacek discloses the computer-readable storage medium of claim 15, wherein the recommended assignment state comprises at least one of: excepting the particular candidate access control assignment from being assigned to the identity, assigning the particular candidate access control assignment to the identity on a permanent basis, or assigning the particular candidate access control assignment to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). As to Claim 17, Aciicmez-Gacek discloses the computer-readable storage medium of claim 15, wherein, to determine, for the particular candidate access control assignment, the over-privileging cost, the computer-executable instructions, when executed by the processor, further cause the processor to: determine, for the particular access control assignment, a first over-privileging cost based on permissions and a resource scopes granted by the particular candidate access control assignment on a permanent basis, and the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); and determine, for the particular access control assignment, a second over-privileging cost based on the permitted tasks and the resource scopes granted by the particular candidate access control assignment on an on-demand basis, and a frequency or pattern of task and resource pairs in the paired activity data (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100); wherein, to determine the set of recommended access control assignments, the computer-executable instructions, when executed by the processor, further cause the processor to: determine, based on the first over-privileging cost and the second over-privileging cost, that a recommended access control assignment of the set of recommended access control assignments should be assigned on at least one of a permanent basis or an on-demand basis (Paragraph [0006] of Aciicmez discloses generating a security recommendation for a computing system including at least one resource and at least one subject. Paragraph [0082] of Aciicmez discloses an overall cost associated with a type enforcement configuration is represented by the equation Cost = aCs + bCp) wherein a and b are pre-determined for meeting specific performance and security requirements of the computing system). As to Claim 18, Aciicmez-Gacek discloses the computer-readable storage medium of claim 17, wherein, to determine, for the particular access control assignment, the first over-privileging cost, the computer-executable instructions, when executed by the processor, further cause the processor to perform at least one of: determine the first over-privileging cost based on a permission type of the permitted tasks granted by the particular candidate access control assignment; determine the first over-privileging cost based on a data type of the resource scopes granted by the particular candidate access control assignment; determine the first over-privileging cost based on a data size of the resource scopes granted by the particular candidate access control assignment; or determine the first over-privileging cost based on a presence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle.). As to Claim 19, Aciicmez-Gacek discloses the computer-readable storage medium of claim 17, wherein, to determine, for the particular access control assignment, the second over-privileging cost, the computer-executable instructions, when executed by the processor, further cause the processor to perform at least one of: determine the second over-privileging cost based on a frequency of occurrence of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment; or determine the second over-privileging cost based on a pattern of task and resource pairs in the paired activity data that correspond to permissions and resource scopes granted by the particular candidate access control assignment (Paragraph [0078] of Aciicmez discloses different objects 420 and different subjects 410 are grouped into types and domains, respectively, based on the similarity of their access characteristics and access control requirements. For example, two cost factors/metrics may be considered when evaluating a type enforcement configuration: (1) a performance cost representing the effect of the type enforcement configuration on overall system performance of the computing system 100, and (2) a security cost representing deviations from the least-privilege principle. Paragraph [0049] of Aciicmez discloses the monitoring module 211 monitors the computing system 100 by capturing and recording each time a subject of the computing system 100 accesses an object of the computing system 100, and with what access permissions. For example, the monitoring module 211 captures and records system traces like system calls, access attempts, etc. The information captured and recorded by the monitoring module 211 may be maintained in the memory module 215 in the form of log data. The labeling module 214 may be used to generate a unique label for each object of the computing system 100, thereby facilitating the logging of every access/access attempt in the computing system 100). As to Claim 20, Aciicmez-Gacek discloses the computer-readable storage medium of claim 16, wherein, to perform the action, the computer-executable instructions, when executed by the processor, further cause the processor to perform at least one of: provide, to a user, a recommendation to keep a current access control assignment currently assigned to the identity; provide, to a user, a recommendation to reassign, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; provide, to a user, a recommendation to reassign, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; provide, to a user, a recommendation to replace a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments on a permanent basis; provide, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments on a permanent basis; provide, to a user, a recommendation to assign a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis; automatically reassign, on an on-demand basis, a current access control assignment currently assigned to the identity on a permanent basis; automatically reassign, on a permanent basis, a current access control assignment currently assigned to the identity on an on-demand basis; automatically replace a current access control assignment currently assigned to the identity with at least a portion of the set of recommended access control assignments; automatically assign a recommended access control assignment in the set of recommended access control assignments to the identity on a permanent basis; or automatically assign a recommended access control assignment in the set of recommended access control assignments to the identity on an on-demand basis (Paragraph [0045] of Aciicmez discloses the automated security policy generation system 200 will revise the recommended security policy information 151 using the monitoring and analysis module 210 and/or the policy generation module 220. Therefore, the process of generating recommended security policy information 151 may be iterative). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin S Mai whose telephone number is (571)270-5001. The examiner can normally be reached Monday to Friday 9AM to 5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KEVIN S MAI/Primary Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Dec 29, 2023
Application Filed
Apr 01, 2026
Non-Final Rejection mailed — §103
Jun 08, 2026
Interview Requested
Jun 16, 2026
Applicant Interview (Telephonic)
Jun 16, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12657306
BMC BASED HROT IMPLEMENTATION ESTABLISHING CHAIN OF TRUST IN A SECURED SERVER SYSTEM
3y 5m to grant Granted Jun 16, 2026
Patent 12506731
Conference Data Sharing Method and Conference Data Sharing System Capable of Communicating with Remote Conference Members
4y 8m to grant Granted Dec 23, 2025
Patent 12413610
ASSESSING SECURITY OF SERVICE PROVIDER COMPUTING SYSTEMS
3y 9m to grant Granted Sep 09, 2025
Patent 12406064
PRE-BOOT CONTEXT-BASED SECURITY MITIGATION
3y 3m to grant Granted Sep 02, 2025
Patent 12363200
PROVIDING EVENT STREAMS AND ANALYTICS FOR ACTIVITY ON WEB SITES
3y 2m to grant Granted Jul 15, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
29%
Grant Probability
56%
With Interview (+26.3%)
4y 8m (~2y 2m remaining)
Median Time to Grant
Low
PTA Risk
Based on 430 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month