/DETAILED ACTION
This Office Action is in response to the Amendment filed on 11/28/2025.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the instant Amendment, filed on 11/28/2025, claims 1, 13, and 20 have been amended; claim 10 is cancelled; claim 21 have been newly added.
Claims 1-9 and 11-21 have been examined and are pending; claims 1, 13 and 20 are independent. This Action is made FINAL.
Response to Arguments/Remarks
Applicant’s arguments with respect to prior-art rejections to claims 1-9 and 11-20, filed on 11/28/2025, have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection, where a new ground of rejection is applied with new art that is necessitated based on the amendment.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the Examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the Examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-9, 11-14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Scott et al (“Scott,” US 11,044,255, patented on 06/22/2021), in view of Caves et al (“Caves,” US 2012/0310870, published on 05/06/2012), and further in view of Shtar et al (“Shtar,” US 2019/0158513, published on 12/23/2019).
As to claim 1, Scott teaches a method (Scott: col 1, lines 60-col 3, lines 22, method and system for structuring members/users of an organization in plurality of security groups, and managing members/users’ permission and access to protected/secure data/file/resource) comprising:
retrieving a set of organizational data for an organization, the set of organizational data comprising user data for each individual within the organization, the user data comprising at least access permissions and attributes of the individuals (Scott: col 1, lines 60-col 3, lines 22, col 7, lines 21-23 identifying (via one or more processors) a plurality of users, wherein each user [i.e., individual] has a job function related to a role [i.e. access permission information] of the user within an organization and/or is associated with an organizational network. Where the users/members have account with the organization, and password protected access [i.e. attributes of individuals]);
[ ] deploying [ ] model using the retrieved set of organizational data to output responsibilities of each individual within the organization (Scott: col 1, lines 60-col 3, lines 22, col 7, computing instructions, that when executed by the one or more processors, causes the system to identify a plurality of users, wherein each user may have a job function related to a role of the user within an organization and/or may be associated with an organizational network which contains a plurality of secure data assets);
[ ] deploying [ ] model to identify and classify individuals with similar responsibilities and establish a plurality of distinct roles within the organization associated with the individuals within the organization (Scott: col 1, lines 60-col 3, lines 22, col 7, computing instructions, that when executed by the one or more processors, further causes the system to associate each user with a plurality of security groups [i.e., classifying with similar responsibilities] within the organizational network. Where each security group may have permission to access at least one secure data asset, and a member/user may be associated with more than one security groups);
for each individual within the organization, comparing the access permissions of the individual with the roles and responsibilities of the individual to determine a list of one or more outlier individuals whose access permissions do not align with their roles and responsibilities (Scott: col 1, lines 60-col 3, lines 22, col 7; Fig 3-5, automatically recognize which users are likely to have unauthorized access to secure data assets, and identify, and users most likely to have unauthorized [i.e., permissions do not align with their roles]).
generating, [ ], human-comprehensible role descriptions and names for roles within the organization (Scott: col 1, lines 60-col 3, lines 22, col 7, generating and displaying graph data structure on the user interface. For each of a plurality of subsets of the plurality of nodes, the system clusters the subset on the user interface to indicate that users in the subset belong to a same security group; a system administrator and/or security analyst may see or visualize the users' “connections.”); and
presenting the list of one or more outliers and a list of the individuals within the organization, the list of the individuals comprising human-comprehensible roles and names for each individual (Scott: col 1, lines 60-col 3, lines 22, col 7; Fig 3-5, users are highlighted in the display who are likely to have unauthorized access, providing a ranking of the users most likely to have unauthorized access on the display).
While Scott teaches of structuring members/users of an organization in plurality of security groups, and managing members/users’ permission using computing process, as described above, and describe a part of the process to be and an automatic process (see above limitation mapping, and col 2, lines 12-15), Scott does not explicitly teach training [ ] a first machine learning (ML) model; based on the output of the first ML model, training [ ] a second ML model; and using a generative artificial intelligence (AI) language model.
However, in an analogous art, Caves teaches training [ ] a first machine learning (ML) model; based on the output of the first ML model, training [ ] a second ML model; and using a generative artificial intelligence (AI) language model (Caves: abstract, pars 0033-0034, 0043, 0047, discloses machine learning techniques in creating models of systems to determine optimal configurations. A classifier is configured to generate a model based at least in part on analysis of data. The classifier trainer trains a multi-layer perceptron (MLP) or other artificial neural network (ANN). As an example of technical implementation, the disclosure teaches of using two statistical models. Where the first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode [i.e., first model’s output is used as an input to the second model, as whole, application of generative AI]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Caves with the method/system of Scott to include the limitation(s), training [ ] a first machine learning (ML) model; based on the output of the first ML model, training [ ] a second ML model; and using a generative artificial intelligence (AI) language model, where one would have been motivated for the benefit of applying machine learning and AI technology techniques for performing the automated computing process (Caves: pars 0033-0034, 0043).
While, Caves teaches of machine learning model, as addressed above, Scott or Caves does not explicitly teach organization, wherein the generative AI model generates the human-comprehensible role descriptions within the organization based on access patterns associated with said roles and adapts the role descriptions responsive to learning new access patterns.
However, in an analogous art, Shtar teaches wherein the generative AI model generates the human-comprehensible role descriptions within the organization based on access patterns associated with said roles and adapts the role descriptions responsive to learning new access patterns (Shtar: pars 0111, 0117, generating a model (or updating an existing model) based on the a set of resource groups associated with the user's user group and/or in a set of resource groups associated with nearby user groups, and user’s access pattern, and detect and analyzes data object patterns for addressing user’s access issues. Utilizes continual (or periodic) discovery to adapt the changes in such data object patterns over time to adjust to the natural changes of an organization).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shtar with the method/system of Scott and Caves to include the limitation(s), wherein the generative AI model generates the human-comprehensible role descriptions within the organization based on access patterns associated with said roles and adapts the role descriptions responsive to learning new access patterns, where one would have been motivated for the benefit applying the analyzing access pattern of a user associated with user’s resource group/role access and adapt to the changes in such data object patterns over time to adjust the model to reflect the changes of the organization role and access pattern (Shta: pars 0111, 0117).
As to claim 2, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott further teaches wherein the retrieved set of user data comprises one of more of: user attributes, access permissions, job descriptions, and organizational data (Scott: col 1, lines 60-col 3, lines 22, a plurality of users, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network. Where the users/members have account with the organization, and password protected access [i.e. attributes of users/individuals]).
As to claim 3, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott and Caves further teaches wherein generating the human-comprehensible role descriptions comprises the generative AI language model differentiating the roles of one or more individuals within the organization associated with the same job titles (Caves: abstract, pars 0033-0034, 0043, 0047, discloses machine learning techniques in creating models of systems to determine optimal configurations using a classifier [i.e., application of generative AI]. Scott: col 1, lines 60-col 3, lines 22, identifying a plurality of users, for classification and structuring security group, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network).
As to claim 4, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott further teaches wherein the set of organizational data further comprises human resources information and location details (Scott: col 1, lines 60-col 3, lines 22, identifying a plurality of users, for classification and structuring security group, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network [i.e., human resource information]. Col 28, lines 18-35, the system component is employed distributed across a number of locations, including number of geographic locations).
As to claim 5, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Caves further teaches wherein the generative AI language model utilizes one or more summarization methods to condense role descriptions into concise labels (Caves: pars 0033-0034, 0043, 0047, discloses machine learning techniques in creating models of systems to determine optimal configurations using a classifier [i.e., application of generative AI]. The process/system combines and adapts a number of algorithms for optimization, machine learning, and statistical analysis; fine tuning the automated process).
As to claim 6, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Caves further teaches wherein the first ML model uses supervised learning techniques to define responsibilities based on predefined roles and permissions (Caves: pars 0033-0034, 0043, 0047, discloses machine learning techniques uses two statistical models. Where the first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode, and the model creator creates the model using supervised learning with the application's configurations and workload as the model's input [i.e., the first model input can be supervised learning]).
As to claim 7, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott and Caves further teaches wherein the second ML model employs unsupervised learning to identify and classify individuals into roles without predefined role definitions (Caves: pars 0033-0034, 0043, 0047, discloses machine learning techniques uses two statistical models. Where the first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode, [i.e., the second model input is unsupervised learning]. Scott: col 1, lines 60-col 3, lines 22, identifying a plurality of users, for classification and structuring security group, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network).
As to claim 8, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott further teaches further comprising: identifying candidates for further access audits among the one or more outlier individuals (Scott: col 1, lines 60-col 3, lines 22, col 7; Fig 3-5, users are highlighted in the display who are likely to have unauthorized access, providing a ranking of the users for identifying most likely [i.e., further audit] to have unauthorized access on the display).
As to claim 9, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott and Caves further teaches wherein the generative AI language model utilizes entity extraction to categorize roles based on detailed attributes (Caves: abstract, pars 0033-0034, 0043, 0047, discloses machine learning techniques uses two statistical models. Where the first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode. Scott: col 1, lines 60-col 3, lines 22, identifying a plurality of users, for classification and structuring security group, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network).
As to claim 11, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Caves further teaches wherein the generative AI language model adapts role descriptions to one or more evolving organizational responsibilities (Caves: pars 0033-0034, 0043, 0047, the machine learning techniques in creating models of systems to determine optimal configurations. A classifier is configured to generate a model based at least in part on analysis of data. The classifier trainer trains a multi-layer perceptron (MLP) or other artificial neural network (ANN). The first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second model).
As to claim 12, the combination of Scott, Caves, and Shtar teaches the method of claim 1,
Scott and Caves further teaches further comprising: tracking changes in roles and permissions over time to update the role descriptions (Scott: col 1, lines48-58, considers user change permissions for security groups to access secure data assets, and places and/or removes user accounts from security groups for managing users’ account).
As to claim 13, the claim is directed to a system, and the scope of the claim limitations is similar to the method claim 1, and therefore, rejected for the same reasons set forth for claim 1.
As to claim 14, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Scott and Caves further teaches wherein the generative AI language model integrates job descriptions, organizational data, and access patterns to generate the role descriptions (Caves: pars 0033-0034, 0043, 0047, discloses machine learning techniques in creating models of systems to determine optimal configurations using a classifier [i.e., application of generative AI]. Scott: col 1, lines 60-col 3, lines 22, identifying a plurality of users, for classification and structuring security group, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network).
As to claim 17, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Caves further teaches wherein the generative AI language model utilizes natural language processing for role description generation (Caves: pars 0033-0034, 0043, 0047, discloses machine learning techniques uses two statistical models. Where the first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode, and the model creator creates the model using supervised learning with the application's configurations and workload as the model's input [i.e., the first model of the process use input that is natural language]).
As to claim 18, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Caves further teaches wherein the system is further configured to perform the operation of: periodically reevaluating access permissions to enable continued alignment with roles and responsibilities (Caves: pars 0055, 0064, the model’s optimal performance is measured based at least in part on latency, throughput, calculations per time period [i.e., periodically reevaluating]. System's performance is performed several times to improve the accuracy of the measurement).
As to claim 19, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Caves further teaches wherein the generative AI language model adapts role descriptions to specific organizational contexts (Caves: abstract, pars 0033-0034, 0043, 0047, the machine learning techniques in creating models of systems to determine optimal configurations. A classifier is configured to generate a model based at least in part on analysis of data. The classifier trainer trains a multi-layer perceptron (MLP) or other artificial neural network (ANN). The first model is used to find an optimal set of simulations to employ in order to collect data that is used to create the second mode).
As to claim 20, the claim is directed to a computer-readable medium, and the scope of the claim limitations is similar to the method claim 1, and therefore, rejected for the same reasons set forth for claim 1.
As to claim 21, the claim is directed to a computer-readable medium, and the scope of the claim limitations is similar to the system claim 14, and therefore, rejected for the same reasons set forth for claim 14.
Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Scott et al (“Scott,” US 11,044,255, patented on 06/22/2021), in view of Caves et al (“Caves,” US 2012/0310870, published on 12/06/2012), and further in view of Shtar et al (“Shtar,” US 2019/0158513, published on 12/23/2019) and Maguire et al (“Maguire,” US 2016/0021116, published on 01/21/2016).
As to claim 15, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Scott or Caves does not explicitly teach wherein the generative AI language model refines role descriptions based on user feedback.
However, in an analogous art, Maguire teaches wherein the generative AI language model refines role descriptions based on user feedback (Maguire: par 0102, machine-learning algorithms uses various factors/variables in calculation, including user feedback).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maguire with the method/system of Scott, Caves, and Shtar to include the limitation(s), wherein the generative AI language model refines role descriptions based on user feedback, where one would have been motivated for the benefit of applying a user’s feedback information in to a machine-learning algorithms for calculating a comprehensive output (Maguire: par 0102).
As to claim 16, the combination of Scott, Caves, and Shtar teaches the system of claim 13,
Scott or Caves does not explicitly wherein the system is further configured to perform the operation of: integrating access permissions with one or more work shift patterns to generate the role descriptions.
However, in an analogous art, Maguire teaches wherein the system is further configured to perform the operation of: integrating access permissions with one or more work shift patterns to generate the role descriptions (Maguire: par 0025, differing access permissions may be granted to different service providers depending on their different roles, some access permissions are based at least in part on particular times or dates [i.e., work shift pattern]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maguire with the method/system of Scott, Caves, and Shtar to include the limitation(s), wherein the system is further configured to perform the operation of: integrating access permissions with one or more work shift patterns to generate the role descriptions, where one would have been motivated for the benefit of applying a user’s work shift pattern incorporated in user’s access permission to associated user’s role descriptions for appropriate secure role categorization (Maguire: par 0025).
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355. The examiner can normally be reached on 9:00- 5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/JAHANGIR KABIR/ Primary Examiner, Art Unit 2439