DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to the communication received on 11/14/2025. Claims 1-21 are pending, of which claims 1, 8, and 17 are amended; the remaining claims are as originally filed.
The Examiner recommends filing a written authorization for Internet communication in response to the present action. Doing so permits the USPTO to communicate with Applicant using Internet email to schedule interviews or discuss other aspects of the application. Without a written authorization in place, the USPTO cannot respond to Internet correspondence received from Applicant. The preferred method of providing authorization is by filing form PTO/SB/439, available at: https://www.uspto.gov/patent/forms/forms. See MPEP § 502.03 for other methods of providing written authorization.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,862,928 in view of Anderson US 2020/0059476 and Rice US 2019/0230088. The independent claims of the instant application 18/456,560 recite obtaining identity data including identities, roles and entitlements, and performing an evaluation of the identity data to identify unique and common access items. US 10,862,928 teaches the same system obtaining identity data and performing an evaluation. US 10,862,928 differs in that it does not teach determination of a common and/or unique item. Anderson, in the same field of endeavor, teaches determining common or unique/outlier permissions. It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify 18/456,560 with the determination of common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies and over- or under-provisioning of access rights, so that appropriate action can be taken in response.
Claim comparison: 18/456,560 (claim 1) vs. US 10,862,928 (claim 1)
18/456,560, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clustering job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
US 10,862,928, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions, when executed by the processor, cause the system to perform the steps of: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, wherein the set of roles, set of entitlements and set of identities are utilized in identity management in the distributed enterprise computing environment;
Mapping of the remaining limitations to Anderson and Rice:
Anderson teaches grouping employees into clusters based on role in a business, i.e. job title (¶70).
Anderson teaches in ¶34 that the system trains a neural network, such training further using the association of users that have the same job role (i.e. clustering) and determining an outlier ratio (i.e. popularity), which is a ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user (¶6).
Rice teaches in ¶06 an outlier ratio threshold above which the user is authorized for the outlier permission.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 10,681,056 in view of Anderson US 2020/0059476 and Rice US 2019/0230088. The independent claims of the instant application 18/456,560 recite obtaining identity data including identities, roles and entitlements, and performing an evaluation of the identity data to identify unique and common access items. US 10,681,056 teaches the same system obtaining identity data and performing an evaluation. US 10,681,056 differs in that it does not teach obtaining roles data or determination of a common and/or unique item. Anderson, in the same field of endeavor, teaches obtaining roles (¶42) and determining common or unique/outlier permissions (¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify 18/456,560 with the determination of common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies and over- or under-provisioning of access rights, so that appropriate action can be taken in response.
Claim comparison: 18/456,560 (claim 1) vs. US 10,681,056 (claim 1)
18/456,560, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clustering job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
US 10,681,056, claim 1:
1. An identity management system of using property graphs for risk detection, comprising: a memory; a hardware processor; a non-transitory, computer-readable storage medium including computer instructions executable by the hardware processor for: obtaining first identity management data, at a first time, which is obtained from one or more identity management systems in a distributed enterprise computing environment;
... set of edges to generate a second property graph; storing the second property graph in a data store; analyzing the second property graph to identify an outlier node of the graph; and identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
Mapping of the remaining limitations to Anderson and Rice:
Anderson teaches roles (¶42).
Anderson teaches grouping employees into clusters based on role in a business, i.e. job title (¶70).
Anderson teaches in ¶34 that the system trains a neural network, such training further using the association of users that have the same job role (i.e. clustering) and determining an outlier ratio (i.e. popularity), which is a ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user (¶6).
Rice teaches in ¶06 an outlier ratio threshold above which the user is authorized for the outlier permission.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,554,665 in view of Anderson US 2020/0059476 and Rice US 2019/0230088. The independent claims of the instant application 18/456,560 recite obtaining identity data including identities, roles and entitlements, and performing an evaluation of the identity data to identify unique and common access items. US 10,554,665 teaches the same system obtaining identity data and performing an evaluation. US 10,554,665 differs in that it does not teach determination of a common and/or unique item. Anderson, in the same field of endeavor, teaches determining common or unique/outlier permissions (¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify 18/456,560 with the determination of common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies and over- or under-provisioning of access rights, so that appropriate action can be taken in response.
Claim comparison: 18/456,560 (claim 1) vs. US 10,554,665 (claim 1)
18/456,560, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clustering job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
US 10,554,665, claim 1:
1. An identity management system, comprising: a graph data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment;
... set of edges to generate a second property graph; storing the second property graph in a data store; analyzing the second property graph to identify an outlier node of the graph; and identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
Mapping of the remaining limitations to Anderson and Rice:
Anderson teaches grouping employees into clusters based on role in a business, i.e. job title (¶70).
Anderson teaches in ¶34 that the system trains a neural network, such training further using the association of users that have the same job role (i.e. clustering) and determining an outlier ratio (i.e. popularity), which is a ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user (¶6).
Rice teaches in ¶06 an outlier ratio threshold above which the user is authorized for the outlier permission.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,938,828 in view of Anderson US 2020/0059476. The independent claims of the instant application 18/456,560 recite obtaining identity data including identities, roles and entitlements, and performing an evaluation of the identity data to identify unique and common access items. US 10,938,828 teaches the same system obtaining identity data and performing an evaluation. US 10,938,828 differs in that it does not teach determination of a common and/or unique item. Anderson, in the same field of endeavor, teaches determining common or unique/outlier permissions (¶47). It would have been obvious to a person of ordinary skill in the art at the time of the invention to modify 18/456,560 with the determination of common and unique permissions as taught by Anderson. The reason for such a modification would be to detect anomalies and over- or under-provisioning of access rights, so that appropriate action can be taken in response.
Claim comparison: 18/456,560 (claim 1) vs. US 10,938,828 (claim 1)
18/456,560, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment, the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment;
clustering job titles associated with the set of identities to determine a plurality of job title clusters;
training a machine learning model to generate a predictive score for each of the identity management access items in the set of identity management access items, wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
US 10,938,828, claim 1:
1. An identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data from one or more source systems in a distributed enterprise computing environment of an enterprise, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, the set of roles, set of entitlements and set of identities utilized in identity management in the distributed enterprise computing environment;
... set of edges to generate a second property graph; storing the second property graph in a data store; analyzing the second property graph to identify an outlier node of the graph; and identifying an identity management artifact associated with the outlier node as a high risk identity management artifact.
Mapping of the remaining limitations to Anderson and Rice:
Anderson teaches grouping employees into clusters based on role in a business, i.e. job title (¶70).
Anderson teaches in ¶34 that the system trains a neural network, such training further using the association of users that have the same job role (i.e. clustering) and determining an outlier ratio (i.e. popularity), which is a ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user (¶6).
Rice teaches in ¶06 an outlier ratio threshold above which the user is authorized for the outlier permission.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson US 2020/0059476 and further in view of Rice US 2019/0230088.
Regarding claims 1, 8 and 15, Anderson teaches a method, a non-transitory CRM and an identity management system, comprising: a data store; a processor; a non-transitory, computer-readable storage medium including computer instructions for: obtaining identity management data from one or more source systems in an enterprise computing environment, the identity management data comprising data on a set of identity management access items associated with the enterprise computing environment (enterprise access data is obtained from a database and analyzed; such data includes access privilege data, ¶42),
[0042] The memory 108 may include a data analysis and transformation unit 120 and a business role identification unit 122. The data analysis and transformation unit 120 may receive and/or obtain access privileges data of an enterprise (via processor 104 and/or database(s) 112) and transform said data into data sets as will be further described below. The business role identification unit 122 may identify one or more business roles based on common patterns of the access privileges data. The business role identification unit 122 may include a function role factorization unit 124 for factoring out function roles associated with the access privileges common to at least two employees, and a business role generation unit 126 for generating business roles based on the function roles. The function role factorization unit 124 and business role generation unit 126 will be further described below.
the identity management access items comprising a set of identities, a set of entitlements associated with the set of identities, or a set of roles associated with the set of entitlements, wherein the set of identities, set of entitlements or set of roles are utilized in identity management for the enterprise computing environment; and (the captured information includes user identifiers/logins, roles of the user and permissions/entitlements of a business organization, ¶¶ 40, 42, 43)
[0040] The platform 100 can be operable to register and authenticate users (using a login, unique identifier, and password for example) prior to providing access to applications, a local network, network resources, other networks and network security devices. The platform 100 can connect to different machines or entities.
[0043] In one embodiment, the scope of the business role mining project is focused on capital markets where permissions fall under one of four main categories: application roles, trade book entitlements, database entitlements and infrastructure entitlements. Access data is spread across: applications, trading books, databases and infrastructure, herein referred to as access points. Depending on the nature of the business, employees are granted unique permissions to either of the access points. These are referred to as additional entitlements and are used to represent unique permissions.
clustering job titles associated with the set of identities to determine a plurality of job title clusters (Anderson teaches grouping employees into clusters having the same business role, i.e. job title, ¶70);
[0070] Table 4 shows an example of the feature vector for a clustering algorithm. The first few columns correspond to HR data and the last 10 columns correspond to function roles generated from the first step of the approach. The motivation behind concatenating these columns together is to include access patterns of each of the employees and also the effect of other attributes like transit and city which are currently being used in the enterprise to mine these roles manually. The algorithm groups employees with similar features or attributes as clusters 908. These clusters correspond to business roles. While the algorithm produces an index of clusters, domain expertise of business users may be leveraged to name the function roles.
training a machine learning model to generate a similarity score (a machine learning model can be received or trained to detect outliers, using a similarity score, ¶34)
[0034] The platform 100 may include at least one processor 104 (herein referred to as “the processor 104”) and a memory 108 storing machine executable instructions to configure the processor 104 to receive a neural network (from e.g., data sources 160). The processor 104 can receive a trained neural network and/or can train a neural network using training engine 124. The platform 100 can include an I/O Unit 102, communication interface 106, and data storage 110. The processor 104 can execute instructions in memory 108 to implement aspects of processes described herein.
Anderson does not teach generating a predictive score for each of the identity management access items in the set of identity management access items,
wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters;
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold.
Rice in the same field of endeavor as the invention teaches a system for identifying users with outlier access permission for the purpose of authorizing or not authorizing such permissions.
Rice teaches generating a predictive score for each of the identity management access items in the set of identity management access items (generating an outlier ratio, which is predictive of how many other users have the same outlier permission as the user versus all users with that role, ¶6)
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
wherein the machine learning model is trained based on a popularity of respective entitlements for respective job title clusters (the outlier ratio is a ratio of users with a job role that have an outlier permission as compared to all users that have that role; the outlier ratio is thus a measure of how popular the outlier access permission is with respect to all users in the role, ¶6);
and determining a common or unique access item based on the generated predictive scores by comparing the predictive scores to a threshold (an identified outlier access permission is not granted if the ratio is below a predetermined threshold, ¶6).
It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Anderson's training of a machine learning model with the method of identifying outlier permissions using a ratio (i.e. popularity) of the permission in relation to all users in a role as taught by Rice. The reason for this modification would be to implement a simple substitution of the similarity score of Anderson with the outlier ratio as an alternate metric for identifying users with outlier permissions.
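As an added illustration of the combination discussed above (this is example code written for this page, not code from the office action, Anderson or Rice), the following Python computes a popularity score per job-title cluster and entitlement, labels each access item common or unique by comparing the score to a threshold, and computes a Rice-style outlier ratio for one identity against its peers. The access records, the job-title clusters and the 0.6 threshold are all constructed for the example; a cluster with no peers is handled as the edge case where the ratio is undefined.

```python
from collections import defaultdict

# Constructed sample export from an identity store: (identity, job title, entitlement).
# Values are made up for the example.
ACCESS_RECORDS = [
    ("alice", "Trader", "trade_book_FX"),
    ("alice", "Trader", "app_risk_view"),
    ("bob", "Trader", "trade_book_FX"),
    ("bob", "Trader", "app_risk_view"),
    ("carol", "Trader", "trade_book_FX"),
    ("carol", "Trader", "app_risk_view"),
    ("carol", "Trader", "db_prod_admin"),          # unusual for the trading cluster
    ("dave", "Senior Trader", "trade_book_FX"),
    ("dave", "Senior Trader", "app_risk_view"),
    ("dave", "Senior Trader", "db_prod_admin"),
    ("erin", "DBA", "db_prod_admin"),
    ("frank", "DBA", "db_prod_admin"),
    ("frank", "DBA", "infra_ssh_prod"),            # unusual for the infra cluster
    ("grace", "Auditor", "audit_read"),            # only member of its cluster
]

# Constructed job-title clusters (Anderson groups employees by business role).
JOB_TITLE_CLUSTERS = {
    "Trader": "trading", "Senior Trader": "trading", "DBA": "infra", "Auditor": "audit",
}


def identities_by_cluster(records, clusters):
    """Map each job-title cluster to the set of identities that belong to it."""
    members = defaultdict(set)
    for identity, title, _ in records:
        members[clusters[title]].add(identity)
    return members


def entitlement_holders(records, clusters):
    """Map (cluster, entitlement) to the set of identities in that cluster holding it."""
    holders = defaultdict(set)
    for identity, title, entitlement in records:
        holders[(clusters[title], entitlement)].add(identity)
    return holders


def popularity_scores(records, clusters):
    """Score each (cluster, entitlement) by the fraction of cluster members holding it.

    This is the 'popularity of respective entitlements for respective job title
    clusters'; here it is computed directly rather than learned by a model.
    """
    members = identities_by_cluster(records, clusters)
    holders = entitlement_holders(records, clusters)
    return {key: len(ids) / len(members[key[0]]) for key, ids in holders.items()}


def classify_access_items(scores, threshold):
    """Label each access item 'common' or 'unique' by comparing its score to the threshold."""
    return {key: ("common" if score >= threshold else "unique") for key, score in scores.items()}


def outlier_ratio(records, clusters, identity, entitlement):
    """Rice-style outlier ratio: among the OTHER identities in the same job-title
    cluster, the share that also hold the entitlement.

    Returns None when the identity is unknown or has no peers, since there is
    nothing to compare against and a ratio would be meaningless.
    """
    titles = {title for ident, title, _ in records if ident == identity}
    if not titles:
        return None
    cluster = clusters[next(iter(titles))]
    peers = identities_by_cluster(records, clusters)[cluster] - {identity}
    if not peers:
        return None
    peers_with = entitlement_holders(records, clusters)[(cluster, entitlement)] & peers
    return len(peers_with) / len(peers)


def review_identity(records, clusters, identity, threshold):
    """For one identity, list the entitlements that are not common in its cluster,
    each with its outlier ratio and whether it clears the threshold.

    Returns a list of (entitlement, ratio, decision) where decision is
    'authorize' when the ratio exceeds the threshold and 'review' otherwise.
    """
    labels = classify_access_items(popularity_scores(records, clusters), threshold)
    findings = []
    for ident, title, entitlement in records:
        if ident != identity or labels[(clusters[title], entitlement)] == "common":
            continue
        ratio = outlier_ratio(records, clusters, identity, entitlement)
        decision = "authorize" if ratio is not None and ratio > threshold else "review"
        findings.append((entitlement, ratio, decision))
    return findings


if __name__ == "__main__":
    threshold = 0.6
    for identity in ("alice", "carol", "frank", "grace"):
        print(identity, review_identity(ACCESS_RECORDS, JOB_TITLE_CLUSTERS, identity, threshold))
```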
Regarding claims 2, 9 and 16, Anderson teaches wherein determining the common or unique access item comprises: determining concurrency of the set of identity management access items (access data of users over a period of time, i.e. concurrency, ¶¶ 47, 85)
[0047] FIG. 5A illustrates, in a component diagram, an example of a visualization 300 of the steps of outlier identification 220 (in some embodiments performed by the data analysis and transformation unit 120) and function role factorization 230 for an enterprise (in some embodiments performed by the function role factorization unit 124), in accordance with some embodiments. In this example, employees 302, application roles 304, books 306 and additional entitlements 308 are shown as nodes in graphs. A current access cluster 310 shows 733 lines of access for 11 employees. After outlier identification 220, 658 common permissions (cluster 320) and 75 unique permissions (cluster 325) were located. After function role factorization 230, a function role access cluster 330 shows the 658 common permissions reduced to 90 lines of access. The function role access cluster 330 graph shows employees 302, function roles 334 and additional entitlements 308 as nodes. Thus, in this example, the original 733 lines of access for has been reduced to 165 total lines of access.
[0085] In some embodiments, existing bundles of roles and their respective access rights may be read and analysed by the model to find access changes that occurred in the past time period (e.g., past year). Such changes may then be applied to other employees that have similar roles.
determining a distribution of the set of identity management access items based on the concurrency; and (clustering of user access data is analyzed to determine a pattern (i.e., distribution) of the user access, ¶s 27, 45)
[0027] Embodiments described herein relate to machine learning which is a field of computer science that configures computing devices to process data using programming rules and code that can dynamically update over time. Machine learning involves programming rules and code that can detect patterns and generate output data that represents predictions or forecasting. Role mining is the process of using machine learning techniques to find and extract patterns in existing access data in pursuit of minimizing effort required for access management, and to minimize risk associated with access. By clustering permissions into common patterns that can be packaged into business roles, managers may review and approve a single business role for an employee, rather than reviewing every granular instance of access that that employee requires to do their job.
[0045] In some embodiments, another step employs various techniques from machine learning, data mining visualization clustering and matrix factorization, and principles from graph theory to identify common patterns of access. These patterns are used to establish business roles, which are packages of common accesses that can be assigned to enterprise employees. These business roles are then stored in an internal database to be interoperable with an array of existing systems across the access control ecosystem.
determining the common or unique access item based on the distribution of the set of identity management access items (identifying common patterns and outliers with respect to such common patterns, ¶47)
[0047] FIG. 5A illustrates, in a component diagram, an example of a visualization 300 of the steps of outlier identification 220 (in some embodiments performed by the data analysis and transformation unit 120) and function role factorization 230 for an enterprise (in some embodiments performed by the function role factorization unit 124), in accordance with some embodiments. In this example, employees 302, application roles 304, books 306 and additional entitlements 308 are shown as nodes in graphs. A current access cluster 310 shows 733 lines of access for 11 employees. After outlier identification 220, 658 common permissions (cluster 320) and 75 unique permissions (cluster 325) were located. After function role factorization 230, a function role access cluster 330 shows the 658 common permissions reduced to 90 lines of access. The function role access cluster 330 graph shows employees 302, function roles 334 and additional entitlements 308 as nodes. Thus, in this example, the original 733 lines of access has been reduced to 165 total lines of access.
Regarding claims 3, 10 and 17, Anderson teaches wherein the instructions further comprise instructions for: generating a network identity graph from the identity management data, wherein the concurrency of the set of identity management access items is based on the network identity graph (user access pattern represented as a user access/entitlement graph, ¶53, FIG. 5B).
[0053] FIG. 5B illustrates, in a graph, an example of an access graph 400 showing access privileges, in accordance with some embodiments. The access privilege cluster graph 400 comprises nodes for employees 302, application role 304, book 306, and additional entitlements 308. Each edge is an instance of access to which a manager is to attest. FIG. 5B represents a visualization of a current access of an employee. Each edge comprises an instance of access that is to be attested.
Regarding claims 4, 11 and 18, Rice teaches wherein the instructions further comprise instructions for: training a machine learning model to generate a predictive score for each of the set of identity management access items (generate an outlier ratio, which is a measure of how popular the outlier permission is with respect to all other users with the same role, ¶s 6, 8)
and determining the common or unique access item based on the predictive scores for each of the set of identity management access items by comparing the predictive scores to a threshold (outlier ratio compared to a predetermined threshold to identify an outlier access permission that should not be allowed, ¶s 6, 8).
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
[0008] Furthermore, the system may be configured to compile a compliance database comprising the plurality of access permissions and compliance criteria associated with each access permission of the plurality of access permissions. Subsequently, the system may receive a request from the user to access an outlier access permission that is not in the set of access permissions associated with the job role of the user. The system can identify a set of compliance criteria associated with the outlier access permission from the compliance database and determine whether compliance information associated with the user meets the compliance criteria associated with the outlier access permission. The system may then either authorize the user for the outlier access permission when the compliance information associated with the user does meet the compliance criteria associated with the outlier access permission, or reject the user for the outlier access permission when the compliance information associated with the user does not meet the compliance criteria associated with the outlier access permission.
Regarding claims 5, 12 and 19, Rice teaches wherein the machine learning model is trained based on a popularity of each of the set of identity management access items (generate an outlier ratio, which is a measure of how popular the outlier permission is with respect to all other users with the same role, ¶6)
[0006] The system may, in some embodiments, compare current authorized access permissions of the user to the set of access permissions associated with the job role of the user. The system can then identify an outlier access permission of the user that is not in the set of access permissions associated with the job role of the user and identify one or more other users that are associated with the job role of the user. The system may next identify an outlier ratio of a number of the one or more other users that are authorized for the outlier access permission of the user versus a total number of the one or more other users that are associated with the job role of the user. The system can then determine whether the outlier ratio is greater than a predetermined threshold ratio and either authorize the user for the outlier access permission in response to determining that the outlier ratio is greater than the predetermined threshold ratio, or not authorize the user for the outlier access permission in response to determining that the outlier ratio is not greater than the predetermined threshold ratio.
Regarding claims 6, 13 and 20, Rice teaches wherein the threshold is determined based on the predictive scores for each of the set of identity management access items (predetermined threshold is different for each outlier access permission, ¶85).
[0085] The system then determines whether the outlier ratio is greater than a predetermined threshold ratio. The predetermined threshold ratio may be different for each access permission, each type of business component associated with the access permissions (e.g., a database storing client information may have a very high predetermined threshold ratio while a read-only database with published marketing images may have a low predetermined threshold ratio), and the like. In some embodiments, an outlier access permission may require manual approval from a manager or executive, and therefore could not be approved through this process.
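As an added worked example, not code from either cited reference or from the application under examination, the outlier-ratio test of Rice's [0006] combined with the per-permission thresholds of [0085], in Python; every role membership, permission set and threshold value below is constructed sample data, and the function names are my own.

```python
from dataclasses import dataclass

# Constructed sample data: permissions each job role is expected to carry.
ROLE_PERMISSIONS = {"analyst": {"crm.read", "reports.read"}}

# Constructed sample data: permissions currently granted to each user.
USER_PERMISSIONS = {
    "alice": {"crm.read", "reports.read", "marketing_images.read"},
    "bob": {"crm.read", "reports.read", "marketing_images.read"},
    "carol": {"crm.read", "reports.read", "client_db.write"},
    "dave": {"crm.read", "marketing_images.read"},
}
USER_ROLE = {u: "analyst" for u in USER_PERMISSIONS}

# Per-permission thresholds in the spirit of [0085]: a client database needs
# near-unanimous peer usage before an outlier grant is auto-approved, a
# read-only marketing image store needs much less. Values are made up.
DEFAULT_THRESHOLD = 0.5
PERMISSION_THRESHOLDS = {"client_db.write": 0.9, "marketing_images.read": 0.25}

@dataclass(frozen=True)
class OutlierDecision:
    permission: str
    ratio: float       # peers holding the permission / total peers in the role
    threshold: float
    authorized: bool   # True only when ratio is strictly greater than threshold

def outlier_ratio(user, permission, user_role, user_perms):
    """Fraction of the user's role peers (the user excluded) who hold permission."""
    role = user_role[user]
    peers = [u for u, r in user_role.items() if r == role and u != user]
    if not peers:
        return 0.0  # no peers means no evidence the permission is common
    holders = sum(1 for u in peers if permission in user_perms[u])
    return holders / len(peers)

def review_user(user, user_role=USER_ROLE, user_perms=USER_PERMISSIONS,
                role_perms=ROLE_PERMISSIONS, thresholds=PERMISSION_THRESHOLDS):
    """One OutlierDecision per permission the user holds outside the role's set."""
    outliers = user_perms[user] - role_perms[user_role[user]]
    decisions = []
    for perm in sorted(outliers):
        ratio = outlier_ratio(user, perm, user_role, user_perms)
        thr = thresholds.get(perm, DEFAULT_THRESHOLD)
        # [0006]: authorize only when the ratio exceeds the threshold; an
        # equal ratio is "not greater than" and so is not authorized.
        decisions.append(OutlierDecision(perm, ratio, thr, ratio > thr))
    return decisions
```

With this data, Carol's write access to the client database is an outlier held by none of her peers and is refused against the high threshold, while the marketing image permission held by most analysts passes the low one.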
Regarding claims 7, 14 and 21, Anderson teaches wherein the instructions further comprise instructions for determining a top set of features that resulted in the determination of the common or unique access item (determine a common permission cluster and/or a unique permission cluster, ¶47).
[0047] FIG. 5A illustrates, in a component diagram, an example of a visualization 300 of the steps of outlier identification 220 (in some embodiments performed by the data analysis and transformation unit 120) and function role factorization 230 for an enterprise (in some embodiments performed by the function role factorization unit 124), in accordance with some embodiments. In this example, employees 302, application roles 304, books 306 and additional entitlements 308 are shown as nodes in graphs. A current access cluster 310 shows 733 lines of access for 11 employees. After outlier identification 220, 658 common permissions (cluster 320) and 75 unique permissions (cluster 325) were located. After function role factorization 230, a function role access cluster 330 shows the 658 common permissions reduced to 90 lines of access. The function role access cluster 330 graph shows employees 302, function roles 334 and additional entitlements 308 as nodes. Thus, in this example, the original 733 lines of access has been reduced to 165 total lines of access.
Applicant Remarks
Applicant’s arguments with respect to claims 1-21 have been considered but are moot because the new ground of rejection does not rely on the references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tom Y. Chang whose telephone number is 571-270-5938. The examiner can normally be reached on Monday-Friday from 9am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise, can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/TOM Y CHANG/
Primary Examiner, Art Unit 2442