MANAGING ACCESS CHANGES TO ENTERPRISE RESOURCES

§101 §103

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed with respect to rejections under 35 USC 101 have been fully considered but they are not persuasive. Applicant argues the claimed invention does not fall within one of the enumerated subject matter groupings of abstract ideas. Applicant merely states the claimed invention is not a mathematical concept, a method of organizing human activity or a mental process. This amounts to a general allegation that the claims define a patentable invention without specifically pointing out how the claims present a patent eligible invention. Examiner disagrees and upholds the assertion that the claims recite an abstract idea. Managing resource ownership based on a scoring process and access control change patterns is certain methods of organizing human activity and mental process as set forth the in the rejection below. Next, and with respect to prong two of Step 2A, Applicant alleges the claims recite additional elements that integrate the judicial exception into a practical application, which can include one or more improvements to a computer or computer technology. Applicant, however, does not point to any claim limitation specifically the provides support for this allegation. Examiner disagrees. The computer, as claimed, merely functions in its ordinary capacity to implement the abstract idea. The Guidance does not require a claimed mental process to be performed exclusively within a person’s mind. Rather, the Guidance shows that the involvement of non-human components (e.g., generic computer hardware) is not prohibited in a claim reciting a mental process. See MPEP 2106.04(a)(2)(III)(C) (“Claims can recite a mental process even if they are claimed as being performed on a computer” (citing Gottschalk v. Benson, 409 U.S. 63 (1972))); see October 2019 Update at 8 (“The courts have found claims requiring a generic computer or nominally reciting a generic computer may still recite a mental process even though the claim limitations are not performed entirely in the human mind.”) With respect to Step 2B, Applicant points to the most recent amendment to support the assertion that the claims go beyond abstract ideas and conventional activities by providing specificity of the operations by assigning individual scores for multiple score types, determining a relationship… and determining a pattern… Examiner points out that each of these referenced limitations are abstract ideas and do not include additional elements that amount to an inventive concept (aka significantly more) than the recited judicial exception. Therefore, under step 2B there is no evidence of any recitation of significantly more than the abstract idea. Applicant’s arguments with respect to claim(s) rejected under 35 USC 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claim(s) 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Claim(s) 1-20 is/are directed to a method, system, and computer program product [paragraph 0064 specifies the storage medium is not to be construed as storage in the form of transitory signals per se]. Thus, all the claims are within the four potentially eligible categories of invention (a process, a machine and an article of manufacture, respectively), satisfying Step 1 of the Subject Matter Eligibility (SME) test. As per Prong One of Step 2A of the §101 eligibility analysis set forth in MPEP 2106, the Examiner notes that the claims recite mental processes. More specifically, independent claim(s) recite: A retrieving, based on the status change, determining, determining, responsive to determining the user is the owner of the at least one resource, retrieving, based on the employee hierarchy, assigning, assigning individual scores for multiple score types to each of multiple candidate users; [evaluation – mental process] adding the scores of the multiple score types to determine one of the multiple candidate users with a score that meets a threshold to be a trusted potential owner of a resource; [evaluation – mental process] and when multiple candidate users qualify, based on the scores of each of the multiple candidate users, granting ownership access to one of the multiple candidate users with a highest score. [pen/paper – mental process] determining a relationship between access for users and the one or more enterprise resources, and clustering the users based on attributes, roles, and access level to the one or more enterprise resources; [pen/paper, evaluation – mental process] determining a pattern of access control changes based on clusters of resource types and user characteristics to predict new access control privileges; [evaluation – mental process] using the pattern, determining computing confidence for an access control change using the applying an access control update that modifies ownership, wherein the access control update is executed responsive to the confidence meeting the threshold, and in response to applying the access control update which changes resource ownership, transmitting using an enterprise resource access manager, a notification of the resource ownership change. [evaluation] Each of the claimed limitations, but for the computer implementation and machine learning, can be practically performed by a human in the mind or with pen and paper through observation and evaluation steps. The nominal recitation of computer implementation by one or more computer processors does not necessarily preclude the claim from reciting an abstract idea as evidenced by the analysis at Prong 2 of Step 2A. Regarding Prong Two of Step 2A, a claim reciting an abstract idea must be analyzed to determine whether any additional elements in the claim integrate the judicial exception into a practical application. Limitations that are indicative of integration into a practical application include: Improvements to the functioning of a computer, or to any other technology or technical field, as discussed in MPEP 2106.05(a); Applying or using a judicial exception to effect a particular treatment or prophylaxis for disease or medical condition – see Vanda Memo; Applying the judicial exception with, or by use of, a particular machine, as discussed in MPEP 2106.05(b); Effecting a transformation or reduction of a particular article to a different state or thing, as discussed in MPEP 2106.05(c); and Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception, as discussed in MPEP 2106.05(e) and the Vanda Memo issued in June 2018. In this case, the independent claims do not include limitations that meet the criteria listed above, thus the abstract idea is not integrated into a practical application. Independent claim 1 recites each claim limitation performed “by one or more computer processors” and “by a machine learning model” which amounts to using a computer as a tool to perform the abstract idea and does not integrate the abstract idea into a practical application. Independent claim 8 recites a computer program product comprising one or more computer readable storage media; and program instructions stored on the computer readable storage media to implement each of the claim limitations and a machine learning model. This amounts to instructions to perform the abstract idea on a computer and does not integrate the abstract idea into a practical application. Independent claim 15 recites a computer system comprising computer processors; computer readable memories; and computer readable storage media to implement the abstract idea and a machine learning model which amounts to mere instructions to implement the abstract idea on a computer and does not integrate the abstract idea into a practical application. The dependent claims further limit the abstract idea and some recite additional elements that do not integrate the abstract idea into a practical application. Dependent claims 2, 9, 16 recite: determination steps to transfer ownership including assigning a new owner and revoking ownership access. These are mental process steps that include evaluation steps that can be practically performed in the mind or with pen and paper. The one or more computer processors amount to using a computer as a tool to perform the abstract idea and do not integrate the abstract idea into a practical application. Dependent claims 3, 10, 17 recite: a determination step that amounts to a mental process evaluation. The computer processor amounts to using a computer as a tool to perform the abstract idea and do not integrate the abstract idea into a practical application. Dependent claims 4, 11, 18 recite: notification of ownership with which is an abstract mental process that can be practically performed with pen and paper. The computer processor amounts to using a computer as a tool to perform the abstract idea and do not integrate the abstract idea into a practical application. Dependent claims 5, 12, 19 recite: evaluation steps to determine and modify access level changes which are mental processes that can be practically performed with pen and paper. The use of a computer processor amounts to using a computer as a tool to perform the abstract idea and do not integrate the abstract idea into a practical application. Dependent claims 6, 13 recite: wherein the status change of the employment of the user in the enterprise is selected from the group consisting of: a role change, a job change, a department change, a team change, a title change, a level change, a name change, and leaving the enterprise. These are mental process observation steps that can be performed in the mind or with pen and paper. The claims are not integrated into a practical application. Dependent claims 7, 14, 20 recite: observation and evaluation mental process steps. responsive to determining the access level of the user associated with at least one of the one or more enterprise resources needs to change, determining, by one or more computer processors, a confidence in the determination of the needed access level change exceeds a pre-defined threshold. The use of a computer processor amounts to using a computer as a tool to perform the abstract idea and do not integrate the abstract idea into a practical application. The claims do not include limitations beyond generally linking the use of the abstract idea to a particular technological environment. When considered individually, the system and software claim elements only contribute generic recitations of technical elements to the claims. It is readily apparent, for example, that the claim is not directed to any specific improvements of these elements. The invention is not directed to a technical improvement. When the claims are considered individually and as a whole, the additional elements noted above appear to merely apply the abstract concept to a technical environment in a very general sense. Lastly and in accordance with Step 2B, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instruction to apply the exception using generic computer component. Mere instruction to apply an exception using generic computer components cannot provide an inventive concept. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cudmore et al, US 9,465,951, Broderson et al, US 2002/0029161, and Carao et al, US 2024/0362346, in view of Simske et al, US 2011/0209214. As per claims 1, 8, 15 Cudmore et al discloses a computer-implemented method comprising: detecting, by one or more computer processors, a status change of an employment of a user in an enterprise (column 5, lines 25-35 – monitors status change of resource owners); retrieving, by one or more computer processors, an access level of the user associated with one or more enterprise resources (column 5, lines 25-35 – monitors access level of resource users); based on the status change, determining, by one or more computer processors, the access level of the user associated with at least resource one of the one or more enterprise resources needs to change (column 5, line 54 – column 6, line 7 – as roles/profiles change access levels are also modified); determining, by one or more computer processors, whether the user is an owner of the at least one resource (column 5, lines 14-24 – ownership status); responsive to determining the user is the owner of the at least one resource, retrieving, by one or more computer processors, an employee hierarchy (column 5, lines 14-35 – system tracks users and can transfer to a manager or successor upon termination); and based on the employee hierarchy, assigning, by one or more computer processors, temporary ownership of the at least one resource to a first employee of the enterprise (column 5, lines 14-35 – system tracks users and can transfer to a manager or successor upon termination and column 7, lines 47-52 – temporary access identifiers can be provided); Cudmore et al describes a scoring process to certify users based on past performance and to assess trust in a user for granting access to a resource [(column 6, lines 44-67)]. Cudmore et al does not explicitly teach, however Broderson et al discloses an assignment process comprising: assigning individual scores for multiple score types to each of multiple candidate users ([0118 – 0124] – individual scores for each candidate employee); adding the scores of the multiple score types to determine one of the multiple candidate users with a score that meets a threshold to be a trusted potential owner of a resource ([0125] – total score is a sum of scores for each criteria); and when multiple candidate users qualify, based on the scores of each of the multiple candidate users, [choose] one of the multiple candidate users with a highest score ([0125-0126] – assignment engine will either assign the highest scoring employee or display a ranked list). It would have been obvious to one of ordinary skill in the art at the time of the invention to include in the system of Cudmore et al the ability to choose a candidate user as taught by Broderson et al since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. Cudmore et al and Broderson et al fail to explicitly disclose while Carao et al determining a relationship between access for users and the one or more enterprise resources, and clustering the users based on attributes, roles, and access level to the one or more enterprise resources ([0016, 0019 and 0039] – clustering of users based on similarity of users; associated data includes roles, access rights and other digital characteristics); determining a pattern of access control changes based on clusters of resource types and user characteristics to predict new access control privileges ([0020] – access patterns are observed and stored for use with machine learning and [0031, 0038, 0039] for use in modifying access rights for specific users; and using the pattern, determining by a machine learning model, when to apply new access control privileges to the resource ([0031] – access rights are determined based on output of the machine learning model; [0055] – a situation when access modification component transmits to have access be given to a user). It would have been obvious to one of ordinary skill in the art at the time of the invention to include in the system of Cudmore et al and Broderson et al the ability to cluster users and determine access control patterns to apply new privileges as taught by Carao et al since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. Cudmore et al in view of Carao et al discloses using machine learning to apply new access control privileges, but fails to explicitly disclose while Simske et al discloses computing confidence for the access control change and applying an access control update that modifies ownership, wherein the access control update is executed responsive to the confidence meeting the threshold, and in response to applying the access control update which changes resource ownership, transmitting, using an enterprise resource access manager, a notification of the resource ownership change ([0037-0043] – confidence level is generated representative of identification of ownership to grant access level privileges). It would have been obvious to one of ordinary skill in the art at the time of the invention to include in the system of Cudmore et al and Carao et al the ability to determining confidence for access control as taught by Simske et al since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. As per claim 2, 9, 16 Cudmore et al discloses the computer-implemented method of claim 1, further comprising: determining, by one or more computer processors, whether the user is an only owner of the at least one resource (column 5, lines 14-24 – ownership information); responsive to determining the user is the only owner of the at least one resource, determining, by one or more computer processors, one or more ownership candidates (column 5, lines 14-24 – transfer of ownership); based on the determined one or more ownership candidates, assigning, by one or more computer processors, a new owner to the at least one resource (column 5, lines 14-24 – transfer of ownership); revoking, by one or more computer processors, ownership access of the user to the at least one resource (column 5, lines 14-24 – transfer of ownership); and transmitting, by one or more computer processors, a notification of a change of ownership of the at least one resource (column 5, lines 14-24 – ownership assignment). As per claims 3, 10, 17, Cudmore et al discloses the computer-implemented method of claim 2, wherein determining the one or more ownership candidates further comprises: determining, by one or more computer processors, a semantic equivalence between attributes of one or more potential owners and one or more properties of the at least one resource (column 5, lines 14-24 – transfer of ownership to a successor – inherent semantic equivalence given that the successor would be replacing the previous owner). As per claim 4, 11, 18, Cudmore et al discloses the computer-implemented method of claim 2, wherein the notification of a change of ownership of the at least one resource includes at least one of a notification to the user, a notification to the new owner, and a notification to a manager of the user (column 7, lines25-32 – reporting service provide on-demand and off-line reporting regarding access management, ownership, etc.). As per claim 5, 12, 19 Cudmore et al discloses the computer-implemented method of claim 1, further comprising: responsive to determining the user is not the owner of the at least one resource, determining, by one or more computer processors, changes to the access level of the user to the at least one resource (column 4, lines 49-60; column 5, lines 4-24 – ownership service determines if owner has been terminated); and modifying, by one or more computer processors, the access level of the user to the at least one resource (column 5, lines 4-35 ownership is updated once owner is terminated or transferred (access revoked) and access given to successor or manager, for example). As per claims 6, 13, Cudmore et al discloses monitoring changes in status, role, termination, etc., but does not expressly teach the specific status change data as claimed; however, these differences are only found in the non-functional descriptive material and are not functionally involved in the steps recited nor do they alter the recited structural elements. The recited method steps would be performed the same regardless of the specific data. Further, the structural elements remain the same regardless of the specific data. Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP [WP TypographicSymbols font/0x27] 2106. As per claims 7, 14, 20, Cudmore et al discloses the computer-implemented method of claim 1, further comprising: responsive to determining the access level of the user associated with at least one of the one or more enterprise resources needs to change, determining, by one or more computer processors, a confidence in the determination of the needed access level change exceeds a pre-defined threshold (column 4, lines 49-60 – ownership data is correlated to find the highest probability owner of an application). With respect to claims 8-14, Cudmore et al discloses a computer program product comprising: one or more computer readable storage media; program instructions, stored on at least one of the one or more computer readable storage media (at least column 9, line 51 – column 10, lines 37). With respect to claims 15-20, Cudmore et al discloses a computer system comprising: one or more computer processors; one or more computer readable memories; and one or more computer readable storage media; program instructions, stored on at least one of the one or more computer readable storage media for execution by at least one of the one or more computer processors via at least one of the one or more memories (at least column 9, line 51 – column 10, lines 37). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHNNA LOFTIS whose telephone number is (571)272-6736. The examiner can normally be reached M-F 7:00am-3:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached at 571-270-5389. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. JOHNNA LOFTIS Primary Examiner Art Unit 3625 /JOHNNA R LOFTIS/Primary Examiner, Art Unit 3625