DETAILED ACTION
Claims 1-20 are presented for consideration.
Response to Arguments
Applicant's arguments filed 11/13/2025 have been fully considered but they are not persuasive.
As per remarks, Applicants argued that (1) nowhere does Futty, in paragraphs 0046, 0048, and 0050, disclose assigning a criticality level (e.g. low, medium, high, critical) to a user’s access request based on their access risk score, as required by amended claim 1.
As to point (1), Examiner respectfully disagrees because Futty discloses the administrator may use the interactive report to determine how the access risk score of user was calculated and to determine whether user has access to certain resources that user should not have access to; by analyzing and generating data visualization for one or more users or one or more groups of users, ARCM facilitates an administrator easily assessing group permissions and rights to determine whether there is an overlap in access rights, and thus whether any consolidation in access rights is available [ i.e. broadly interpreted as assigning a criticality level to a user’s access request as in claim 1 ] [ paragraphs 0033, and 0034 ]. Furthermore, Futty discloses the claimed limitation of assigning a criticality level to a user’s access request [ i.e. allows manager to determine whether any changes in access rights need to be made, and allows the enterprise to take a proactive approach to ensure the access risk is reasonable and to limit the ability for user to have too much access to any particular resource of the enterprise ] [ paragraphs 0012, and 0046 ].
As per remarks, Applicants argued that (2) nowhere do the Benayed paragraphs disclose determining whether to automatically or manually process a user’s access request based on a criticality level assigned to the user’s access request, as required by claim 1.
As to point (2), Benayed discloses risk assessment comprises a consideration of one or both (i) one or more request characteristics associated with the request to access the computer program and (ii) one or more computer program access criteria, and, upon a determination that the risk assessment is negative, the end user is prompted to perform an authentication activity [ i.e. manually process a user’s access request ] [ Abstract; and paragraphs 0048-0050 ], and paragraph 0058 of Benayed discloses that the end user may seamlessly and automatically access all the applications needed throughout his work day, without having to log-in/authenticate again, assuming the risk engine makes that determination in accordance with its assessment [ i.e. broadly interpreted as automatically processing a user’s access request based on a criticality level assigned to the user’s access request as claimed ]. In addition, Benayed discloses the risk engine determines the risk score accordingly and indicates to the authentication server whether the user should be permitted access to the application or whether another authentication step is required [ paragraph 0049 ]. As such, the claims, as written, are unpatentable over the cited prior art.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Futty [ US Patent Application No 2016/0065608 ] in view of Benayed [ US Patent Application No 2018/0343246 ].
As per claim 1, Futty discloses the invention as claimed including a system for managing a user access request [ i.e. allow users access to certain critical resources ] [ paragraph 0012 ], the system comprising
an access criticality module; and access criticality evaluation computation engine; server computer comprising a processor and a memory coupled to the processor [ Figure 1 ], the memory storing thereon machine executable instructions that when executed cause the processor to:
determine, by the access criticality module, information associated with a user access request [ i.e. access information may include access type, access level, platform, individual access, contractor access, system ID access ] [ paragraphs 0027, and 0029 ];
determine, by the access criticality evaluation computation engine, a risk score associated with the user access request based on the determined information [ i.e. calculate an access risk score for the asset based on one or more risk factors ] [ Abstract; Table 1; and paragraphs 0021, 0026, and 0031 ];
assign, by the access criticality evaluation computation engine, a criticality level to the user access request based on the determined risk score [ i.e. immediately determine a change was made based on the new permission to user, in order to avoid any issue or risk that may be related to user gaining improper access to resource ] [ paragraphs 0046, 0048, and 0050 ].
Futty does not specifically disclose
an automation and prioritization integrator, determine, by the automation and prioritization integrator, whether to automatically or manually process the user access request based on the assigned criticality level; and
an access management module, automatically or manually process, by the access management module, the user access request based on a determination of the automation and prioritization integrator.
Benayed discloses
an automation and prioritization integrator, determine, by the automation and prioritization integrator, whether to automatically or manually process the user access request based on the assigned criticality level [ i.e. the risk engine may be used to determine whether the desired activity can be permitted or if further validation of credentials is required ] [ paragraphs 0040, 0052 and 0062 ]; and
an access management module, automatically or manually process, by the access management module, the user access request based on a determination of the automation and prioritization integrator [ i.e. the end user may be able to seamlessly and automatically access all the applications needed through his work day, without having to log-in/authenticate again, assuming the risk engine makes that determination in accordance with its assessment ] [ paragraphs 0058, 0064 and 0065 ].
It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Futty and Benayed because the teaching of Benayed would provide a platform that allows users to log on to any of multiple distinct clients and access computer programs using single sign-on functionality [ Benayed, paragraph 0027 ].
As per claim 2, Futty discloses wherein the access criticality module further comprises: an entitlement criticality model, determine, by the entitlement criticality model, information associated with an access type of the user access request [ i.e. retrieve information from resource reference database ]; a user criticality model, determine, by the user criticality model, information associated with an identity of the user access request [ i.e. user reference database ] [ paragraphs 0013, 0019, and 0042 ]; and a dynamic criticality model, determine, by the dynamic criticality model, information associated with a combination of the access type and the identity of the user access request [ i.e. communicate a notification corresponding to the change based at least in part upon the determination of the change in the access right ] [ paragraphs 0019, 0030, and 0050 ].
As per claim 3, Futty discloses wherein the access criticality evaluation computation engine further comprises: an entitlement risk scorer, determine, by the entitlement risk scorer, a risk score associated with an access type of the user access request; a user risk scorer, determine, by the user risk scorer, a risk score associated with an identity of the user access request; and a dynamic risk scorer, determine, by the dynamic risk scorer, a risk score associated with a combination of the access type and the identity of the user access request [ i.e. update risk score to reflect the changes ] [ Table 1; and paragraphs 0035, and 0049 ].
As per claim 4, Futty discloses a repository and automation policy module comprising a repository and an automation policy [ 136, 131, 140, Figure 1; and paragraph 0013 ].
As per claim 5, Benayed discloses wherein the repository stores a processing history for the user access request [ i.e. previous authentication/login ] [ paragraph 0040 ], and wherein the automation policy defines how the determination of the automation and prioritization integrator is to be made [ i.e. rule/weight storage/database used by risk engine ] [ paragraphs 0028, and 0043 ].
As per claim 6, Benayed discloses generate a prioritization for the user access request based on the assigned criticality level and based on a determination that the user access request is to be manually processed [ i.e. authentication should be revalidated or further validation required ] [ paragraphs 0050, and 0052 ].
As per claim 7, Futty discloses wherein the generated prioritization comprises a visual indicator visible to a user access request reviewer, and wherein the visual indicator corresponds to the assigned criticality level [ i.e. allow the administrator to click on user to view one or more pieces of information, the admin may use the interactive report to determine how the access risk score of user was calculated and to determine whether user has access to certain resources that user should not have access to ] [ Figure 2; and paragraph 0033 ].
As per claim 8, Futty discloses the invention as claimed including a computer-implemented method for managing a user access request [ i.e. allow users access to certain critical resources ] [ paragraph 0012 ], the computer-implemented method comprising:
determining, based on an entitlement criticality model and entitlement metadata, an entitlement risk score of a user access request, wherein the entitlement risk score relates to a risk associated with an access type of the user access request [ i.e. access information may include access type, access level, platform ] [ Table 1; paragraphs 0027-0029 ];
determining, based on a user criticality model and user metadata, a user risk score of the user access request, wherein the user risk score relates to a risk associated with an identity of the user access request [ i.e. retrieve the access information of a user, a group, team member ] [ Table 1; paragraphs 0018, 0019, and 0028 ];
determining an overall risk score of the user access request based on a combination of the entitlement risk score and the user risk score [ i.e. overall access risk score ] [ paragraphs 0031, and 0045 ].
Futty does not specifically disclose
assigning, based on the overall risk score, a criticality level to the user access request, wherein the criticality level is one of a first criticality level or a second criticality level that is greater than the first criticality level;
automatically processing, based on the first criticality level being assigned to the user access request, the user access request by an access management system; and
processing, based on the second criticality level being assigned to the user access request, the user access request by an access management system based on an external input received by the access management system.
Benayed discloses
assigning, based on the overall risk score, a criticality level to the user access request, wherein the criticality level is one of a first criticality level or a second criticality level that is greater than the first criticality level [ i.e. critical computer programs/applications may be associated with a higher minimum authentication weight than non-critical computer programs/applications ] [ paragraphs 0043, 0045, and 0062 ];
automatically processing, based on the first criticality level being assigned to the user access request, the user access request by an access management system [ i.e. the end user may be able to seamlessly and automatically access all the applications needed through his work day, without having to log-in/authenticate again, assuming the risk engine makes that determination in accordance with its assessment ] [ paragraphs 0058, 0064 and 0065 ]; and
processing, based on the second criticality level being assigned to the user access request, the user access request by an access management system based on an external input received by the access management system [ i.e. authentication should be revalidated or further validation required ] [ paragraphs 0050, and 0052 ].
It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Futty and Benayed because the teaching of Benayed would provide a platform that allows users to log on to any of multiple distinct clients and access computer programs using single sign-on functionality [ Benayed, paragraph 0027 ].
As per claim 9, Futty discloses wherein the determining the entitlement risk score comprises: collecting data from at least one of a configuration management database, an identity and access management database, or a target application, wherein the data comprises at least one of entitlement data or application data; sending the data to a rule engine to generate the entitlement metadata; and calculating the entitlement risk score based on the entitlement metadata [ i.e. rules refers to policies or directions for determining one or more risk categories ] [ paragraphs 0023, 0026, and 0030 ].
As per claim 10, Futty discloses wherein the determining the user risk score comprises: collecting data from a human resources system, wherein the data comprises at least one of a user type, a user hierarchy level, a user location, or a user length of service of a user associated with the user access request; and calculating the user risk score based on the data [ i.e. human resource ] [ paragraph 0019 ].
As per claim 11, Futty discloses wherein determining the overall risk score further comprises: determining that the user access request is an outlier compared to a plurality of user access requests associated with a plurality of users of a peer group; or determining that the user access request violates segregation of duty; or determining that the user access request has been previously processed by an external input received by the access management system; and calculating the overall risk score based on a combination of each determination [ i.e. excessive outlier access ] [ paragraphs 0031, and 0045 ].
As per claim 12, Futty discloses determining an updated entitlement risk score of the user access request; determining an updated user risk score of the user access request; determining an updated overall risk score of the user access request based on a combination of the updated entitlement risk score and the updated user risk score; assigning, based on the updated overall risk score, an updated criticality level to the user access request, wherein the updated criticality level is one of the first criticality level or the second criticality level; generating a user access re-processing request based on the updated criticality level being different than the criticality level; and maintaining user access based on the updated criticality level being identical to the criticality level [ i.e. when user changes roles, user may receive higher access level, the information may be updated to reflect those changes ] [ paragraphs 0019, 0030, and 0035 ].
As per claim 13, Benayed discloses automatically processing, based on the updated criticality level being the first criticality level and the criticality level being the second criticality level, the user access re-processing request by the access management system; and processing, based on the updated criticality level being the second criticality level and the criticality level being the first criticality level, the user access re-processing request by the access management system based on an external input received by the access management system [ i.e. authentication weight is calculated based on this new authentication request ] [ paragraphs 0036, 0042, and 0053 ].
As per claim 14, Benayed discloses storing the user access request in a processing history repository based on the user access request being processed [ i.e. previous authentication/login ] [ paragraph 0040 ].
As per claims 15-18, they are rejected for similar reasons as stated above in claims 8-11.
As per claim 19, Benayed discloses prioritizing each user access request of the second set of requests based on at least one of the criticality level or a process history associated with each user access request, wherein processing each user access request of the second set of requests by an access management system based on an external input received by the access management system is further based on the prioritization of each user access request [ i.e. authentication weight is calculated based on this new authentication request ] [ paragraphs 0036, 0042, and 0053 ].
As per claim 20, it is rejected for similar reasons as stated above in claim 14.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971. The examiner can normally be reached Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis, can be reached at 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUSTIN NGUYEN/Primary Examiner, Art Unit 2446