DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed 11/13/2025 have been fully considered.
Applicant argues that the amendments to the claims overcome the 112(b) rejections. In response to the argument, Examiner respectfully agrees in-part. Most of the 112(b) rejections are overcome. Claim 5 is still unclear and Claim 11 now has an 112(b) issue introduced with the amendments.
Examiner note: most of the claims no longer invoke 112(f) claim interpretation. Claim 4 still invokes 112(f) claim interpretation.
Applicant argues that the amendments to Claim 14 overcome the 101 software per se rejection. In response to the argument, Examiner respectfully agrees. The 101 software per se rejection is withdrawn.
Applicant argues that the amendments to the claims overcome the PEG rejection.
In response to the argument, Examiner respectfully disagrees.
I. Step 2A, Prong one: Applicant argues that the claimed invention is a technological improvement in information technology infrastructure that enables continuous operation of the infrastructure despite the absence of an original administrator and that the continuous monitoring of a user cannot be performed as mental steps.
In response to the argument, Examiner respectfully disagrees. The claimed invention falls into the category of mental processes. The claimed invention is about determining if a user is absent based on user activity. The monitoring of user activity is not defined at a level where a person using mental steps/processes could not accomplish them. The steps claimed can be done by human using mental processes as monitoring of workers is a well-known task of managers. The claimed technology is generic and the claim recites these steps at a very broad level.
I. Step 2A, Prong two: Applicant argues that the claimed invention is a technological improvement in information technology infrastructure that enables continuous operation of the infrastructure despite the absence of an original administrator and that the claimed invention is integrated into a practical application.
In response to the argument, Examiner respectfully disagrees. Although the use of a computer system is incorporated in the recited claim, there is no level of detail recited in the claim to overcome that the steps may be performed mentally. There is a plurality of users recited, however the amount of users that may be tracked (on the low range) as recited in the claim is two users. To determine if two users/workers are absent is not a mental hardship.
II. Step 2B, Significantly More than the judicial exception: Applicant argues that the claimed invention recites elements that are significantly more than the judicial exception.
In response to the argument, Examiner respectfully disagrees. The recited elements in the claim do not provide significantly more than the judicial exception. The recited limitations can be performed mentally. The limitations allow for a rule to be applied to determine if a user is absent – based on user activity. This rule could be a mental step rule, for example, if a person is not responsive to phone calls or doesn’t show up to work a certain number of times then this “rule” is applied and determines that the user is absent and the work must be assigned to another worker. The set of authorities that are assigned can be the tasks that are assigned/transferred to another user. The claim does not recite further details to define or further limit what assigning a set of authorities requires or entails.
Applicant argues that the prior art of record does not teach on the amendments to the claims. In particular, that the prior art of record does not teach on determining if an administrator is absent, choosing a successor based on this determination and assigning a set of authorities to the successor.
In response to the argument, Examiner respectfully disagrees. The amendment to the claims changes the scope of the invention. Applicant included new amendments (assigning the user a set of authorities automatically) and incorporated the limitations of Claim 12 into the independent claims. Claim 12 has been cancelled. Gopinathapai teaches on users that will change roles or move away and on assigning/changing access (a set of authorities) to systems based on the user’s role. However, Gopinathapai is silent on the term “absent”. Ferrara teaches on the determination if a user is “absent”. The claim does not require that the same position or authorities of the administrator being reassigned to the successor. The claim assigns a new administrator (ie. successor) with a new set of authorities (ie. permissions/access). Gopinathapai teaches on this concept but, as mentioned above, is silent on the term “absent”. Gopinathapai still teaches on most of the limitations of the independent claims.
Gopinathapai teaches that the access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions ([0018]). However, Gopinathapai is silent on that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information.
Ferrara teaches that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. See Ferrara, Col 8 ln 13-28, When the access tool receives a notice of a role change or a position change, the access tool 118 may automatically modify some of the user access to the restricted assets 110-116. For example, when the employee database 120 indicates that Vicky 108 is transferred from the finance department to the accounting department, the access tool 118 removes Vicky's user maintenance role for the finance application 116, but retains approval of Vicky's administrator role for the network analysis application for the finance department manager to review. The frame 300 may be displayed on the asset manager interface 128 or another asset manager interface, such as when an asset manager is on vacation and designates another asset manager to manage access to the assets of the vacationing asset manager during the vacationing asset manager's absence.
It would have been obvious to modify Gopinathapai per Ferrara as this would allow the modified system to ensure security of resources, such that access of a user that is absent is properly managed (revoked, suspended).
Please see update rejection in view of:
Claim(s) 1-9, 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0358778 A1 (Gopinathapai) in view of US 8327457 B1 (Ferrara).
Claim(s) 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0358778 A1 (Gopinathapai) in view of US 8327457 B1 (Ferrara) further in view of US 2015/0371031 A1 (Ueno).
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: Claim 4 recites “an activity history acquisition unit configured to” in line 5.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Support can be found in the specification: structure, Figs 1-2 & 20, pp 52-52 and algorithm Figs 2-19, pp 10-52.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
35 U.S.C. 112(b):
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claim(s) 5-11 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 5 recites the limitation “acquire the activity history for each user having a role that is an evaluation target of the activity history” in 3-5. This renders the claim unclear as there is insufficient antecedent basis for this limitation in the claim. It is unclear as to what “that” refers to. For example, for clarity, should the claim read “acquire the activity history for each user having a role, wherein the role is an evaluation target of the activity history” ?
Claim 11 recites the limitation “the ranking acquisition unit” in line 11. This renders the claim unclear as there is insufficient antecedent basis for this limitation in the claim. Claim 11 depends on Claim 10 and previous limitations do not recite “a ranking acquisition unit”. {amendment to Claim 10 removed “a ranking acquisition unit”}
All dependents are also rejected as having the same deficiencies as the claims from which they depend.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
PEG:
Claims 1-11, 13-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claim(s) recite(s):
“accessing a successor selection rule management table in which a successor selection rule is managed, the successor selection rule being usable to select a successor of an administrator of infrastructure management information when the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information;
monitoring activity history of users in a resource and evaluating the activity history for each user; monitoring activity of the administrator for determining whether the administrator is absent by applying the administrator absence determination rule;
based on application of the administrator absence determination rule indicating that the administrator is absent, applying an evaluation result of the activity history of each user to the successor selection rule to select a user to be automatically assigned a set of authorities corresponding to an administrator role as a successor of the administrator following detection of absence of the administrator;
based on application of the administrator absence determination rule indicating that the administrator is absent, automatically assigning, to the selected user, the set of authorities corresponding to the administrator role to set the selected user as the successor.”
These limitations are directed to the abstract idea: “Mental Processes: concepts performed in the human mind (including an observation, evaluation, judgment, opinion)”. This is explained in detail below. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea.
The 2019 Revised Patent Subject Matter Eligibility Guidance (hereinafter “2019 PEG”) published in January 2019 requires a three step analysis to determine if the claims are directed to a judicial exception that is not “significantly more.” Step 1 asks whether the claims are directed to one of the four statutory categories of invention. Step 2A: Sets forth new procedure for Step 2A (called “revised Step 2A”) under which a claim is not “directed to” a judicial exception unless the claim satisfies a two-prong inquiry. Step 2B determines whether the claim recites additional elements that amount to significantly more than the judicial exception.
Step 1: Claims 1-11 are directed to “A successor setting system”. Claim 13 is directed to “A successor setting method” and Claim 14 is directed to “A non-transitory storage medium storing a program”. Claims 1-11, 13-14 fall under statutory categories of invention.
Step 2A: The claimed invention is directed to the abstract idea: Mental Processes: concepts performed in the human mind (including an observation, evaluation, judgment, opinion).
Independent claims 1, 13, 14 recite features: … monitoring activity history of users in a resource and evaluating the activity history for each user; monitoring activity of the administrator for determining whether the administrator is absent by applying the administrator absence determination rule;
based on application of the administrator absence determination rule indicating that the administrator is absent, applying an evaluation result of the activity history of each user to the successor selection rule to select a user to be automatically assigned a set of authorities corresponding to an administrator role as a successor of the administrator following detection of absence of the administrator;
based on application of the administrator absence determination rule indicating that the administrator is absent, automatically assigning, to the selected user, the set of authorities corresponding to the administrator role to set the selected user as the successor.
There is no technical detail in the limitations above to describe further the method of selecting a successor if an IT manager is found to be no longer able to manage. The monitoring of user activity, the determination (based on the user activity and application of a rule) that the user is absent – is recited very broadly with no limits as to the number of users that are being monitored, nor is the administrator absence determination rule and its application further defined. The newly amended feature of automatically assigning a set of authorities to the new user (successor) is also recited without further definition/limiting of what this might entail beyond mental steps of assigning a new user the tasks that were previously managed by the previous user. These steps can be performed mentally as these features are recited at a high level of generality which does not transform the abstract idea above into a patentable invention.
The limitations above, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation by mental processes but for recitation of generic computer components. Accordingly, the claims recite abstract idea.
Further, the abstract idea is not integrated into a practical application. In particular, the claims recite additional elements – using a computer processor and a non-transitory computer memory to perform the collecting, storing, defining, defining, and storing steps. The computer processor and non-transitory computer memory in these steps is related at a high-level of generality (i.e., as a generic device performing a generic computer function of performing an action based on received input) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.
As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computer processor and a non-transitory computer memory to perform the collecting, storing, processing, receiving, applying, and assessing steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Since all of the elements fail to provide an inventive concept when considered alone, and in combination the claimed invention is directed towards a judicial exception of an abstract idea and claims 1, 13, 14 are not patent eligible.
Additionally, the dependent claims 2-12 have been considered and found to be directed towards the same abstract idea, mental processes, without significantly more as indicated above.
Dependent Claims:
Claim 2: wherein an evaluation method for the activity history, and processing performed on a corresponding user by the evaluation method for the activity history are defined for each user in the successor selection rule management table.
Claim 3: wherein in the infrastructure management information, in addition to a user who operates the resource, the resource and an authority for the user to operate the resource are managed, and in the successor selection rule management table, the evaluation method for the activity history and the processing performed on the corresponding user are defined for each piece of the infrastructure management information and for each role by which the authority for the user to operate the resource is defined.
Claim 4: wherein the computer is further configured by the executable program to: associate the infrastructure management information with the evaluation method for the activity history, and change an activity history acquisition unit configured to acquire the activity history of the user in the resource where the user is active.
Claim 5: wherein based on the infrastructure management information defined in the successor selection rule, the computer is further configured by the executable program to: acquire the activity history for each user having a role that is an evaluation target of the activity history.
Claim 6: wherein the computer is further configured by the executable program to: change an activity history evaluation unit defined in the evaluation method for the activity history and evaluate the activity history of the resource where the user is active.
Claim 7: wherein at least one of the following actions is changeable: processing for selecting a user having a highest evaluation result as the successor; or processing for notifying the user selected as the successor as the processing performed on the corresponding user by the evaluation method for the activity history.
Claim 8: wherein the computer is further configured by the executable program to: calculate a ranking of the evaluation result for the required activity history.
Claim 9: wherein the computer is further configured by the executable program to: calculate a plurality of the evaluation results by a combination of four arithmetic operation symbols or a logical operation symbol defined in the successor selection rule.
Claim 10: wherein the computer is further configured by the executable program to: acquire a result of the ranking and output the result of the ranking to another system or device that issues an instruction to acquire the result of the ranking.
Claim 11: wherein the computer is further configured by the executable program to: monitor whether a current date and time exceed a date and time defined by a schedule for selecting the successor, wherein when the current date and time exceed the date and time defined by the schedule for selecting the successor, execute an action on the user, and select the selected user as the successor based on the result of the ranking acquired by the ranking acquisition unit for the selected user being highest.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-9, 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0358778 A1 (Gopinathapai) in view of US 8327457 B1 (Ferrara).
Regarding Claim 1:
Gopinathapai teaches A successor setting system comprising a computer configured by an executable program for enabling continuous operation of an information technology infrastructure, the executable program configuring the computer to:
access a successor selection rule management table in which a successor selection rule is managed, ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104. [0026] the data store 104 may store its access right data in the table(s) and column(s) of a relational database that is accessible using a database management system (DBMS).)
the successor selection rule being usable to select a successor of an administrator of infrastructure management information by which users who operate a resource are managed when the administrator is determined to be changed based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information; ([0018] In order to ensure the computing system remains secure, periodic reviews of those access rights are performed to reconcile the access rights provisioned for the users and the access rights those users are authorized to possess. The access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions. [0016] As discussed above, enterprises may provision users with various access rights to the computing resources of its computing systems. Computing resources may include hardware, software, data, interfaces, and other components of a computing system.)
monitor activity history of the users in the resource; ([0018] In order to ensure the computing system remains secure, periodic reviews of those access rights are performed to reconcile the access rights provisioned for the users and the access rights those users are authorized to possess. The access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions.)
monitor activity of the administrator for determining whether the administrator is changed by applying the administrator absence determination rule; based on application of the administrator absence determination rule indicating that the administrator is changed, apply an evaluation result obtained by evaluating the activity history for each user to the successor selection rule to select a user who is to be automatically assigned a set of authorities corresponding to an administrator role as the successor of the administrator following detection of change of the administrator; ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104, identify frequent patterns of access rights based on the access right data retrieved, determine potential bundles of access rights based on the frequent patterns identified, evaluate the potential bundles of access rights determined, and determine roles based on the evaluations of the potential bundles of access rights.)
and based on application of the administrator absence determination rule indicating that the administrator is changed, automatically assign, to the selected user, the set of authorities corresponding to the administrator role to set the selected user as the successor. ([0025] The access right provisioner 106 may also be configured to update the access right data stored in the data store 104 when provisioning a role to a user of an RBAC computing system. Such updates may include creating and/or modifying access right data that indicates a user is assigned to the defined role. Such updates may also include modifying or deleting access right data to remove the access right(s) of the user that the defined role is intended to replace.)
Gopinathapai teaches that the access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions ([0018]). However, Gopinathapai is silent on that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information.
Ferrara teaches, in the same field of endeavor, a system for managing asset access, Abstract.
Ferrara also teaches that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. (Col 8 ln 13-28, When the access tool receives a notice of a role change or a position change, the access tool 118 may automatically modify some of the user access to the restricted assets 110-116. For example, when the employee database 120 indicates that Vicky 108 is transferred from the finance department to the accounting department, the access tool 118 removes Vicky's user maintenance role for the finance application 116, but retains approval of Vicky's administrator role for the network analysis application for the finance department manager to review. The frame 300 may be displayed on the asset manager interface 128 or another asset manager interface, such as when an asset manager is on vacation and designates another asset manager to manage access to the assets of the vacationing asset manager during the vacationing asset manager's absence.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Gopinathapai per Ferrara to include that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. This would have been advantageous as discussed above, as this would allow the modified system to ensure security of resources, such that access of a user that is absent is properly managed (revoked, suspended).
Regarding Claim 13:
Gopinathapai teaches A successor setting method for enabling continuous operation of an information technology infrastructure, the method comprising:
accessing a successor selection rule management table in which a successor selection rule is managed, the successor selection rule being usable to select a successor of an administrator of infrastructure management information when the administrator is determined to be changed based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information; ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104. [0026] the data store 104 may store its access right data in the table(s) and column(s) of a relational database that is accessible using a database management system (DBMS).)
monitoring activity history of users in a resource and evaluating the activity history for each user; ([0018] In order to ensure the computing system remains secure, periodic reviews of those access rights are performed to reconcile the access rights provisioned for the users and the access rights those users are authorized to possess. The access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions. [0016] As discussed above, enterprises may provision users with various access rights to the computing resources of its computing systems. Computing resources may include hardware, software, data, interfaces, and other components of a computing system.)
monitoring activity of the administrator for determining whether the administrator is changed by applying the administrator absence determination rule; based on application of the administrator absence determination rule indicating that the administrator is changed, applying an evaluation result of the activity history of each user to the successor selection rule to select a user to be automatically assigned a set of authorities corresponding to an administrator role as a successor of the administrator following detection of change of the administrator; ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104, identify frequent patterns of access rights based on the access right data retrieved, determine potential bundles of access rights based on the frequent patterns identified, evaluate the potential bundles of access rights determined, and determine roles based on the evaluations of the potential bundles of access rights.)
based on application of the administrator absence determination rule indicating that the administrator is changed, automatically assigning, to the selected user, the set of authorities corresponding to the administrator role to set the selected user as the successor. ([0025] The access right provisioner 106 may also be configured to update the access right data stored in the data store 104 when provisioning a role to a user of an RBAC computing system. Such updates may include creating and/or modifying access right data that indicates a user is assigned to the defined role. Such updates may also include modifying or deleting access right data to remove the access right( s) of the user that the defined role is intended to replace.)
Gopinathapai teaches that the access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions ([0018]). However, Gopinathapai is silent on that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information.
Ferrara teaches that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. (Col 8 ln 13-28, When the access tool receives a notice of a role change or a position change, the access tool 118 may automatically modify some of the user access to the restricted assets 110-116. For example, when the employee database 120 indicates that Vicky 108 is transferred from the finance department to the accounting department, the access tool 118 removes Vicky's user maintenance role for the finance application 116, but retains approval of Vicky's administrator role for the network analysis application for the finance department manager to review. The frame 300 may be displayed on the asset manager interface 128 or another asset manager interface, such as when an asset manager is on vacation and designates another asset manager to manage access to the assets of the vacationing asset manager during the vacationing asset manager's absence.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Gopinathapai per Ferrara to include that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. This would have been advantageous as discussed above, as this would allow the modified system to ensure security of resources, such that access of a user that is absent is properly managed (revoked, suspended).
Regarding Claim 14:
Gopinathapai teaches A non-transitory storage medium storing a program which, when executed by a computer, causes the computer to perform operations for enabling continuous operation of an information technology infrastructure, ([0089] Software may be stored within memory 515 and/or storage to provide instructions to processor 503 for enabling role discoverer 501 to perform various functions as discussed herein) causing a computer (Fig 5, Role Discoverer 501, Fig 2, The role discoverer 102.) the operations comprising:
accessing a successor selection rule management table in which a successor selection rule is managed, the successor selection rule being usable to select a successor of an administrator of infrastructure management information when the administrator is determined to be changed based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information; ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104. [0026] the data store 104 may store its access right data in the table(s) and column(s) of a relational database that is accessible using a database management system (DBMS).)
monitoring activity history of users in a resource and evaluating the activity history for each user; ([0018] In order to ensure the computing system remains secure, periodic reviews of those access rights are performed to reconcile the access rights provisioned for the users and the access rights those users are authorized to possess. The access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions. [0016] As discussed above, enterprises may provision users with various access rights to the computing resources of its computing systems. Computing resources may include hardware, software, data, interfaces, and other components of a computing system.)
monitoring activity of the administrator for determining whether the administrator is changed by applying the administrator absence determination rule; based on application of the administrator absence determination rule indicating that the administrator is changed, applying an evaluation result of the activity history of each user to the successor selection rule used to select a user to be automatically assigned a set of authorities corresponding to an administrator role as a successor of the administrator following detection of change of the administrator; ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104, identify frequent patterns of access rights based on the access right data retrieved, determine potential bundles of access rights based on the frequent patterns identified, evaluate the potential bundles of access rights determined, and determine roles based on the evaluations of the potential bundles of access rights.)
based on application of the administrator absence determination rule indicating that the administrator is changed, automatically assigning, to the selected user, the set of authorities corresponding to the administrator role to set the selected user as the successor. ([0025] The access right provisioner 106 may also be configured to update the access right data stored in the data store 104 when provisioning a role to a user of an RBAC computing system. Such updates may include creating and/or modifying access right data that indicates a user is assigned to the defined role. Such updates may also include modifying or deleting access right data to remove the access right(s) of the user that the defined role is intended to replace.)
Gopinathapai teaches that the access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions ([0018]). However, Gopinathapai is silent on that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information.
Ferrara teaches that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. (Col 8 ln 13-28, When the access tool receives a notice of a role change or a position change, the access tool 118 may automatically modify some of the user access to the restricted assets 110-116. For example, when the employee database 120 indicates that Vicky 108 is transferred from the finance department to the accounting department, the access tool 118 removes Vicky's user maintenance role for the finance application 116, but retains approval of Vicky's administrator role for the network analysis application for the finance department manager to review. The frame 300 may be displayed on the asset manager interface 128 or another asset manager interface, such as when an asset manager is on vacation and designates another asset manager to manage access to the assets of the vacationing asset manager during the vacationing asset manager's absence.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Gopinathapai per Ferrara to include that the administrator is determined to be absent based on an administrator absence determination rule and thereby unable to continue managing the infrastructure management information. This would have been advantageous as discussed above, as this would allow the modified system to ensure security of resources, such that access of a user that is absent is properly managed (revoked, suspended).
Regarding Claim 2:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 1 as described.
Gopinathapai teaches wherein an evaluation method for the activity history, and processing performed on a corresponding user by the evaluation method for the activity history are defined for each user in the successor selection rule management table. ([0024] The role discoverer 102 may be configured to retrieve the access right data stored at the data store 104, identify frequent patterns of access rights based on the access right data retrieved, determine potential bundles of access rights based on the frequent patterns identified, evaluate the potential bundles of access rights determined, and determine roles based on the evaluations of the potential bundles of access rights.)
Regarding Claim 3:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 2 as described.
Gopinathapai teaches wherein in the infrastructure management information, in addition to a user who operates the resource, the resource and an authority for the user to operate the resource are managed, ([0018] In order to ensure the computing system remains secure, periodic reviews of those access rights are performed to reconcile the access rights provisioned for the users and the access rights those users are authorized to possess. The access rights users are authorized to possess may change over time, for example, as those users change job roles, move to new business divisions.)
and in the successor selection rule management table, the evaluation method for the activity history and the processing performed on the corresponding user are defined for each piece of the infrastructure management information and for each role by which the authority for the user to operate the resource is defined. ([0018] Periodic reviews of such access rights thus allow an enterprise to identify access rights a user is not authorized to possess as well as access rights a user should, but does not currently, posses. Based on these access right reviews, the enterprise may take remedial measures to align the users' access rights with what they are authorized to possess. Such remedial measures may include granting and/or revoking permissions to computing resources of the computing system. [0025] The access right provisioner 106 may also be configured to update the access right data stored in the data store 104 when provisioning a role to a user of an RBAC computing system. Such updates may include creating and/or modifying access right data that indicates a user is assigned to the defined role. Such updates may also include modifying or deleting access right data to remove the access right(s) of the user that the defined role is intended to replace.)
Regarding Claim 4:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 3 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: associate the infrastructure management information with the evaluation method for the activity history, and change an activity history acquisition unit (ie. modify roles) configured to acquire the activity history of the user in the resource where the user is active (ie. users’ current access rights). ([0025] The access right provisioner 106 may also be configured to update the access right data stored in the data store 104 when provisioning a role to a user of an RBAC computing system. Such updates may include creating and/or modifying access right data that indicates a user is assigned to the defined role. Such updates may also include modifying or deleting access right data to remove the access right(s) of the user that the defined role is intended to replace.)
Regarding Claim 5:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 4 as described.
Gopinathapai teaches wherein based on the infrastructure management information defined in the successor selection rule, the computer is further configured by the executable program to: acquire the activity history for each user having a role that is an evaluation target of the activity history. ([0018] Periodic reviews of such access rights thus allow an enterprise to identify access rights a user is not authorized to possess as well as access rights a user should, but does not currently, posses. Based on these access right reviews, the enterprise may take remedial measures to align the users' access rights with what they are authorized to possess. Such remedial measures may include granting and/or revoking permissions to computing resources of the computing system.)
Regarding Claim 6:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 5 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: change an activity history evaluation unit defined in the evaluation method for the activity history (ie. modify permissions) and evaluate the activity history of the resource where the user is active (ie. users’ current access rights). ([0018] Periodic reviews of such access rights thus allow an enterprise to identify access rights a user is not authorized to possess as well as access rights a user should, but does not currently, posses. Based on these access right reviews, the enterprise may take remedial measures to align the users' access rights with what they are authorized to possess. Such remedial measures may include granting and/or revoking permissions to computing resources of the computing system.)
Regarding Claim 7:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 5 as described.
Gopinathapai teaches wherein at least one of the following actions is changeable: processing for selecting a user having a highest evaluation result (ie. highest threshold similarity) as the successor; ([0068] The similarity evaluation may thus be used to determine which users and, in turn, how many users of the computing system may be eligible to be assigned to a role corresponding to a particular candidate bundle of permissions if defined as a role. The role discoverer may also apply a minimum similarity constraint to determine whether a user would be eligible to be assigned a role. The minimum similarity constraint may indicate a threshold similarity x or x % (e.g., 0.8 or 80%) between a candidate permission bundle and a user's currently assigned set of permissions in order for that user to be eligible to be assigned to a role corresponding to that bundle of permissions. [0072] An eligibility evaluation may, for example, determine the number of users that would be eligible to be assigned a role based on a particular candidate access right bundle.)
Regarding Claim 8:
Gopinathapai (as modified by Ferrara)teaches on the invention of Claim 6 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: calculate a ranking of the evaluation result for the required activity history. ([0043] At step 208, the role discoverer 102 may evaluate one or more of the generated candidate permission bundles according to various criteria. Such criteria may include a confidence that a particular candidate permission bundle should include one or more particular permissions, whether the candidate permission bundle includes a threshold number of permissions, the similarity between a particular candidate permission bundle and the existing set of access rights assigned to a user, a determination of the impact a role based on the candidate permission bundle would have on the existing access rights assigned to users of a computing system if that role replaced at least some of those existing access rights, and the like. Evaluation of the generated candidate permission bundles may also include ranking the generated bundles and/or selecting one or more of the generated bundles to use for defining a corresponding role of an RBAC computing system.)
Regarding Claim 9:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 8 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: calculate a plurality of the evaluation results by a combination of four arithmetic operation symbols or a logical operation symbol defined in the successor selection rule. ([0052]-[0059] The role discoverer may generate the tree data structure 308 in accordance with an PP-Growth algorithm. Symbols: counts (+), percentage (%), equal to (=), not equal (≠), less than (<). [0052] To reduce the potential sets of access rights to consider for possible role definition, the role discoverer may apply one or more constraints to the access rights identified from the access right data obtained. For instance, the role discoverer may use the ordered item set table 304 to determine which access rights correspond to the lowest x % of frequencies.)
Claim(s) 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0358778 A1 (Gopinathapai) in view of US 8327457 B1 (Ferrara) further in view of US 2015/0371031 A1 (Ueno).
Regarding Claim 10:
Gopinathapai (as modified by Ferrara) teaches on the invention of Claim 8 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: acquire a result of the ranking and output the result of the ranking to another system or device ([0040] In FIG. 2, at step 202, the role discoverer 102 may retrieve access right data from the data store 104. Such retrieval may be triggered by user input received from an operator of the role discoverer 102 ( e.g., an IT administrator), by an instruction received from another computing device, or by the expiration of a time period. In other words, the role discoverer 102 may retrieve access right data in response to receipt of a request (e.g., from an operator or other computing device) and/or automatically ( e.g., a regular or irregular intervals). [0043] Evaluation of the generated candidate permission bundles may also include ranking the generated bundles and/or selecting one or more of the generated bundles to use for defining a corresponding role of an RBAC computing system. [0045] At step 212, the role discoverer 102 may provide the defined roles to the access right provisioner 106. The role discoverer 102 may also provide the access right provisioner 106 with an indication of which user(s) the provided role(s) should be assigned to (or otherwise associated with).)
Gopinathapai teaches on acquiring a result of the ranking ([0043][0068]) and that the role discoverer 102 is triggered to create the evaluation result (which includes ranking) based on a request from another computing device and outputs the results to the access right provisioner 106. However, Gopinathapai (as modified by Ferrara) is silent on wherein the computer is further configured by the executable program to: acquire a result of the ranking and output the result of the ranking to another system or device that issues an instruction to acquire the result of the ranking.
Ueno teaches, in the same field of endeavor, a method including receiving a request for processing which is preceded by an authorization process for a source of the request, where the authorization process is performed based on authorization information, Abstract.
Ueno also teaches acquire a result of the authorization processing and output the result of the authorization processing to another system or device that issues an instruction to acquire the result of the authorization processing. ([0092] Processing 808 of receiving operation results from a management device is performed. In processing 808, the management server device 210 receives results of the operations requested in processing 806. [0093] Processing 810 of notifying the user of a processing result is performed. In processing 810, based on the operation results received in processing 808, the user is notified of a result of processing. The notification tells the user that the requested processing has been performed as expected and thus the desired virtual system becomes available, or the desired virtual system is not available.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Gopinathapai (as modified by Ferrara) by modifying Gopinathapai per Ueno to include acquire a result of the ranking and output the result of the ranking to another system or device that issues an instruction to acquire the result of the ranking. This would have been advantageous and expected as discussed above, as this would allow the modified system to ensure that the requestor of the information would receive results for the particular query as well other devices/systems as required/desired.
Regarding Claim 11:
Gopinathapai (as modified by Ferrara & Ueno) teaches on the invention of Claim 10 as described.
Gopinathapai teaches wherein the computer is further configured by the executable program to: monitor whether a current date and time exceed a date and time defined by a schedule for selecting the successor, ([0040] In FIG. 2, at step 202, the role discoverer 102 may retrieve access right data from the data store 104. Such retrieval may be triggered by user input received from an operator of the role discoverer 102 ( e.g., an IT administrator), by an instruction received from another computing device, or by the expiration of a time period. In other words, the role discoverer 102 may retrieve access right data in response to receipt of a request (e.g., from an operator or other computing device) and/or automatically ( e.g., a regular or irregular intervals).
wherein when the current date and time exceed the date and time defined by the schedule for selecting the successor, execute an action on the user, and select the selected user as the successor based on the result of the ranking acquired by the ranking acquisition unit for the selected user being highest. ([0068] The similarity evaluation may thus be used to determine which users and, in turn, how many users of the computing system may be eligible to be assigned to a role corresponding to a particular candidate bundle of permissions if defined as a role. The role discoverer may also apply a minimum similarity constraint to determine whether a user would be eligible to be assigned a role. The minimum similarity constraint may indicate a threshold similarity x or x % (e.g., 0.8 or 80%) between a candidate permission bundle and a user's currently assigned set of permissions in order for that user to be eligible to be assigned to a role corresponding to that bundle of permissions.)
Conclusion & Contact Information
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RACHEL J HACKENBERG whose telephone number is (571)272-5417. The examiner can normally be reached 9am-5pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached at (571)272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RACHEL J HACKENBERG/Primary Examiner, Art Unit 2454