Office Action Predictor
Last updated: April 15, 2026
Application No. 18/656,727

Intelligent Creation of Secure Roles for Role-Based Access Control

Final Rejection §103
Filed
May 07, 2024
Examiner
MIAN, MOHAMMAD YOU A
Art Unit
2457
Tech Center
2400 — Computer Networks
Assignee
Sap Se
OA Round
2 (Final)
66%
Grant Probability
Favorable
3-4
OA Rounds
3y 2m
To Grant
99%
With Interview

Examiner Intelligence

Grants 66% — above average
66%
Career Allow Rate
179 granted / 273 resolved
+7.6% vs TC avg
Strong +35% interview lift
Without
With
+35.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
23 currently pending
Career history
296
Total Applications
across all art units

Statute-Specific Performance

§101
6.0%
-34.0% vs TC avg
§103
57.6%
+17.6% vs TC avg
§102
9.9%
-30.1% vs TC avg
§112
16.1%
-23.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 273 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment This action is responsive to an amendment filed on 12/19/2025. Claims 1-3, 6, 8-10, 13, 15-17 and 20 have been amended. Claims 1-20 are pending for examination. Response to Arguments Applicant’s arguments, see Applicant Arguments/Remarks, filed on 12/19/2025, with respect to the rejection of the pending claims under 35 U.S.C. §103 have been fully considered. However, the current rejection relies on Cowan for the disputed limitation. Accordingly, applicant’s arguments are moot because they do not address the reference applied in the present rejection. See the newly crafted rejection, infra. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 8214398 (Cowan et al.) in view of US 2025/0291327 (Visoky et al.), and further in view of US 2025/0272314 (Melamed et al.). Regarding Claim 1, Cowan teaches a computer implemented method for creating a tailored access profile for improving security of an access control system ([C.2:L.26-38] a system having role based access controls. Roles can be created, managed, allocated to users, and removed as organizational needs dictate), comprising: extracting, by at least one computer processor, application access requirements for a role from a role description ([C.3:L.4-8] a role shell is selected for creation and profiled to create profile. A profile can describe the ability to access files and can also describe permission to do a complex set of operations, and may be specific to the enterprise. [C.3:L.37-53] Profile is created by starting with a default profile and refining the profile by …logging the access requests that role shell makes in a log. … profile is generated at least in part by having a user knowledgeable about the legitimate tasks a user having a role with which the profile is associated is and/or may be required to perform, … an administrator using a predetermined set of operations identified as being associated with the role, etc., and have such a user perform such tasks using role shell. Analyzer evaluates log and interacts with an administrator to determine an appropriate set of rules to cover the logged behavior. [C.4:L.18-22], the profile is created by observing authorized behavior and/or use associated with the role and generating one or more rules to ensure that such observed behavior and/or use are permitted); obtaining a first access profile and a second access profile from a data store ([C.4:L.37-41], determine which roles should be profiled. …a suggested list of common roles (e.g., basic user, junior administrator, super user) can be presented to an administrator for potential profiling. [C.5:L.30-40], profiles for roles are presented…an HR role, a helpdesk role); in response to obtaining the first access profile, generating a third access profile based on the application access requirements ([C.3:L.37-40] Profile is created in some embodiments by starting with a default profile and refining the profile by executing commands and logging the access requests that role shell makes in a log. [C.4:L.18-22] the profile is created and/or refined at least in part by observing authorized behavior and/or use associated with the role and generating one or more rules to ensure that such observed behavior and/or use are permitted. It would have been understood from Cowan that a refined [i.e. the claimed third profile] is generated based on an existing default or common profile [i.e., the claimed first profile]. Cowan expressly teaches beginning with a baseline profile and subsequently refining or modifying that profile to produce a more tailored set of access control), ...and, in response to obtaining the second access profile, generating a fourth access profile based on the second access profile ([C.5:L.19-36], the profile is updated if it is subsequently determined that additional functionality should be permitted (or denied) to a user associated with a role with which the profile is associated. For example, if a person working for the HR department were assigned a new function or task, such as performing helpdesk services, such as password resetting, in some embodiments the profile for the user's role would be updated to expressly allow access to the resources required to perform the new function or task. …features of multiple roles can be combined in assorted ways. …profiles for roles are presented …The first is an HR role that can add and delete user accounts, but not manipulate them. The second is a helpdesk role that can change user passwords and perform other helpdesk functions but cannot add or delete users. The third is a composition of the HR and helpdesk roles. Here, Cowan further teaches generating new profile [i.e., the claimed fourth profile] through composition of existing profile [i.e., the claimed second profile]); selecting an access profile of the first access profile, third access profile, or fourth access profile based on the application access requirements ([C.4:L.53-61], after a profile is created …it is determined whether the profile being generated is sufficient. …the profile is determined to be sufficient if the profile permits most to all of the activities that a user having the role is legitimately supposed to perform. …one way of verifying whether a profile is sufficient is to run role shell and perform assorted legitimate tasks, and then confirm that log is free of access violations attributable to role shell. … determined that the profile being generated is sufficient. As discussed above, Cowan teaches generating first, third and fourth profile. Cowan therefore discloses multiple instances in which a system creates or derives new profiles from pre-existing profiles. Since Cowan describes generation multiple profiles and determine whether the generated profile is sufficient, therefore under the broadest reasonable interpretation, Cowan is reasonably interpreted as teaching selection profile from among the first, third, or fourth profile as claimed); and tailoring the selected access profile based on feedback, thereby creating the tailored access profile ([C.5:L.19-27], the profile is updated if it is subsequently determined that additional functionality should be permitted (or denied) to a user associated with a role with which the profile is associated. … the profile for the user's role would be updated to expressly allow access to the resources required to perform the new function or task). Cowan does not explicitly teach, however, Visoky teaches …using a large language model; …generating a third access profile… generating a fourth access profile…using the large language model ([¶ 0058], an large language model (LLM)-based operational technology (OT) network security assistant may be utilized to help secure OT networks. Specifically, the LLM-based OT network security assistant may be configured to generate configuration files (“config” files) that can be used to configure industrial automation devices and OT network devices, policies (e.g., security policies). [¶ 0065] Based on the natural language request and the supplemental data/files, the LLM-based OT network security assistant may utilize the one or more LLM(s) to generate an output in response to the request. [¶¶ 0067-0068] the natural language request may be a request for security policies to be implemented in an OT network. the supplemental data/files may include an OT network topology, a component list, an industry, a process being performed or product being made, specifications, standards, regulations to follow, region/country, target production quantity, target operational parameters, goals, etc., or some combination thereof. In response, the LLM-based OT network security assistant may generate one or more security policies [i.e., access profile for security] to be deployed within the OT network based on the natural language request and/or the supplemental data/files. …the policies may be displayed via a GUI, which may provide a user with the option to select policies to implement. A policy is a set of one or more rules or procedures that govern access and use of an organization's OT assets. A policy may govern management of OT assets, access to such assets, security of such assets, operation of such assets, management of data used and/or generated by such assets, and the like. For example, a policy may define data usage, email/messaging protection policies, user identity and access management). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Visoky's one or more LLM(s) to generate security policies to the teachings of Cowan, because such incorporation would have resulted in an increased efficiency through task automation using Large Language Model (LLM). Cowan in view of Visoky do not explicitly teach, however, Melamed teaches generating an embedding …using a second large language model; obtaining for access profile in a data store based on the embedding ([¶ 0016], To produce a prospective list of content items for a user, embeddings can be used as proxies for raw data about users and content items. Embedding may refer to a concise or compressed numerical representation of information. An embedding may encode information associated with a user and/or a content item relative to an embedding space. Embeddings and embedding spaces can be generated by artificial intelligence (AI) models. [¶¶ 0018-0019], Embedding-based retrieval (EBR) is a method of searching for matching digital content, such as content items that match a user's current preferences and interests. Embedding-based retrieval involves converting data to embeddings and then using a similarity algorithm, such as nearest-neighbor search or cosine similarity, to identify embeddings that match one another in accordance with the applicable matching criteria or parameters. EBR can be used to search for, identify, and retrieve content item embeddings that most closely match user embeddings. For example, embeddings can be generated for users and content items, and then EBR can be used to identify, for each user, a prospective set of content items based on the respective content item embeddings. [¶ 0022], generate skill-centric user embeddings and skill-centric document embeddings, and perform matching and ranking based on the skill-centric embeddings. A large language model (LLM) is used to generate skill embeddings and the skill embeddings generated by the LLM are incorporated into the user and document embeddings in a way that optimizes the use of the LLM by reducing the number of calls that need to be made to the LLM). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Melamed's generation of embeddings to the combined teachings of Cowan and Visoky, because such incorporation would have provided ability to capture the nuanced context and semantic relationships between words and concepts, enabling more accurate understanding of language. Regarding Claim 2, Cowan in view of Melamed do not explicitly teach, however, Visoky teaches the computer implemented method of claim 1, wherein the first large language model and the second large language model are trained using a common training data set ([¶ 0087] …one or more LLMs are trained. …the one or more LLMs may be trained using training data that may include user data, digested OT network security logs, user-specific policies, user-specific guidelines, and so forth. …the one or more LLMs may be trained by a service provider that provides OT network security services to multiple users, collects data from those users in the provision of the OT network security services, and trains and/or retrains the one or more LLMs based on the collected data). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Visoky's training of LLM(s) to generate security policies to the combined teachings of Cowan and Melamed, because such incorporation would have resulted in leading to more robust and accurate predictions. Regarding Claim 3, Cowan in view of Visoky do not explicitly teach, however, Melamed teaches the computer implemented method of claim 1, wherein the first large language model is trained using a first training data set and the second large language model is trained using a second training data set, and the first training data set is different from the second training data set ([¶¶ 0044-0046], an LLM 132 is a general-purpose LLM that has been trained on a large corpus of data that might not be specific to any particular domain or application (e.g., the LLM 132 may be a general purpose and/or open source LLM that has not been specifically trained on data pertaining to a PSN). During the fine tuning process 170, model tuner 164 creates a set of training data. …Supervised learning is a method of training a machine learning model, such as an LLM, given input-output pairs). [Fig. 2, ¶ 0056] One or more Large language models 218, 220 can be implemented as components of LLMs 132, or as other types of large language models. LLMs 218, 220 can be implemented as the same LLM or as different LLMs, depending upon the requirements of a particular design or implementation of the skill-centric embedding and ranking system). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Melamed's teaching of training one or more Large language models to the combined teachings of Cowan and Visoky, because such incorporation would have provided ability to create a diverse suite of models for a wider range of tasks. Regarding Claim 4, Cowan teaches the computer implemented method of claim 1, wherein the tailoring comprises: receiving additional feedback, wherein the additional feedback specifies how to edit the selected access profile according to the application access requirements; and regenerating the selected access profile based on the additional feedback ([C.5:L.19-27], the profile is updated if it is subsequently determined that additional functionality should be permitted (or denied) to a user associated with a role with which the profile is associated. … the profile for the user's role would be updated to expressly allow access to the resources required to perform the new function or task). Regarding Claim 5, Cowan in view of Visoky do not explicitly teach, however, Melamed teaches the computer implemented method of claim 1, further comprising: generating an embedding corresponding to the selected access profile using the second large language model ([¶ 0040-0041], retrieve, from one or more searchable data stores (e.g., skill data store, user data store, content data store) input data for embedding generator component, from which embeddings may be created. The embedding generator may interact with one or more large language models (LLMs) to produce one or more embeddings); and storing the embedding corresponding to the selected access profile in the data store ([¶ 0050] The embeddings produced by embedding generator may be stored in one or more embedding stores). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Melamed's generation of embeddings using large language model to the combined teachings of Cowan and Visoky, because such incorporation would have provided ability to capture the nuanced context and semantic relationships between words and concepts, enabling more accurate understanding of language. Regarding Claim 6, Cowan in view of Visoky do not explicitly teach, however, Melamed teaches the computer implemented method of claim 1, wherein the obtaining from the data store comprises: calculating a similarity value between the embedding corresponding to the application access requirements and a first embedding stored in the data store; retrieving the first embedding stored in the data store based on the similarity value being above a similarity threshold; determining the first access profile that corresponds to the retrieved first embedding; and returning the first access profile as a result of the obtaining ([¶ 0015-0016] Given a pair of entities, such as a user and a prospective content item, match as used herein can refer to a machine-determined predicted or estimated degree of relevance, similarity or compatibility between those entities that satisfies a threshold level of relevance, similarity or compatibility, where the threshold level of relevance, similarity or compatibility is variable based on the requirements of a particular design or implementation. …a matching threshold may be set to a higher value to identify users as prospective article contributors or to a lower value to match users with educational articles that address gaps in the users' skill sets. To produce a prospective list of content items for a user, embeddings can be used as proxies for raw data about users and content items. Embedding as used herein may refer to a concise or compressed numerical representation of information. An embedding may encode information associated with a user and/or a content item relative to an embedding space. Embeddings and embedding spaces can be generated by artificial intelligence (AI) models). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Melamed's teachings of predict or estimate degree of relevance, similarity or compatibility to the combined teachings of Cowan and Visoky, because such incorporation would have provided ability to find the similarity relevance, or compatibility. Regarding Claim 7, Cowan in view of Visoky do not explicitly teach, however, Melamed teaches the computer implemented method of claim 4, further comprising: generating a few-shot prompt based on the regenerated access profile; and storing the few-shot prompt in the data store ([¶ 0063], Prompt engineering is a technique used to optimize the structure and/or content of the prompt input to the generative model. Some prompts can include examples of outputs to be generated by the generative model (e.g., few-shot prompts), …the generative model performs the task described in the prompt using a series of steps and outputs reasoning as to each step performed.[¶ 0082], few-shot examples can include sample skill descriptions that have been obtained from one or more reference sources, such as user profiles, job postings, dictionaries, and/or other sources. Alternatively or in addition, few-shot examples can include skill descriptions that have been previously generated by the LLM that have resulted in high quality embeddings, as determined based on, e.g., historical engagement data). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Melamed's teachings of few-shot prompts to the combined teachings of Cowan and Visoky, because such incorporation would have reduced need for large datasets, allowing for high accuracy on new tasks with minimal data. Regarding Claim 8, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, Claim 8 is rejected under the same rationale as claim 1. Examiner further notes, Cowan also teaches a system comprising; one or more memories; at least one processor each coupled to at least one of the memories and configured to perform operations... [C.2:L.3-7] Regarding Claims 9-14, the claim limitations are identical and/or equivalent in scope to claims 2-7, therefore, Claims 9-14 are rejected under the same rationale as claims 2-7. Regarding Claim 15, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, Claim 15 is rejected under the same rationale as claim 1. Examiner further notes, Cowan also teaches a non-transitory computer-readable medium having instructions stored thereon that, when executed... [C.1:L.65-67] Regarding Claims 16-20, the claim limitations are identical and/or equivalent in scope to claims 2-6, therefore, Claims 16-20 are rejected under the same rationale as claims 2-6. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD YOUSUF A MIAN whose telephone number is (571)272-9206. The examiner can normally be reached Monday-Friday 9am-5:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached at 571-272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000 /MOHAMMAD YOUSUF A. MIAN/ Examiner, Art Unit 2457 /ARIO ETIENNE/ Supervisory Patent Examiner, Art Unit 2457
Read full office action

Prosecution Timeline

May 07, 2024
Application Filed
Sep 25, 2025
Non-Final Rejection — §103
Dec 19, 2025
Response Filed
Mar 31, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598236
OWNER CONTROLLED AND INCENTIVISED SMARTPHONE PLATFORM BASED ON MICROSERVICES
2y 5m to grant Granted Apr 07, 2026
Patent 12587550
DETECTING COMPROMISED CLOUD USERS
2y 5m to grant Granted Mar 24, 2026
Patent 12574281
SECURE MANAGEMENT OF ACCESS TO HOST DEVICE REMOTE MANAGEMENT FUNCTIONALITY
2y 5m to grant Granted Mar 10, 2026
Patent 12568280
IMAGE PROCESSING APPARATUS AND METHOD FOR POSTING SCANNED DOCUMENT DATA TO CHAT THREADS
2y 5m to grant Granted Mar 03, 2026
Patent 12550228
Systems and Methods for Collaborative Edge Computing
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
66%
Grant Probability
99%
With Interview (+35.2%)
3y 2m
Median Time to Grant
Moderate
PTA Risk
Based on 273 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month