DETAILED ACTION
Claims 1-20 are pending in this action.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-7, 11-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ankrom et al. (US PGPUB No. 2024/0126922) [hereinafter “Ankrom”] in view of Yaghoobi et al. (US PGPUB No. 2021/0303714) [hereinafter “Yaghoobi”].
As per claim 1, Ankrom teaches a system comprising: one or more memories; and at least one processor coupled to at least one of the one or more memories and configured to perform operations comprising: receiving an access request from a user, the access request specifying one or more computing resources to be accessed by the user ([0025], request from vetted entity, i.e. “the requesting user”); retrieving a user profile associated with the user ([0023], retrieving scope definition of role of vetted entity to determine access rights to user information – vetted entity identity can be entered via user input see [0024]); identifying a policy document specifying one or more user rights policies for the one or more computing resources ([0023], scope definition for access rights and duration for particular roles and particular vetted entities defined by user see [0024]); and determining, using a machine learning model ([0051], system can be implemented using Oracle’s artificial intelligence platform) whether to grant or deny the access request based on the user profile and the policy document ([0023], scope definition used to determine whether to grant or deny access request by vetted entity).
Ankrom does not explicitly teach a policy document that includes natural language text and the machine learning model configured to dynamically infer access permissions based on the user profile and the policy document, whether to grant or deny an access request, wherein the machine learning model is trained using historical access logs including outcomes and corresponding policy document text. Yaghoobi teaches a policy document that includes natural language text ([0041], policy document can be unstructured with natural language information) and the machine learning model configured to dynamically infer access permissions based on the user profile and the policy document, whether to grant or deny an access request, wherein the machine learning model is trained using historical access logs including outcomes and corresponding policy document text ([0071], training ML model using access monitoring logs which includes processed natural language from policy document and event results).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Ankrom with the teachings of Yaghoobi, a policy document that includes natural language text and the machine learning model configured to dynamically infer access permissions based on the user profile and the policy document, whether to grant or deny an access request, wherein the machine learning model is trained using historical access logs including outcomes and corresponding policy document text, to implement and train access control for policy concerns composed in a common format but processed in another.
As per claim 2, the combination of Ankrom and Yaghoobi teaches the system of claim 1, wherein the at least one processor is configured to perform operations comprising: revising the policy document to generate an updated policy document (Ankrom; [0025], user is capable of changing the scope definition which is considered an update) also (Ankrom; [0029], vetted status of an entity can be changed by the secure information manager see [0011]); and determining, by the machine learning model (Ankrom; [0051], system can be implemented using Oracle’s artificial intelligence platform), whether to grant or deny the access request based on the updated policy document (Ankrom; [0023], scope definition used to determine whether to grant or deny access request by vetted entity).
As per claim 3, the combination of Ankrom and Yaghoobi teaches the system of claim 1, wherein the at least one processor is configured to perform operations comprising: determining a degree of accessibility of the user in response to a determination that the access request is granted (Ankrom; Abstract, scope of access will be limited when a particular entity is authenticated and granted access).
As per claim 4, the combination of Ankrom and Yaghoobi teaches the system of claim 1, wherein the at least one processor is configured to perform operations comprising: determining a duration of accessibility of the user in response to a determination that the access request is granted (Ankrom; Abstract and [0003], access granted is limited in time/duration based on particular vetted entity and its role).
As per claim 5, the combination of Ankrom and Yaghoobi teaches the system of claim 4, wherein the duration of the accessibility is configured based on at least one of a security level of the one or more computing resources (Examiner Note: to expedite prosecution, Examiner notes that this is an optional feature but could overcome the current rejection if included as a required feature), a role of the user (Ankrom; Abstract and [0011], role of a vetted entity changes scope), and a scope of a task that requires access to the one or more computing resources (Examiner Note: optional feature but a potential citation is provided to expedite prosecution) (Ankrom; [0017] and [0107], user status, which affects task to be performed on user, will influence access scope and duration).
As per claim 6, the combination of Ankrom and Yaghoobi teaches the system of claim 1, wherein the access request for the one or more computing resources is for completing a task, and the at least one processor is configured to perform operations comprising: determining that the task is completed (Ankrom; [0107], determining that a patient is no longer incapacitated or has been discharged from a hospital); and revoking the access request of the user to the one or more computing resources in response to the determination that the task is completed (Ankrom; [0107], termination of access when these scenarios change or no longer apply).
As per claim 7, the combination of Ankrom and Yaghoobi teaches the system of claim 1, wherein the user profile includes at least one of user credentials (Ankrom; [0003], vetted entity and associated credentials are authenticated to gain access to data), a history of access patterns of the user (Ankrom; [0028], history of access requests logged for a particular vetted entity for later scrutiny where timestamps are used to determine inconsistent patterns of access), a history of the user’s access to the one or more computing resources (Ankrom; [0027], logging vetted entity’s access requests for later audit and scrutiny), a task given to the user (Ankrom; [0017], vetted entity with provided services), a role of the user (Ankrom; [0023], role of the vetted entity), and an expertise of the user (Ankrom; [0017], services provided implies expertise).
As per claim 11, the substance of the claimed invention is identical or substantially similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.
As per claim 12, the substance of the claimed invention is identical or substantially similar to that of claim 2. Accordingly, this claim is rejected under the same rationale.
As per claim 13, the substance of the claimed invention is identical or substantially similar to that of claim 3. Accordingly, this claim is rejected under the same rationale.
As per claim 14, the substance of the claimed invention is identical or substantially similar to that of claim 4. Accordingly, this claim is rejected under the same rationale.
As per claim 15, the substance of the claimed invention is identical or substantially similar to that of claim 5. Accordingly, this claim is rejected under the same rationale.
As per claim 16, the substance of the claimed invention is identical or substantially similar to that of claim 6. Accordingly, this claim is rejected under the same rationale.
As per claim 17, the substance of the claimed invention is identical or substantially similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.
As per claim 20, the substance of the claimed invention is identical or substantially similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.
Claims 8, 10, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ankrom and Yaghoobi in view of Yu et al. (US PGPUB No. 2025/0209101) [hereinafter “Yu”].
As per claim 8, the combination of Ankrom and Yaghoobi teaches the system of claim 1.
The combination of Ankrom and Yaghoobi does not explicitly teach examining, using the machine learning model, access rights for a plurality of users based on the policy document. Yu teaches examining, using the machine learning model, access rights for a plurality of users based on the policy document ([0023], large language model examining user profile in the context of permission regulations).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Ankrom and Yaghoobi with the teachings of Yu, examining, using the machine learning model, access rights for a plurality of users based on the policy document, to take advantage of the collective power of a large language model in formulating the proper response to an access request by an end user.
As per claim 10, the combination of Ankrom and Yaghoobi teaches the system of claim 1.
The combination of Ankrom and Yaghoobi does not explicitly teach wherein the machine learning model includes a large language model (LLM). Yu teaches wherein the machine learning model includes a large language model (LLM) ([0023], large language model using user profile and permission regulations to formulate a response that can grant or deny access see [0008] and [0032] where access can be denied or moderated response can be given).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Ankrom and Yaghoobi with the teachings of Yu, wherein the machine learning model includes a large language model (LLM), to take advantage of the collective power of a large language model in formulating the proper response to an access request by an end user.
As per claim 18, the substance of the claimed invention is identical or substantially similar to that of claim 8. Accordingly, this claim is rejected under the same rationale.
As per claim 19, the substance of the claimed invention is identical or substantially similar to that of claim 10. Accordingly, this claim is rejected under the same rationale.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ankrom and Yaghoobi in view of Stauber et al. (US PGPUB No. 2024/0028310) [hereinafter “Stauber”].
As per claim 9, the combination of Ankrom and Yaghoobi teaches the system of claim 1.
The combination of Ankrom and Yaghoobi does not explicitly teach determining a validity of the policy document with respect to the one or more computing resources; and generating an alert in response to determining that the policy document is invalid. Stauber teaches determining a validity of the policy document with respect to the one or more computing resources; and generating an alert in response to determining that the policy document is invalid ([0041]-[0042], detecting improper access permissions and validating rules and generating alerts for the user requests see [0150]).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Ankrom and Yaghoobi with the teachings of Stauber, determining a validity of the policy document with respect to the one or more computing resources; and generating an alert in response to determining that the policy document is invalid, to ensure that the underlying rules and permissions do not conflict with each other or policies that could cause anomalies and cause performance issues.
Response to Arguments
Applicant’s arguments with respect to the rejection of claims 1-20 under 35 U.S.C. 102 and 103 have been fully considered. In light of the new amendments, a new prior art reference, Yaghoobi, has been introduced and cited.
To expedite prosecution, Examiner is open to conducting an after-final interview to discuss claim amendments to overcome the current rejection and/or place the application in condition for allowance.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Satake et al. (US PGPUB No. 2023/0129276), Chari et al. (US PGPUB No. 2016/0352778), Maichikov et al. (US PGPUB No. 2020/0349527), Lawal et al. ("Translating Natural Language Specifications into Access Control Policies by Leveraging Large Language Models," Washington, DC, USA, 2024, pp. 361-370, doi: 10.1109/TPS-ISA62245.2024.00048), Martin et al. ("Inferring access-control policy properties via machine learning," Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06), London, ON, Canada, 2006, pp. 4 pp.-238, doi: 10.1109/POLICY.2006.19) and Slankas ("Implementing database access control policy from unconstrained natural language text," 2013 35th International Conference on Software Engineering (ICSE), San Francisco, CA, USA, 2013, pp. 1357-1360, doi: 10.1109/ICSE.2013.6606716) all disclose various aspects of the claimed invention including validating user access rights with role and task filters using machine learning.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is (571)270-7179. The examiner can normally be reached Max Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PETER C SHAW/Primary Examiner, Art Unit 2493 February 16, 2026