Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefore, subject to the conditions and requirements of this title.
1. Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The independent claims describe an access control concept: determining when a user needs access they currently lack, evaluating the urgency of that need, obtaining approval from an authorizing agent, and granting temporary access. This is a fundamental organizational practice – managing permissions and approvals – applied in a particular technological environment. A careful review of the specification does not help because it characterizes the technical problem as organizational agility and business process limitations and also frames the invention as solving organizational efficiency and business process problems not technical/computer security functionality (see as-filed para 0003, 0033, 0035 – 0037) which directly supports an abstract idea characterization.
The Examiner further asserts Applicant does not have other limitations in the claim that are more than known in the art ways of using generic technology to apply the abstract ideas – accordingly, the claim is not statutory. The Examiner’s analysis for representative claim 1 is as follows.
PNG
media_image1.png
538
914
media_image1.png
Greyscale
(Pertaining to claim 1) A computer-implemented method for dynamically controlling access to confidential data, the method comprising:
using a number of processors to perform: [generic technology [generic technology component executing abstract steps]
receiving input of a user security profile that specifies data access privileges for a user; [method of organizing human activity – data management, credential handling]
analyzing, through natural language processing, a number of documented communications among authorized personnel regarding work related to the confidential data; [mental process – observation, evaluation, judgement; NLP limitation is result-oriented functional language that describes what is done but now how it is technically accomplished]
identifying, from the analysis of the documented communications, a task for the user that requires access privileges to the confidential data that the user security profile does not authorize; [mental process – evaluation, judgement, opinion]
calculating, from the analysis of the documented communications, an urgency score for the task; [mathematical concept – calculation; mental process - evaluation]
responsive to a determination that the urgency score exceeds a specified threshold, [mathematical concept – comparison operation]
automatically [generic computer automation] initiating an access control workflow that is routed to an authorizing agent; and [method of organizing human activity – managing approval processes]
receiving, from the authorizing agent, authorization in near real-time, [method of organizing human activity – receiving approval; near real-time is purely functional language/desired outcome without technical specificity regarding how near-real-time performance is achieved]
wherein the user security profile is updated to allow access to the confidential data for a specified duration. [method of organizing human activity – permission management; and generic technology implementation of data manipulation]
STEP 1: YES.
STEP 2A Prong One: YES, a mental process and mathematical concepts. The abstract idea are limitations (ii) – (ix).
STEP 2A Prong Two: No
STEP 2B: NO
When viewed either as individual limitations or as an ordered combination, the claim as a whole lacks any element that: improves computer functionality, provides unconventional technical solution, provide algorithmic detail for NLP or scoring; or contains specific implementation details beyond the generic technology application to the abstract ideas.
Conclusion:
There are no meaningful limitations in the claim that transform the exception into a patent-eligible application, such that the claim does not amount to significantly more than the exception itself,
the claim is not patent-eligible (Step 2B: NO) and should be rejected under 35 U.S.C. 101.
A similar analysis is relied upon for claims 8 and 15. Any amendment to the claim should be commensurate with its corresponding disclosure.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1 – 3, 6 – 10, 13 – 17 and 19 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Price (US Pub. No. 2022/0321570 A1) in view of Chen (US Pub. No. 2025/0202899 A1).
Per claim 1, Price (US Pub. No. 2022/0321570 A1) is relied upon to teach a computer-implemented method for dynamically (reads on modify the privileges for a recipient, if the current privileges are insufficient, see Price Figure 2 blocks 250 and 260) controlling access to (reads on modifying privileges for the content, see Price Abstract) confidential data (reads on the shared content that requires access control, see Price Figure 2 block 220, Abstract and para 0016), the method comprising: using a number of processors to perform (see Price Figure 3 block 302 and para 0057 – 0060): receiving input (reads on obtaining the existing privileges for the recipients, see Price para 0023) of a user security profile (reads on existing privileges for each of the recipients, see Price para 0023 and 0041 – 0043 and Figure 2 block 230) that specifies data access privileges for a user (reads on existing privileges for each of the recipients, see Price para 0023); analyzing (reads on analyzing the communication, see Price Abstract), through natural language processing (reads on using natural language processing, see Price Abstract), a number of documented communications (reads on receiving electronic messages, see Price Abstract and para 0036 and 0062) among authorized personnel (reads on the recipients of the electronic communication, see Price Figure 2 block 230, Abstract and para 0036) regarding work related to (reads on specific content actions that may be restricted based on privileges assigned to the users, see Price para 0016) the confidential data (reads on the shared content that requires access control, see Price Figure 2 block 220, Abstract and para 0016); identifying (reads on using natural language processing to determine requested actions with regard to the shared content, see Price Abstract, para 0041 and Figure 2), from the analysis of the documented communications (reads on the electronic messages are analyzed using NLP to identify actions requested of the recipients with regards to the shared content, see Price Abstract, para 0041 and Figure 2), a task for (reads on actions requested of the recipients with regards to the shared content, see Price Abstract, para 0041 and Figure 2) the user (reads on each of the recipients, see Price Abstract, para 0041 and Figure 2) that requires access privileges (reads on the privileges required to perform the requested actions, see Price para 0041 – 0043) to the confidential data (reads on the shared content that requires access control, see Price Figure 2 block 220, Abstract and para 0016) that the user security profile (reads on existing privileges for each of the recipients, see Price para 0023 and 0041 – 0043 and Figure 2 block 230) does not authorize (reads on the existing privileges are not sufficient for the recipient to complete the requested actions, see Price Figure 2 block 230 – 260 and para 0041 – 0043); calculating (The Examiner asserts in the context of a requested action identifying a time limitation such as “Please handle this week” and determining a corresponding end time at least implicitly quantifies/determines/calculates urgency because a task/action requiring completion “this week” has higher urgency than one requiring completion “next month”. The Examiner further asserts one of ordinary skill in the art would consider it obvious that tasks/actions with strict deadlines to have higher urgency scores than those that can wait. The at least Implicit time-to-deadline is the calculated urgency score/metric, see Price para 0030), from the analysis of the documented communications (reads on the electronic messages are analyzed using NLP to identify actions requested of the recipients with regards to the shared content, see Price Abstract, para 0041 and Figure 2), an urgency score for the task (The Examiner asserts in the context of a requested action identifying a time limitation such as “Please handle this week” and determining a corresponding end time at least implicitly quantifies/determines/calculates urgency because a task/action requiring completion “this week” has higher urgency than one requiring completion “next month”. The Examiner further asserts one of ordinary skill in the art would consider it obvious that tasks/actions with strict deadlines to have higher urgency scores than those that can wait. The at least implicit time-to-deadline is the calculated urgency score/metric, see Price para 0030); responsive to (reads on automatically initiating an access control workflow by determining start/end times and modifying privileges by sending an instruction to the content management service or the owner of the content, see Price para 0030 – 0031 and 0043) a determination that the urgency score exceeds a specified threshold (The Examiner construes “please handle this week” as urgency requiring time-bounded access. The Examiner further construes this urgency requiring time-bounded access to be the same as the specified threshold, see Price para 0030), automatically initiating an access control workflow that is routed to (read on automatically modifying privileges by sending an instruction to the content management service or the owner of the content, see Price para 0030 – 0031 and 0043) an authorizing agent (reads on the content management service or the owner of the content, see Price para 0030 – 0031 and 0043); and receiving (reads on the content management service or owner of the content performs one or more operations to modify privileges after, or in parallel with, communication of the message, see Price para 0012, 0021, 0028, 0029, 0031 and 0043), from the authorizing agent (reads on the content management service or owner of the content, see Price para 0012, 0021, 0028, 0029, 0031 and 0043), authorization in near real-time (reads on the privileges are modified immediately after determining the existing privileges are not sufficient, see Price Figure 2 blocks 250 and 260 which at least imply any time period that meets the needs of the business to perform the workflow operations), wherein the user security profile (reads on existing privileges for each of the recipients, see Price para 0023 and 0041 – 0043 and Figure 2 block 230) is updated to allow access (reads on privileges are modified to allow the requested actions, see Price Figure 2, Abstract and para 0021, 0029 – 0031 and 0043) to the confidential data (reads on the shared content that requires access control, see Price Figure 2 block 220, Abstract and para 0016) for a specified duration (reads on for a time limitation corresponding to starting time for the modified privileges and/or an end time for the modified privilege, see Price para 0030 – 0031). The prior art of record is silent on explicitly stating calculating an urgency score for the task; and the urgency score exceeds a specified threshold.
[Abstract]
Shared content privilege modification is provided. An electronic message is identified containing an address for accessing shared content, where the message is for communication to a set of recipients. Existing privileges are determined for the shared content for each recipient in the set of recipients. A requested action regarding the shared content is determined by analyzing the communication using natural language processing. Privileges for the shared content are modified for at least one recipient based on the existing privileges for the at least one recipient being insufficient to perform the requested action.
[0016] As used herein, shared content may be any electronic content that can be accessed via one or more networks by different users. Shared content includes, but is not limited to, documents, spreadsheets, videos, and images. Users may be able to read, download, modify, delete, replace with a new version, reshare, etc., the shared content depending on the shared content management service. Further, the shared content management service may restrict the ability of specific users or groups to perform these actions based on privileges assigned to the users or groups. Specific privileges may provide the ability to perform one or more actions with regards to shared content.
[0021] In some embodiments, the system may intercept the message. As used herein, intercepting the message includes preventing the message from being communicated while one or more actions are performed. For example, when a user clicks the “send” button to send an email, the email client may stop the email from being sent while the system determines whether user privileges should be modified based on the email. In some embodiments, the system does not intercept the message and performs one or more of the operations to modify privileges after, or in parallel with, communication of the message (i.e., the message is communicated as normal while the system determines whether user privileges should be modified).
[0023] After the system determines that the message contains an address for accessing shared content, the system may determine the existing privileges for the recipients of the message. The system may obtain the existing privileges for each of the recipients from the shared content management service. In some embodiments, the system may use browser access to obtain data from the shared content management service over the web. In some embodiments, the system requests privileges for each user using an application programming interface (API).
[0028] The system may modify the privileges if they are not sufficient to perform the requested action. The system may be configured to modify the privileges using an API. In some embodiments, the system may notify the sender when the privileges are insufficient and prompt the user to approve modifying the privileges before performing the modification.
[0029] If the sender does not have permission to modify the privileges for the shared content, the system may be configured to request permission from a user that is able to give access. In some embodiments, the system may identify one or more owners of the shared content and request permission to modify the privileges. For example, the system may identify an owner from a user list and prompt the owner to approve or disapprove the privilege modification. In some embodiments, the system may request a privilege modification from the shared content management service and the shared content management service may contact one or more owners to approve the privilege modification.
[0030] In some embodiments, the system may further identify time limitations with respect to the requested actions. The time limitation may correspond to a starting time for the modified privileges and/or an end time for the modified privileges. For example, the message could contain a statement such as “Please handle this week” or “Don't share this before Tuesday.” When the system identifies a time limitation corresponding to the requested action, the system may determine a corresponding start time and/or end time for the change in privileges for the shared content. In some embodiments, the system may simply use the period of time identified in the message. In some embodiments, the period of time identified in the message may be changed by a predetermined amount. For example, if the message requests that participants edit a shared document by Tuesday, the system may be configured to have the period of time to expire on Wednesday.
[0031] In some embodiments, the system may send an instruction to the shared content management service to modify the privileges at the start time and revert the privileges back to the existing privileges at the end time. For example, the system may instruct the shared content management service to modify the privileges at a specified time and include an expiration for the modified privileges. In some embodiments, the system may schedule a time for the system to modify the privileges. For example, the system may schedule a start time when the system will modify privileges through an API and the system may schedule an end time when the system will revert the privileges back to the existing privileges through the API.
[0032] In some embodiments, when a user attempts to perform an action that requires the modified privileges after the modification of privileges have expired, a request may be communicated to the sender to approve another modification of the privileges. For example, an initial email from the sender may request that the recipients provide their edits on a shared document by Tuesday. The system may modify the privileges to allow for editing and have the privileges expire on Tuesday. A recipient that tries to edit the document on Wednesday may initiate a request to the sender to modify the privileges to allow editing for the recipient.
[0033] In some embodiments, the predetermined amount for changing the period of time identified in a message may be determined using machine learning. The system may store historical information relating to the privilege modification, requests for modified privileges after the privileges have expired, and the results of the request. Based on this information, the system may determine appropriate changes to the period of time identified in the message. For example, if a sender consistently receives requests for modified privileges after the modification of privileges has expired and the sender consistently approves the requests, the system may learn to automatically approve an extension of the period of time. In some embodiments, the system may learn to modify the amount of the extension of the period of time based on the type of shared content and/or the recipients.
[0036] System 100 includes a receiving module 110, a privilege determining module 120, a requested action identifying module 130, a privilege modification module 140, an expiration request module 150, and a machine learning module 160. Receiving module 110 may receive an electronic communication containing an address for shared content. Privilege determining module 120 may determine existing privileges with regards to the shared content for the recipients of the electronic communication. Requested action identifying module 130 may identify requested actions in the electronic communication with regards to the shared content. Privilege modification module 140 may modify privileges for recipients when the existing privileges are insufficient to perform the requested actions. Expiration request module 150 may handle requests for privilege modification when a recipient attempts an action after expiration of their modified privileges. Machine learning module 160 may perform machine learning on historical expiration requests to determine appropriate expiration times for modified privileges.
[0041] At operation 240, the electronic message may be analyzed to determine requested actions with regards to the shared content. The electronic message may be analyzed using NLP to identify actions requested of the recipients. In some embodiments, when an action requested of the recipient is not identified, it is assumed that the recipients still need read access. In some embodiments, the electronic message is not analyzed to identify a requested action. In these embodiments, the action requested of the recipient may preconfigured. For example, the system may be configured to determine that the recipients need read access for the shared content without analyzing the message to find a specific request to view the shared content.
[0042] At operation 250, it is determined whether the existing privileges for each recipient of the electronic message are sufficient for the recipient to perform the requested actions. If the existing privileges are sufficient for each of the recipients, the electronic message may be communicated at operation 270.
[0043] If the existing privileges are not sufficient for one or more recipients of the message at operation 250, the privileges for the one or more recipients may be modified at operation 260. In some embodiments, the privileges may be directly modified. In other embodiments, a request may be made to the shared content management service or an owner of the shared content to modify the privileges. After, the privileges are modified, the electronic message may be communicated at operation 270.
[0053] The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
[0057] Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
[0062] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the various embodiments. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. “Set of,” “group of,” “bunch of,” etc. are intended to include one or more. It will be further understood that the terms “includes” and/or “including,” when used in this specification, specify the presence of the stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. In the previous detailed description of exemplary embodiments of the various embodiments, reference was made to the accompanying drawings (where like numbers represent like elements), which form a part hereof, and in which is shown by way of illustration specific exemplary embodiments in which the various embodiments may be practiced. These embodiments were described in sufficient detail to enable those skilled in the art to practice the embodiments, but other embodiments may be used and logical, mechanical, electrical, and other changes may be made without departing from the scope of the various embodiments. In the previous description, numerous specific details were set forth to provide a thorough understanding the various embodiments. But, the various embodiments may be practiced without these specific details. In other instances, well-known circuits, structures, and techniques have not been shown in detail in order not to obscure embodiments.
PNG
media_image2.png
1063
636
media_image2.png
Greyscale
Chen (US Pub. No. 2025/0202899 A1) is relied upon to teach
calculating an urgency score (reads on a numerical criticality level is determined based on the combination of processing history and risk scores, see Chen para 0002, 0029, 0037 – 0040 and 0044) for the task (reads on the user access request, see Chen para 0002, 0029, 0037 – 0040 and 0044); and the urgency score exceeds a specified threshold (reads on when the criticality level is greater than a lower criticality level processing to grant user access occurs, see Chen para 0002, 0029, 0037 – 0040, 0044 and 0096).
[0002] In part, in one aspect, the present disclosure provides a system for managing a user access request, the system including an access criticality module to determine information associated with a user access request; an access criticality evaluation computation engine to determine a risk score associated with the user access request based on the determined information and to assign a criticality level to the user access request based on the determined risk score; an automation and prioritization integrator to determine, based on the assigned criticality level, automatic or manual processing of the user access request; and an access management module to automatically or manually process the user access request based on the determination of the automation and prioritization integrator.
[0029] Altogether, the solution disclosed herein provides a user access rights management system that combines an automation and prioritization approach with continuous, or on-demand, user access revalidating requests. The disclosed user access rights management system may be utilized by any business entity to accurately manage a large number of user access requests, or revalidating requests, despite having relatively few reviewers, and further despite changes in several contributing factors. In short, the solution disclosed herein may first utilize an access criticality module and an access criticality evaluation computation engine. The access criticality module may determine an entitlement risk score, a user risk score, and a dynamic risk score, which may be referred to herein as an overall risk score and which is a combination of the entitlement risk score and the user risk score, of at least one user access request, or revalidating request. The access criticality evaluation computation engine may combine each of the entitlement risk score, the user risk score, and the dynamic risk score. The solution may further assign a criticality level to the at least one user access request, or revalidating request, based on the combined risk scores, and send information relating to the criticality level to at least one repository. An automation and prioritization integrator may then determine, based on the assigned criticality level, if the at least one user access request, or revalidating request, is to be automatically or manually processed (e.g., automatically or manually granted or denied). Finally, upon processing, user access may be granted or denied to a user associated with the at least one user access request, or revalidating request. Additional details and features relating to the solution disclosed herein are described in greater detail below.
[0037] In at least one aspect, after the access criticality evaluation computation engine 104 computes an entitlement risk score, a user risk score, and a dynamic risk score by way of the entitlement risk scorer 104a, the user risk scorer 104b, and the dynamic risk scorer 104c, respectively, the user access rights management system 100 may assign a criticality level to the user access request, or revalidating request. In at least one aspect, the criticality level may be at least one of a first criticality level or a second criticality level that is greater than the first criticality level. In another aspect, the criticality level may be at least one of a first criticality level, such as a “low” criticality level, a second criticality level, such as a “medium” criticality level, that is greater than the first criticality level, a third criticality level, such as a “high” criticality level, that is greater than the second criticality level, or a fourth criticality level, such as a “critical” criticality level, that is greater than the third criticality level. In yet another aspect, the criticality level may be any one of an infinite number of criticality levels, where each criticality level may correspond to a numerical value. The example number of criticality levels, as disclosed above, is not so limiting. In all aspects, the criticality level is assigned based on at least a combination of the entitlement risk score, the user risk score, and the dynamic risk score as computed by the access criticality evaluation computation engine 104.
[0038] After assigning a criticality level to the user access request, or revalidating request, the user access rights management system 100 stores the assigned criticality level in at least one repository 106a, which is included in the repository and automation policy module 106. The at least one repository 106a may further store additional users' user access request, or revalidating request, criticality levels. The at least one repository 106a may further store a processing history, including previously-granted, or previously-denied, user access requests, or revalidating requests, as well as the previously-granted, or previously-denied, user access requests', or revalidating requests', timestamps, for all users of any such business entity.
[0039] The repository and automation policy module 106 further includes automation policy 106b, which may define how automation and prioritization decisions should be made based on the assigned criticality level, as well as a processing history, associated with a user corresponding to a user access request, or revalidating request. A series of non-limiting examples is provided below with regard to at least one aspect where the user access rights management system 100 includes two criticality levels, such as first and a second criticality levels as disclosed above. Additionally, a series of non-limiting examples is provided below with regard to another aspect where the user access rights management system 100 includes four criticality levels, such as “low,” “medium,” “high,” and “critical” criticality levels as detailed above.
[0040] A first non-limiting example of an automation policy 106b including two criticality levels illustrates that a user access request, or revalidating request, that is assigned the second criticality level must always require manual review and processing. A second non-limiting example illustrates that a user access request, or revalidating request, that is assigned the first criticality level may be automatically reviewed and processed. However, this may further depend on each of, or a combination of, the criticality level and the processing history of the user access request, or revalidating request. For example, a user access request, or revalidating request, may not be automatically processed if it has not been manually reviewed and processed at least once in the past. A third non-limiting example illustrates that a user access request, or revalidating request, that is assigned the first criticality level may require frequent manual review and processing. The frequency of required manual review and processing may be determined by each of, or a combination of, the criticality level and the processing history of the user access request, or revalidating request.
[0044] In at least one aspect, the automation and prioritization integrator 108 may determine, based on information received from the repository and automation policy module 106, whether a user access request, or revalidating request, should be manually processed or automatically processed. Furthermore, for a user access request, or revalidating request, that is determined to require manual review and processing, the automation and prioritization integrator 108 may generate prioritization based on each of, or a combination of, a criticality level and a processing history corresponding to the user access request, or revalidating request. For example, in at least one aspect, a user access request, or revalidating request, having a high criticality level may be prioritized over another user access request, or revalidating request, having a low criticality level. In another aspect, a user access request, or revalidating request, having no processing history may be prioritized over another user access request, or revalidating request, that has been processed at least once previously. In yet another aspect, a user access request, or revalidating request, having a high criticality level and no processing history may be prioritized over another user access request, or revalidating request, having a low criticality level and which has been processed at least once previously. It should be noted that other combinations of a criticality level and a processing history are possible, though not all possible combinations are disclosed herein. As such, the examples disclosed above are not so limiting.
[0096] Clause 19: The computer-implemented method according to any of Clauses 15-18, further comprising: prioritizing each user access request of the second set of requests based on at least one of the criticality level or a process history associated with each user access request, wherein processing each user access request of the second set of requests by an access management system based on an external input received by the access management system is further based on the prioritization of each user access request.
[0097] Clause 20: The computer-implemented method according to any of Clauses 15-19, further comprising storing each user access request in a processing history repository based on each user access request being processed.
[0098] The foregoing detailed description has set forth various forms of the systems and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, and/or examples can be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. Those skilled in the art will recognize that some aspects of the forms disclosed herein, in whole or in part, can be equivalently implemented in integrated circuits, as one or more computer programs running on one or more computers (e.g., as one or more programs running on one or more computer systems), as one or more programs running on one or more processors (e.g., as one or more programs running on one or more microprocessors), as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and or firmware would be well within the skill of one of skill in the art in light of this disclosure. In addition, those skilled in the art will appreciate that the mechanisms of the subject matter described herein are capable of being distributed as one or more program products in a variety of forms, and that an illustrative form of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution.
Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the authorization decision teachings of the prior art of record (see Price para 0041 – 0043) by integrating the authorization context decision teachings of Chen (see Chen para 0002, 0029, 0037 – 0040, 0044 and 0096) to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known dynamic, context-aware, continuously reassessed and automatically triggered authorization teachings of Chen would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the ability to have authorizations be dynamic and continuously responsive to risk context to the adjusting of privilege/access teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such dynamic adjustment features into similar systems, resulting in an improved system that uses all available known in the art techniques to improve and tailor access to sensitive/confidential documents when user requirements or authorization status changes. The motivation to combine the references is applied to all claims below this heading.
Per claim 2, the prior art of record further suggests wherein identifying the task (reads on identifying an action requested in a message, see Price para 0026) is based on historical permission access granted (reads on processing history associated with a user corresponding to a user access request, see Chen para 0037 – 0040, 0044 and 0096) in similar contexts (reads on comparing the current request context against historical context of other members to determine if a request is an outlier, see Chen para 0034), subject to specified permission policies (reads on an automation policy which defines how automation and prioritization decisions should be made, see Chen para 0039) and parameters (reads on criticality levels, see Chen para 0040).
Per claim 3, the prior art of record further suggests wherein the user security profile (reads on existing privileges for each of the recipients, see Price para 0023 and 0041 – 0043 and Figure 2 block 230) comprises a security score (reads on the nature of the user’s identity impacts an associated risk score, see Chen para 0033) based on education (The Examiner asserts new user and pre-existing user are at least an implicit measures of a user’s education with regard to the organization, see Chen para 0034) and experience (The Examiner asserts new user and pre-existing user are direct measures of a user’s experience within the organization, see Chen para 0034), and wherein the authorization is subject to the security score meeting a specified threshold for the task (reads on a criticality level/score which may be at least one of a first/second criticality level and a gating logic where the user access request that is assigned the second criticality level must always require manual review, see Chen para 0037 and 0040).
Per claim 6, the prior art of record further suggests comprising generating a temporary access pause workflow based on natural language processing of new documented communications indicating the user will temporarily not need access to the confidential data due to an assignment change or calendar event (reads on the system determining from the content of a message to modify the privileges of a document between a specific start and end date and reverting the privileges back after the end date, see Price para 0030 – 0031 and 0052).
Per claim 7, the prior art of record further suggests generating a deprovision workflow (reads on revert the privileges back to the existing privileges at the end time of modified privileges indicated in the message, see Price para 0030 – 0031) based on natural language processing (reads on using natural language processing, see Price Abstract) of new documented communications indicating the task has been completed and the user no longer requires access to the confidential data (The Examiner construes this to be an obvious limitation of the teachings of Price that teach modifying privileges based on content of email communication. The art has explicit future time examples but one of ordinary skill in the art is also one of ordinary creativity and would consider it obvious to send an email communication indicating the specific project is over to give status to team members and in doing so, the system would perform the same function it currently performs of modifying privileges when it is determined those are no longer needed for a completed project, see Price para 0030 – 0031).
Claim 8 the system is analyzed with respect to claim 1. The prior art of record further suggests a storage device that stores program instructions (see Chen para 0075 – 0076); one or more processors operably connected to the storage device and configured to execute the program instructions (see Chen para 0075).
Claim 9 is analyzed with respect to claim 2.
Claim 10 is analyzed with respect to claim 3.
Claim 13 is analyzed with respect to claim 6.
Claim 14 is analyzed with respect to claim 7.
Claim 15 the computer program product is analyzed with respect to claim 8.
Claim 16 is analyzed with respect to claim 9.
Claim 17 is analyzed with respect to claim 10.
Claim 19 is analyzed with respect to claim 13.
Claim 20 is analyzed with respect to claim 14.
Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Price in view of Chen in view of Duffie (US Pub. No. 2009/0077636 A1).
Per claim 4, the prior art of record further suggests responsive to a determination that the security score does not meet the specified threshold for the task (reads on if a request hits a certain criticality threshold it must always require manual review, see Chen para 0040, 0048): maintaining the authorization in a pending state (reads on the necessary neither approved nor immediately denied state of waiting for the manual review, see Chen para 0040 and 0048); wherein the security score meets the specified threshold for the task (reads on continuous updates to determine an updated risk score and process the user access request automatically based on a change between the updated criticality level and the previous criticality level, see Chen para 0049). The prior art of record is silent on explicitly stating providing access to the user to resources for required education; and completing the authorization upon completion of required education by the user.
Duffie (US Pub. No. 2009/0077636 A1) is relied upon to teach
providing access to the user to resources for required education (reads on users can be required to complete education assignments prior to being granted access, see Duffie para 0009 – 0010); and completing the authorization upon completion of required education by the user (reads on caching pending requests and subsequently granting access upon successful completion of educational assignments, see Duffie para 0009 – 0010 and 0026 – 0027).
Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the authorization teachings of the prior art of record (see Price para 0041 – 0043and Chen para 0002, 0029, 0037 – 0040, 0044 and 0096) by integrating the education requirement authorization teachings of Duffie (see Duffie para 0009 – 0010) to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known educational requirement technique of Duffie would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the ability to dynamically adjust access privileges based on a user’s education to the adjusting of privilege/access teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such dynamic access adjustment features into similar systems, resulting in an improved system that uses all available known in the art techniques to improve and tailor access to sensitive/confidential documents when user requirements or authorization status changes. The motivation to combine the references is applied to all claims below this heading.
Claim 11 is analyzed with respect to claim 4.
Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Price in view of Chen in view of Davis (US Pub. No. 2014/0047234 A1).
Per claim 5, the prior art of record further suggests authorization. The prior art of record does not explicitly state dynamically obfuscates subsets of the confidential data according to exfiltration risk scores associated with different locations of access.
Davis (US Pub. No. 2014/0047234 A1) is relied upon to teach
dynamically obfuscates (reads on each time a user attempts access the system evaluates the current location and selects the appropriate redacted version, see Davis para 0016, 0023, 0036, 0052) subsets of the confidential data (reads on different portions of the information in the original document, see Davis para 0036) according to exfiltration risk scores (reads on risk scores calculated based on location to determine access permissions, see Davis para 0003, 0006 and 0053 – 0057) associated with different locations of access (reads on each redacted document having a level of redaction corresponding to a viewing location, see Davis para 0010 and 0057).
Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the authorization teachings of the prior art of record (see Price para 0041 – 0043) by integrating the location authorization teachings of Davis (see Davis para 0003, 0006, 0016, 0036 and 0053 – 0057) to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known technique of Davis would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the ability to dynamically adjust document access based on the user’s location to the privilege/access teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such access privilege features into similar systems, resulting in an improved system that uses all available known in the art techniques to improve and tailor access to sensitive/confidential documents when user requirements or authorization status changes. The motivation to combine the references is applied to all claims below this heading.
Claim 12 is analyzed with respect to claim 5.
Claim 18 is analyzed with respect to claim 12.
Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191. The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRIAN F SHAW/
Primary Examiner, Art Unit 2432