Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 18/806,934 is presented for examination by the examiner. Claims 2, 12, and 20 are canceled. Claims 1, 3, 11, 13, and 19 are amended. Claim 21 is added. Claims 1, 3-11, 13-19, and 21 are pending.
Claim Rejections - 35 USC § 101
The rejection under this statue is withdrawn.
Response to Arguments
Applicant’s arguments, filed 2/9/26, with respect to 35 USC §101 have been fully considered and are persuasive. The rejection of claims 1-20 has been withdrawn.
Applicant's arguments pertaining to the prior art rejections have been fully considered but they are not persuasive.
Applicant alleges the prior art does not explicitly teach generating an access request based on the differences of access levels or authorization tiers. Examiner respectfully disagrees. The arguments are directed to the Fig. 6 embodiment where the user is attempting to access an application for which he/she does not have access and needs further authentication and a new token. The point of contention seems to be where the does Morley teach the claim’s existing level of access. In the description of Fig. 6, Morley refers back to a past authentication mechanism used to authenticate the user and whether or not it is sufficient to grant the permissions and access level at the current time (0081). This refers back to the user login shown in paragraph 0061, in which the authentication method was used and the appropriate identity token is generated. The method of figure 6 starts upon receipt of an application specific user profile is received. This occurs after a user has previously logged in and had an identity token created. We know this because paragraph says there may need to be additional or different user authentications in order to access the currently requested application. So, in order to have an appropriate identity token that conveys the necessary level of access, the user needs to go through a different authentication mechanism. It is this initial level of access that maps to the existing level of access in the claim. After authenticating through an appropriate authentication mechanism, a new identity token is generated, which affords the user his/her desired level of access. The broad claim language does not require more than what is taught by this procedure. The user clearly has an existing level of access that was not adequate to the desired level. The system links the authentication mechanism to one that then grants the necessary permission to access the requested application.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 3, 5-8, 10, 11, 13, 15-19, and 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP Application Publication 2023/0075296 to Morley, III et al., hereinafter Morley.
As per claims 1, 11, and 21, Morley teaches a method for managing access control to one or more resources, the method comprising:
receiving a permission request for a user to access the one or more resources [login to application generates an identity token; 0075 and 0079];
generating an access request based at least in part on the permission request [application service, according to identity token, identifies user attribute set relevant to the application for providing suitable permissions and access levels; 0079];
notifying one or more reviewers to review the access request [communicate with authentication service; 0081];
receiving an indication of the access request being approved [new identity token received; 0082]; and
automatically granting permission to the user to access the one or more resources [sends new token to identity provider to complete the login of the user; 0082];
wherein the generating an access request includes:
determining a desired level of access for the user to access the one or more resources [access level not sufficient for the request application; 0080];
determining a difference between the desired level of access and an existing level of access for the user [difference between what is sufficient and what was included with included identity token (0061); 0079-0081]; and
generating the access request based at least in part on the difference between the desired level of access and the existing level of access for the user [coordinates with authentication server when the access level of the identity token was insufficient for the required application per the authorization policy. An appropriate authentication mechanism is chosen that would allow a new identity token creation which contains the permission needed to access the desired application where the initial identity did not possess on account of the previous authentication mechanism; 0081];
wherein the method is performed by one or more processors (0039).
As per claims 3 and 13, Morley teaches the generating an access request includes:
determining a plurality of desired levels of access, wherein each desired level of access of the plurality of desired levels of access provides the user access to the one or more resources [the application profile identifies a user attributes set relevant to the application for providing suitable permissions and access levels to the user; 0079];
determining a plurality of differences between the plurality of desired levels of access and an existing level of access for the user, wherein each difference of the plurality of differences is a respective difference between a desired level of access of the plurality of desired levels of access and the existing level of access [the included token is used to retrieve the user attributes which constitutes the existing level of access; 0079];
selecting a minimum difference from the plurality of differences [system requires the user to bring up their level of access to meet the required levels of access for the application; 0080 and 0081]; and
generating the access request based at least in part on the minimum difference [authentication service handles authentication to the required level; 0081].
As per claims 5 and 15, Morley teaches prior to receiving the permission request: denying the user access to the one or more resources; and in response to the denying, displaying a user interface for the user to request permission to access the one or more resources, wherein the permission request is received via the displayed user interface [the process is interpreted as the user opening the application and receiving a login screen as shown in 0029. The user is then initially authenticated and an identity token is generated. This identity token is then utilized as described previously in 0079-0080. The user must login or everything after that is denied.]
As per claims 6 and 16, Morley teaches the notifying one or more reviewers to review the access request includes: prompting the user or the one or more reviewers to take one or more actions (0081).
As per claims 7 and 17, Morley teaches the one or more actions include uploading a document or completing a checkpoint [new identity token is received; 0082].
As per claims 8 and 18, Morley teaches the notifying one or more reviewers to review the access request comprises: asking the user or the one or more reviewers to update the permission request for the user to access the one or more resources (0081); and in response to the asking, receiving an updated permission request [new identity token; 0082].
As per claims 10 and 19, Morley teaches the permission request is a blind permission request and does not include a prompt indicating why the user should have access (0075 and 0079).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Morley hereinafter in view of USP Application Publication 2022/04054512 to Mustafi et al., hereinafter Mustafi.
As per claims 4 and 14, Morley is silent in explicitly teaching the one or more resources include a marking, and wherein the marking corresponds to at least one selected from a group consisting of a sensitivity level, a training level, a user type, and an organization type. Mustafi teaches the one or more resources include a marking, and wherein the marking corresponds to at least one selected from a group consisting of a sensitivity level (0011 and 0037) as a means to determine what access level is required for a given resource. Morley already determines this same idea in terms of access level requirement when a resource request is made. Marking the resource as taught by Mustafi is an obvious way to indicate the access level requirement. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Morley hereinafter in view of USP Application Publication 2022/0164465 to Prettejohn et al., hereinafter Prettejohn.
As per claim 9, Morley is silent in explicitly teaching the permission request includes a prompt indicating why the user should have access. Prettejohn teaches the permission request includes a prompt indicating why the user should have access (0122). Specifically, Prettejohn teaches a user given a reason or justification as to why a user needs access to a data asset. Including this information could have assisted the decision making of Morley when the initial identity token lacks sufficient attributes to access the request resource. Morley even teaching AI overriding certain decisions of the access control process (0083). If justification was given as taught by Prettejohn, the system could detect times where access should be given if outside of the normal policy driven process. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316. The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431