Prosecution Insights
Last updated: July 17, 2026
Application No. 18/807,474

ENABLING FINE-GRANULAR ROLE-BASED ACCESS CONTROL IN ENTERPRISE NETWORKS

Final Rejection §102§103
Filed
Aug 16, 2024
Examiner
REYNOLDS, DEBORAH J
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Cisco Technology Inc.
OA Round
2 (Final)
66%
Grant Probability
Favorable
3-4
OA Rounds
9m
Est. Remaining
80%
With Interview

Examiner Intelligence

Grants 66% — above average
66%
Career Allowance Rate
109 granted / 164 resolved
+8.5% vs TC avg
Moderate +14% lift
Without
With
+13.8%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
18 currently pending
Career history
187
Total Applications
across all art units

Statute-Specific Performance

§101
5.6%
-34.4% vs TC avg
§103
72.5%
+32.5% vs TC avg
§102
10.6%
-29.4% vs TC avg
§112
7.1%
-32.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 164 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . The following is a final office action in response to communications received April 14, 2026. Claims 1, 3, 10-11 and 18-20 have been amended. Claims 2, 6, 13-14 have been canceled. Claims 21-24 have been newly added. Therefore, claims 1, 3-5, 7-12 and 15-24 are pending and addressed below. Response to Arguments Applicant’s arguments filed April 14, 2026 have been fully considered but they are not persuasive for the following reasons: Applicant’s arguments with respect to the rejections of amended claims 1 under 35 U.S.C 102(a)(1) have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new ground of rejection under 35 U.S.C 103 is made in view of the combination of prior art of Erramilli et al (US PG-PUB No. 20250384157 A1) and Ahmed et al (US PG-PUB No. 20250077595 A1) (see below rejection details) Applicant’s arguments with respect to the rejections of amended claims 10 and 18 under 35 U.S.C 102(a)(1) have been fully considered but are moot because additional citations from the same prior art Erramilli et al (US PG-PUB No. 20250384157 A1) are added to support the examiner’s response. (see below rejection details) Therefore, claims 1 is rejected under 35 U.S.C 103, claims 10 and 18 are rejected under 35 U.S.C 102. As claims 3-5, 7-9 and 21-23 are dependent directly or indirectly on claim 1, claims 11-12 and 15-17 are dependent directly or indirectly on claim 10, claims 19-20 and 24 are dependent directly or indirectly on claim 18, applicant’s argument with respect to the rejections of claim 3-5, 7-9, 11-12 and 15-17, 19-24 are moot. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 10-11 and 15-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Erramilli et al (US PG-PUB No. 20250384157 A1). Regarding claim 10, Erramilli teaches a system comprising: one or more processors; and one or more computer-readable media storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, from a computing device, a user query including an identity token (Paragraph [0078]: “At 815, the method may include receiving, from a user and at an interface for accessing a large language model, a request (receiving, from a computing device, a user query) for a response from the large language model, the request including a prompt for the large language model and data access role information associated with the user (the user query including an identity token).”); generating, based on the user query, a first embedding (Paragraph [0079]: “At 820, the method may include converting the received request into one or more vectors (generating, based on the user query, a first embedding).”); receiving, from an authorization system, authorization data associated with the identity token (Paragraph [0039] teaches the authorization process can be done by an authorization module: “In some cases, the authorization module 235 may determine that the data access role information associated with the user satisfies the data access policy information associated with the one or more data objects.”), the authorization data indicating types of data, devices, or resources the identity token is authorized to access within a network (Paragraph [0036]: “The authorization module 235 may use the metadata to provide citations, and determine if one or more roles that can access the document/record associated with a particular query (the authorization data indicates types of data, devices, or resources the identity token is authorized to access within the enterprise network). For instance, upon receiving an input prompt, the authorization module 235 may check the associated metadata (stored in the vector database 240) to check whether the user making the query satisfies a policy.”; Paragraph [0011] further discloses: “ the cloud platform may have access to various types of data (authorization data indicates types of data).”); sending, to a vector store including a plurality of embeddings with individual ones of the plurality of embeddings being associated with an access control element indicative of access control to the respective embedding, a search request comprising the first embedding and metadata associated with the authorization data; receiving, from the vector store, network data for at least one embedding, from among the plurality of embeddings, that the identity token is authorized to access and that is relevant to the first embedding (Paragraph [0080]: “At 825, the method may include querying the data source using the one or more vectors to retrieve the one or more data objects (sending, to a vector store, a search request comprising the first embedding and metadata), where the one or more data objects are identified based on a comparison between the one or more vectors and the set of multiple data objects (metadata indicative of one or more constraints for data that the user is authorized to access)”; Paragraph [0081]: “At 830, the method may include retrieving, from a data source (receiving from the vector store) including a set of multiple data objects, one or more data objects (network data for a set of embeddings, from among the plurality of embeddings) for inputting to the large language model based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects (the data objects include network data associated with the first embedding and role information metadata).”; Paragraph [0104]: “augmenting the plurality of vectors stored in the data source with role information metadata associated with each data record of the plurality of data records (sending the first embedding and metadata to a vector store), wherein the data access policy information associated with the plurality of data objects is based at least in part on the role information metadata (metadata indicative of one or more constraints for data that the user is authorized to access).”); generating, based on the network data, context data (Paragraph [0081]: “At 830, the method may include retrieving, from a data source including a set of multiple data objects, one or more data objects for inputting to the large language model (the context data is generated based on the data and the metadata, and may be sent to the LLM) based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects.”); sending, to a large language model (LLM), the context data and the user query (Paragraph [0082]: “At 835, the method may include inputting, via a model interface, the one or more data objects (the context data and the user query) to the large language model (sending to a large language model (LLM)).”); and in response to receiving an output from the LLM, sending, to the computing device, the output for display via a user interface (Paragraph [0083]: “At 840, the method may include receiving, via the model interface, an output of the large language model (receiving an output from the LLM) based on the one or more data objects, the output including the response to the request including the prompt (the output including a context-specific response to the user query, the output is sent to the computing device for display via a model user interface).”). Regarding claim 11, Erramilli teaches all of the features with respect to claim 10, as outlined above. Erramilli further teaches the operations further comprising: generating, based on network inventory data, the plurality of embeddings; storing the plurality of embeddings in the vector store (Paragraph [0076]: “At 805, the method may include transforming a set of multiple data records into a set of multiple vectors, where the set of multiple vectors include the set of multiple data objects (generating, based on network inventory data, a plurality of embeddings).”; Paragraph [0077]: “At 810, the method may include storing, prior to receiving the request from the user, the set of multiple vectors in the data source (storing the plurality of embeddings in the vector store).”); determining key characteristics associated with individual embeddings of the plurality of embeddings; determining resource group metadata for each of the key characteristics; and storing, in association with the key characteristics of the individual embeddings, the resource group metadata in the vector store (Paragraph [0104]: “augmenting the plurality of vectors stored in the data source with role information metadata associated with each data record of the plurality of data records (with individual embeddings of the plurality of embeddings), wherein the data access policy information (determining key characteristics) associated with the plurality of data objects is based at least in part on the role information metadata.”; Paragraph [0105]: “wherein the augmented plurality of vectors comprise a plurality of key value pairs, and the role information metadata (determining resource group metadata for each of the key characteristics) associated with each data record of the plurality of data records is stored (storing, in association with the key characteristics of the individual embeddings, the resource group metadata in the vector store) in a key of each corresponding key value pair of the plurality of key value pairs.”). Regarding claim 15, Erramilli teaches all of the features with respect to claim 10, as outlined above. Erramilli further teaches the operations further comprising: determining, prior to sending the search request, a portion of the vector store to search based on the user query and the identity token, wherein the search request indicates the portion of the vector store (Paragraph [0034]: “In some examples, the retrieval augmented generation module 230 may transform a set of data records (user query and the identity token) into a set of vectors, where the set of vectors include the set of data objects. The retrieval augmented generation module 230 may store, prior to receiving the request from the user, the set of vectors in the data source (e.g., vector database 240) (determining a portion of the vector store to search prior to sending the search request). The transformed data may include a key-value pair (determining a portion of the vector store to search), with the key being the vector coordinates of the piece of text or data object in a high dimensional space and the value being the piece of text or data object.”). Regarding claim 16, Erramilli teaches all of the features with respect to claim 10, as outlined above. Erramilli further teaches wherein the vector store is configured to support metadata search requests (Paragraph [0035]: “In some examples, the cloud platform 215 may augment the set of vectors stored in the data source (e.g., vector database 240) (the vector store is configured to support) with role information metadata associated with each data record of the set of data records (metadata search requests).”). Regarding claim 17, Erramilli teaches all of the features with respect to claim 10, as outlined above. Erramilli further teaches wherein the system is implemented by an enterprise network that utilizes retrieval augmented generation based LLMs (Paragraph [0025]: “In some examples, one or more large language models (LLMs) may work with private enterprise data using a method called Retrieval Augmented Generation, where the large language model may be augmented by the private enterprise data by storing this data in a private data store (e.g., a vector database).”). Regarding claim 18, Erramilli teaches A method implemented by a network controller of an enterprise network, the method comprising: receiving, from a domain database of the enterprise network, data associated with a domain service; generating, based on the data, a plurality of vector embeddings representing the data; storing, in a vector store of the enterprise network, the plurality of vector embeddings (Paragraph [0034]: “The retrieval augmented generation module 230 may coordinate the retrieval and generation of data by transforming private data (e.g., retrieved from private database 250) (data associated with a domain service from a domain database). In some examples, the retrieval augmented generation module 230 may transform a set of data records into a set of vectors (generating, based on the data, vector embeddings representing the data), where the set of vectors include the set of data objects. The retrieval augmented generation module 230 may store, prior to receiving the request from the user, the set of vectors in the data source (e.g., vector database 240) (storing, in a vector store of the enterprise network, the vector embeddings).”); determining, for individual ones of the plurality of vector embeddings, a characteristic associated with the respective vector embedding, the characteristic being indicative of a network device; determining, for individual ones of the plurality of vector embeddings, an access control element indicative of access control to the characteristic of the respective vector embedding; and storing, in the vector store and for individual ones of the plurality of vector embeddings, metadata comprising the access control element for the respective vector embedding (Paragraph [0081] At 830, the method may include retrieving, from a data source including a set of multiple data objects, one or more data objects for inputting to the large language model based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects (wherein the data access role information associated with the user determines if the user has access to a characteristic of a network device; the data access policy information associated with the data objects determines the access control element indicative of access control to the characteristic of the network device); Paragraph [0039] further teaches “In some cases, the authorization module 235 may determine that the data access role information associated with the user satisfies the data access policy information associated with the one or more data objects. In some examples, inputting the one or more data objects to the large language model 220 may be based on the data access role information associated with the user satisfying the data access policy information associated with the one or more data objects (when the data access role information associated with the user satisfying the data access policy information associated with the data objects, associate the access control element with the respective embedding).”). Regarding claim 19, Erramilli teaches all of the features with respect to claim 18, as outlined above. Erramilli further teaches wherein the access control element is indicative of at least one of access control rules, an authorization rule, or access control policy (Paragraph [0081] At 830, the method may include retrieving, from a data source including a set of multiple data objects, one or more data objects for inputting to the large language model based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects (wherein the data access role information associated with the user determines if the user has access to a characteristic of a network device; the data access policy information associated with the data objects determines the access control element indicative of access control to the characteristic of the network device)”). Regarding claim 20, Erramilli teaches all of the features with respect to claim 18, as outlined above. Erramilli further teaches wherein storing the plurality of vector embeddings is based on a hierarchy (Paragraph [0105]: “wherein the augmented plurality of vectors (the plurality of embeddings) comprise a plurality of key value pairs, and the role information metadata (metadata) associated with each data record of the plurality of data records is stored in a key of each corresponding key value pair of the plurality of key value pairs (is stored in the vector store based on a hierarchy).”). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 3-5 and 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Ahmed et al (US PG-PUB No. 20250077595 A1). Regarding claim 1, Erramilli teaches a method implemented by a network controller of an enterprise network, the method comprising: receiving, from a computing device, a user query including user input data and an identity token associated with identifying a user; generating, a first embedding for the user input data (Paragraph [0078]: “At 815, the method may include receiving, from a user and at an interface (receiving from a computing device user interface) for accessing a large language model, a request (a user query) for a response from the large language model, the request including a prompt (the user query including a prompt to get the user input data) for the large language model and data access role information associated with the user (the user query also includes an identity token associated with identifying a user).”; Paragraph [0079]: “At 820, the method may include converting the received request into one or more vectors (generating a first embedding for the user input data, wherein the received request including the user input data, and the vector is the embedding).”); receiving, from an authorization system, authorization data associated with the identity token (Paragraph [0039] teaches the authorization process can be done by an authorization module: “In some cases, the authorization module 235 may determine that the data access role information associated with the user satisfies the data access policy information associated with the one or more data objects.”); generating, based on network inventory data, a plurality of embeddings; storing the plurality of embeddings in a vector store (Paragraph [0076]: “At 805, the method may include transforming a set of multiple data records into a set of multiple vectors, where the set of multiple vectors include the set of multiple data objects (generating, based on network inventory data, a plurality of embeddings).”; Paragraph [0077]: “At 810, the method may include storing, prior to receiving the request from the user, the set of multiple vectors in the data source (storing the plurality of embeddings in the vector store).”); determining, for individual ones of the plurality of embeddings, a characteristic associated with the respective embedding, the characteristic being indicative of a network device; determining, for individual ones of the plurality of embeddings, an access control element indicative of access control to the characteristic of the respective embedding; associating, for individual ones of the plurality of embeddings, the access control element with the respective embedding (Paragraph [0081] At 830, the method may include retrieving, from a data source including a set of multiple data objects, one or more data objects for inputting to the large language model based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects (wherein the data access role information associated with the user determines if the user has access to a characteristic of a network device; the data access policy information associated with the data objects determines the access control element indicative of access control to the characteristic of the network device); Paragraph [0039] further teaches “In some cases, the authorization module 235 may determine that the data access role information associated with the user satisfies the data access policy information associated with the one or more data objects. In some examples, inputting the one or more data objects to the large language model 220 may be based on the data access role information associated with the user satisfying the data access policy information associated with the one or more data objects (when the data access role information associated with the user satisfying the data access policy information associated with the data objects, associate the access control element with the respective embedding).”); sending, to a vector store, a search request comprising the first embedding and metadata indicative of one or more constraints for data that the user is authorized to access; receiving, from the vector store, network data for a set of embeddings, from among the plurality of embeddings, that the user is authorized to access and that are relevant to the first embedding (Paragraph [0080]: “At 825, the method may include querying the data source using the one or more vectors to retrieve the one or more data objects (sending, to a vector store, a search request comprising the first embedding and metadata), where the one or more data objects are identified based on a comparison between the one or more vectors and the set of multiple data objects (metadata indicative of one or more constraints for data that the user is authorized to access)”; Paragraph [0081]: “At 830, the method may include retrieving, from a data source (receiving from the vector store) including a set of multiple data objects, one or more data objects (network data for a set of embeddings, from among the plurality of embeddings) for inputting to the large language model based on comparing the data access role information associated with the user with data access policy information associated with the one or more data objects (the data objects include network data associated with the first embedding and role information metadata).”; Paragraph [0104]: “augmenting the plurality of vectors stored in the data source with role information metadata associated with each data record of the plurality of data records (sending the first embedding and metadata to a vector store), wherein the data access policy information associated with the plurality of data objects is based at least in part on the role information metadata (metadata indicative of one or more constraints for data that the user is authorized to access).”); sending, to a large language model (LLM), the context data and the user query (Paragraph [0082]: “At 835, the method may include inputting, via a model interface, the one or more data objects (the context data and the user query) to the large language model (sending to a large language model (LLM)).”); and receiving an output from the LLM, the output including a context-specific response to the user query; and sending, to the computing device, the output for display via a user interface (Paragraph [0083]: “At 840, the method may include receiving, via the model interface, an output of the large language model (receiving an output from the LLM) based on the one or more data objects, the output including the response to the request including the prompt (the output including a context-specific response to the user query, the output is sent to the computing device for display via a model user interface).”). Erramilli fails to explicitly teach ranking the set of embeddings. However, Ahmed teaches ranking the set of embeddings based on one or more network characteristics of the set of embeddings; generating, based on the ranking of the set of embeddings data, context data for the user query relative to the enterprise network (Paragraph [0083]: “In one non-limiting embodiment, the n-RAG engine 209 may create different links for different nested vector embeddings depending on a type of enterprise and various roles and ranks associated with the enterprise. After creating the appropriate plurality of links, the information is then stored under the associated plurality of vector embeddings which may facilitate more relevant user role-specific response.”); Erramilli and Ahmed are both considered to be analogous to the claimed invention because they both teach techniques to perform authorization on LLM responses. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Erramilli with adding ranking the set of embeddings based on one or more network characteristics of the set of embeddings and generating, based on the ranking of the set of embeddings data, context data for the user query relative to the enterprise network, disclosed by Ahmed. One of the ordinary skills in the art would have been motivated to make this modification in order to facilitate more relevant user role-specific response, as suggested by Ahmed in paragraph [0083]. Regarding claim 3, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches wherein the plurality of embeddings is stored in the vector store based on a hierarchy (Paragraph [0105]: “wherein the augmented plurality of vectors (the plurality of embeddings) comprise a plurality of key value pairs, and the role information metadata associated with each data record of the plurality of data records is stored in a key of each corresponding key value pair of the plurality of key value pairs (is stored in the vector store based on a hierarchy).”). Regarding claim 5, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches wherein the authorization data indicates types of data, devices, or resources the identity token is authorized to access within the enterprise network (Paragraph [0036]: “The authorization module 235 may use the metadata to provide citations, and determine if one or more roles that can access the document/record associated with a particular query (the authorization data indicates types of data, devices, or resources the identity token is authorized to access within the enterprise network). For instance, upon receiving an input prompt, the authorization module 235 may check the associated metadata (stored in the vector database 240) to check whether the user making the query satisfies a policy.”; Paragraph [0011] further discloses: “ the cloud platform may have access to various types of data (authorization data indicates types of data).”). Regarding claim 7, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches the method further comprising: determining, prior to sending the search request, a portion of the vector store to search based on the user query and the identity token, wherein the search request indicates the portion of the vector store (Paragraph [0034]: “In some examples, the retrieval augmented generation module 230 may transform a set of data records (user query and the identity token) into a set of vectors, where the set of vectors include the set of data objects. The retrieval augmented generation module 230 may store, prior to receiving the request from the user, the set of vectors in the data source (e.g., vector database 240) (determining a portion of the vector store to search prior to sending the search request). The transformed data may include a key-value pair (determining a portion of the vector store to search), with the key being the vector coordinates of the piece of text or data object in a high dimensional space and the value being the piece of text or data object.”). Regarding claim 8, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches wherein the vector store is configured to support metadata search requests (Paragraph [0035]: “In some examples, the cloud platform 215 may augment the set of vectors stored in the data source (e.g., vector database 240) (the vector store is configured to support) with role information metadata associated with each data record of the set of data records (metadata search requests).”). Regarding claim 9, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches wherein the enterprise network utilizes retrieval augmented generation based LLMs (Paragraph [0025]: “In some examples, one or more large language models (LLMs) may work with private enterprise data using a method called Retrieval Augmented Generation, where the large language model may be augmented by the private enterprise data by storing this data in a private data store (e.g., a vector database).”). Claim 4 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Ahmed et al (US PG-PUB No. 20250077595 A1), in further view of Microsoft article (NPL: azure-role-based-access-control-permissions: published in 2023). Regarding claim 4 and claim 23, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches wherein the metadata comprises role-based access control information, including resource group name (Paragraph [0027]: “In some cases, the citation metadata may be augmented by one or more role based access controls policies on records.”; Paragraph [0023] further discloses the metadata including resource group information: “the system 100 may organize resources (e.g., processing resources, memory resources) to support tenant isolation (e.g., tenant-specific resources), tenant isolation within a shared resource (e.g., within a single instance of a resource), tenant-specific resources in a resource group, tenant-specific resource groups corresponding to a same subscription, tenant-specific subscriptions, or any combination thereof.”;). Erramilli and Ahmed fails to explicitly teach the metadata comprises role-based access control information including site name, fabric name, and device group name. However, a Microsoft article (NPL: azure-role-based-access-control-permissions: published in 2023), hereinafter Azure RBAC permissions, discloses all the Azure RBAC permissions information which include different categories such as resource group name, site name, fabric name and device group name. Erramilli, Ahmed and Azure RBAC permissions are all considered to be analogous to the claimed invention because they all teach role-based access control to resources in cloud environment. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Erramilli and Ahmed with adding site name, fabric name and device group name to the metadata for RBAC, disclosed by Azure RBAC permissions. One of the ordinary skills in the art would have been motivated to make this modification in order to provide fine-granular role-based access control to resources in cloud environment, as suggested in Azure RBAC permissions. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Microsoft article (NPL: azure-role-based-access-control-permissions: published in 2023). Regarding claim 12, Erramilli teaches all of the features with respect to claim 10, as outlined above. Erramilli further teaches wherein the metadata comprises role-based access control information, including resource group name (Paragraph [0027]: “In some cases, the citation metadata may be augmented by one or more role based access controls policies on records.”; Paragraph [0023] further discloses the metadata including resource group information: “the system 100 may organize resources (e.g., processing resources, memory resources) to support tenant isolation (e.g., tenant-specific resources), tenant isolation within a shared resource (e.g., within a single instance of a resource), tenant-specific resources in a resource group, tenant-specific resource groups corresponding to a same subscription, tenant-specific subscriptions, or any combination thereof.”;). Erramilli fails to explicitly teach the metadata comprises role-based access control information including site name, fabric name, and device group name. However, a Microsoft article (NPL: azure-role-based-access-control-permissions: published in 2023), hereinafter Azure RBAC permissions, discloses all the Azure RBAC permissions information which include different categories such as resource group name, site name, fabric name and device group name. Erramilli and Azure RBAC permissions are all considered to be analogous to the claimed invention because they all teach role-based access control to resources in cloud environment. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Erramilli with adding site name, fabric name and device group name to the metadata for RBAC, disclosed by Azure RBAC permissions. One of the ordinary skills in the art would have been motivated to make this modification in order to provide fine-granular role-based access control to resources in cloud environment, as suggested in Azure RBAC permissions. Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Ahmed et al (US PG-PUB No. 20250077595 A1), in further view of TSE et al (US PG-PUB No. 20250330839 A1). Regarding claim 21, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli further teaches storing embeddings in the vector store (Paragraph [0077]: “At 810, the method may include storing, prior to receiving the request from the user, the set of multiple vectors in the data source (storing the plurality of embeddings in the vector store).”). Erramilli and Ahmed fails to explicitly teach generating embeddings in real-time as changes occur to the enterprise network. However, TSE teaches generating additional embeddings in real-time as changes occur to the enterprise network (Paragraph [0014]: “As illustrated, a database 110 captures various metrics, KPIs, and other data during operation of the network… Next, during inference, the ML inference stage 118 can load the model and generate real-time features vectors based on data collected in database 110 (generating additional embeddings in real-time as changes occur to the enterprise network).”). Erramilli, Ahmed and TSE are all considered to be analogous to the claimed invention because they all teach machine-learning model. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Erramilli and Ahmed with adding generating embeddings in real-time as changes occur to the enterprise network, disclosed by TSE. One of the ordinary skills in the art would have been motivated to make this modification in order to adapt the network changes, as suggested in TSE in paragraph [0014]. Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Ahmed et al (US PG-PUB No. 20250077595 A1), in further view of Jung et al (US PG-PUB No. 20240179218 A1). Regarding claim 22, Erramilli and Ahmed teach all of the features with respect to claim 1, as outlined above. Erramilli and Ahmed fails to explicitly teach, but Jung teaches wherein the characteristic of individual ones of the plurality of embeddings is a configuration state or operational state of the network device (Paragraph [0056]: “The device embedding component 230 obtains network information 232 indicative of the network devices and enterprise sites in the network domain. The network information 232 includes characteristics of the network/computing equipment and software 102(1)-102(N) of FIG. 1 such as a network device type, a device model, version, components (number of ports), a device product family type, role of the device in the network domain, etc. The network information 232 may further include characteristics of various enterprise sites 110(1)-110(N) of FIG. 1 such as geographic location, type and number of various devices, an enterprise type and size. The network information 232 may further include attributes of the network domain such as operational states, updates and configuration related data, faults, errors, and/or enterprise network domain related data such as purchase contracts, service contracts, warranty service agreements, license agreements and other asset information i.e., data about network/computing equipment and software 102(1)-102(N), at various enterprise sites 110(1)-110(N)).”). Erramilli, Ahmed and Jung are all considered to be analogous to the claimed invention because they all teach machine-learning model. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Erramilli and Ahmed with adding the characteristic of individual ones of the plurality of embeddings is a configuration state or operational state of the network device, disclosed by Jung. One of the ordinary skills in the art would have been motivated to make this modification in order to keep track of device characteristics for determining network-specific user behavior, as suggested in Jung. Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Erramilli et al (US PG-PUB No. 20250384157 A1) in view of Jung et al (US PG-PUB No. 20240179218 A1). Regarding claim 24, Erramilli teaches all of the features with respect to claim 18, as outlined above. Erramilli fails to explicitly teach, but Jung teaches wherein the characteristic of individual ones of the plurality of embeddings is a configuration state or operational state of the network device (Paragraph [0056]: “The device embedding component 230 obtains network information 232 indicative of the network devices and enterprise sites in the network domain. The network information 232 includes characteristics of the network/computing equipment and software 102(1)-102(N) of FIG. 1 such as a network device type, a device model, version, components (number of ports), a device product family type, role of the device in the network domain, etc. The network information 232 may further include characteristics of various enterprise sites 110(1)-110(N) of FIG. 1 such as geographic location, type and number of various devices, an enterprise type and size. The network information 232 may further include attributes of the network domain such as operational states, updates and configuration related data, faults, errors, and/or enterprise network domain related data such as purchase contracts, service contracts, warranty service agreements, license agreements and other asset information i.e., data about network/computing equipment and software 102(1)-102(N), at various enterprise sites 110(1)-110(N)).”). One of the ordinary skills in the art would have been motivated to make this modification in order to keep track of device characteristics for determining network-specific user behavior, as suggested in Jung. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Crabtree et al (US 20250258708 A1) discloses FEDERATED DISTRIBUTED GRAPH-BASED COMPUTING PLATFORM WITH HARDWARE MANAGEMENT Longoni (US 20250245218 A1) discloses METHODS AND APPARATUS FOR A RETRIEVAL AUGMENTED GENERATIVE (RAG) ARTIFICIAL INTELLIGENCE (AI) SYSTEM Godbole et al (US 12488136 B1) discloses Systems And Methods For Access Control For Federated Retrieval-augmented Generation Svenell et al (US 20250371052 A1) discloses METHODS AND SYSTEMS FOR DATA TRANSFORMATION AND ACCESS CONTROL Jungerman et al (US 20250373451 A1) discloses TRUST-ENABLED ARTIFICIAL INTELLIGENCE AND NON-HUMAN IDENTITY ORCHESTRATOR FRAMEWORK Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /J.M.D./Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Aug 16, 2024
Application Filed
Jan 14, 2026
Non-Final Rejection mailed — §102, §103
Apr 02, 2026
Interview Requested
Apr 14, 2026
Examiner Interview Summary
Apr 14, 2026
Applicant Interview (Telephonic)
Apr 14, 2026
Response Filed
Jun 10, 2026
Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12666489
RADIO RESOURCE RESERVATION FOR INTER-UE COORDINATION IN NR SIDELINK MODE 2
2y 7m to grant Granted Jun 23, 2026
Patent 12634501
VIDEO CODING AND DECODING
1y 10m to grant Granted May 19, 2026
Patent 12627825
VIDEO CODING AND DECODING
1y 10m to grant Granted May 12, 2026
Patent 12534225
SATELLITE DISPENSING SYSTEM
4y 1m to grant Granted Jan 27, 2026
Patent 12441265
Mechanisms for moving a pod out of a vehicle
3y 8m to grant Granted Oct 14, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
66%
Grant Probability
80%
With Interview (+13.8%)
2y 8m (~9m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 164 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month