Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
This communication is in response to the application filed on 12/16/2024 in which Claims 1-20 are presented for examination.
Drawings
The applicant’s drawings submitted on 12/16/2024 are acceptable for examination purposes.
Objections
Claims 1-20 are objected to because of the following informalities: The examiner suggests amending claims 1 to delete the bullets.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-3, 5-12, 14-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Gee U.S. Patent No. 12549558 B1 (hereinafter " Gee ") in view of KARLBERG US 20210288971 A1.
As to claim 1, Gee teaches a method comprising: accessing a first set of objects generated by a source and representing a set of identities associated with a computer network; detecting the set of identities based on the first set of objects (Gee Col. 16 lines 31-35) [A relationship model is a logical representation of groupings of users of the computer network that is not coupled with or dependent on the topology of the computer network. It comprises a plurality of objects called “nodes]; accessing a first policy associated with the computer network (Gee Col. 3 lines 54-60) [Identity governance and administration (IGA) systems enable the implementation of a policy-based approach to managing user identities and controlling access]; extracting a first entitlement from the first policy, the first entitlement granting permission to a first identity in the set of identities to access a first resource, in a set of resources associated with the computer network (Gee Col. 5 lines 23-27) [enable secure delegation of authority to create and manage identities for users of a computer network and to provision access entitlements to users to network resources in a manner that ensures compliance with security and access policies], according to a first access level (Gee Col. 5 lines 37-45) [an administrator to set access permissions by attributes. For example, the user- the user's job title, function, and seniority level could determine the work that can be done; the resource- the type of file, the person who made it, or the document's sensitivity; and the circumstances- where the user is, the time of day, the date, etc. Rules can be developed for authorizing user access based on these attributes. This allows for well-defined access control];
It is noted that Gee not appear explicitly disclose accessing a first set of event data representing activity associated with the set of resources during a first time period;
detecting a first access attempt associated with the first resource by the first identity based on the first set of event data, the first access attempt characterized by a second access level; detecting a deviation between the second access level and the first access level defined in the first entitlement; generating a second policy representing a second entitlement granting permission to the first identity to access the first resource according to the second access level in response to detecting the deviation; and
serving the second policy to an operator via an interface.
However, KARLBERG discloses accessing a first set of event data representing activity associated with the set of resources during a first time period;
detecting a first access attempt associated with the first resource by the first identity based on the first set of event data, the first access attempt characterized by a second access level (KARLBERG Pa. [0176]) [determining that a first access control level is required to access a first computer resource of the plurality of computer resources and a second access control level different than the first access control level is required to access a second computer resource of the plurality of computer resources]; detecting a deviation between the second access level and the first access level defined in the first entitlement (KARLBERG Pa. [0176]) [comparing the first access control level and the second access control level with one or more access credentials of the user] [0125] [it is determined whether the user has access to all of the resources. In some embodiments, this is performed by the functionality described with respect to the client-resource runtime evaluator 226 of FIG. 2. In some embodiments, block 1310 is performed based on the comparing of block 1308. [0126] Per block 1312, if the user does not have access to all of the resources, particular embodiments provide to a user device only those resources that the user has access to]; generating a second policy representing a second entitlement granting permission to the first identity to access the first resource according to the second access level in response to detecting the deviation (KARLBERG Pa. [0126]) [ determine that the first user has access to a first computer resource of the plurality of computer resources and does not have access to a second computer resource of the plurality of computer resources. Accordingly, based at least in part on determining that the first user has access to the first computer resources and not the second computer resources, the user device associated with the first user is provided only the first computer resource (and not the second computer resource)]; and serving the second policy to an operator via an interface KARLBERG Pa. [0176]) [and based at least in part on the determining and the comparing, providing access to at least the first computer resource to a user device associated with the user]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by KARLBERG to the access control system of Gee would have yield predictable results and resulted in an improved system, namely, a system that would provide multiple resources or instances that need to be accessed securely (KARLBERG Pa. [0005])
As to claims 15 and 18, claims 15 and 18 recites the claimed that contain respectively similar limitations as claim 1; therefore, they are rejected under the same rationale.
As to claims 2-3, 5-12, 14, 16-17 and 19-20, claims 2-3, 5-12, 14, 16-1715 and 19 recites the claimed that contain respectively similar limitations as claim 1; therefore, they are rejected under the same rationale.
Allowable Subject Matter
Claims 4 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. These include.
US 20230319055 A1 – SMYTH describes generating access entitlements to networked computing resources. Systems may be configured to: receive an input data set representing an entitlement request associated with a user identifier; generate an entitlement prediction associated with the user identifier based on an entitlement model and at least one hierarchical level, the entitlement model defining a cluster representation of entitlement similarity
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Friday 8:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVANS DESROSIERS/Primary Examiner, Art Unit 2491