Prosecution Insights
Last updated: July 17, 2026
Application No. 19/045,413

ABNORMALLY PERMISSIVE ROLE DEFINITION DETECTION SYSTEMS

Non-Final OA §102§103
Filed
Feb 04, 2025
Priority
May 13, 2021 — continuation of 12/242,600
Examiner
CHAO, MICHAEL W
Art Unit
Tech Center
Assignee
Microsoft Technology Licensing, LLC
OA Round
1 (Non-Final)
70%
Grant Probability
Favorable
1-2
OA Rounds
1y 9m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 70% — above average
70%
Career Allowance Rate
384 granted / 549 resolved
+9.9% vs TC avg
Strong +41% interview lift
Without
With
+40.7%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
18 currently pending
Career history
583
Total Applications
across all art units

Statute-Specific Performance

§101
1.5%
-38.5% vs TC avg
§103
90.9%
+50.9% vs TC avg
§102
4.9%
-35.1% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 549 resolved cases

Office Action

§102 §103
CTNF 19/045,413 CTNF 85279 Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This action is in response to the claims filed 2/04/2025. Claims 21-40 are pending. Claims 21 (a machine), 30 (a method), and 37 (a computer-readable storage medium, see specification ¶ 13) are independent. Double Patenting 08-33 AIA The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg , 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman , 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi , 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum , 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel , 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington , 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. 08-34 AIA Claim s 21, 22, 25, 30, 31, 33, and 37 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim s 1, 8, 9, 10, 13, 14, and 15 of U.S. Patent No. 12,242,600 . Although the claims at issue are not identical, they are not patentably distinct from each other because the presently presented claims are anticipated by the corresponding claims of ‘600 . Claim 21 is anticipated by claim 1 of ‘600. Claim 22 is anticipated by claim 8 of ‘600. Claim 25 is anticipated by claim 9 of ‘600. Claim 30 is anticipated by claim 10 of ‘600. Claim 31 is anticipated by claim 13 of ‘600. Claim 33 is anticipated by claim 14 of ‘600. Claim 37 is anticipated by claim 15 of ‘600. Claim interpretation: element pre-assigned/not pre-assigned Roles are stored in a role definition 306, defined by role assignment by security principals, see Applicant’s specification ¶ 26. Specifically, the schema is defined in a role definition/custom role definition 306 by administrators: “the schema has been preassigned with objects or expressions. In a custom role definition 306b, an administrator can build the role definition on behalf of the enterprise with expressions or objects into the schema.” Applicant’s specification ¶ 28. The claims are directed to “role definition detector 208: “In the illustrated example, the permissive role definition detector 208 is constructed from a plurality of interconnected components. The example permissive role definition detector 208 includes an analyzer 312, a security score generator 314, and detector 316.” ¶ 32. The claims do not require assigning new elements and previously existing pre-assigned elements. Rather, the claims imply that the imported schema has previously been defined, by unclaimed elements, to have existing and then additional elements . Claim Rejections - 35 USC § 102 07-07-aia AIA 07-07 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – 07-12-aia AIA (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. 07-15-03-aia AIA Claim(s) 21-23, 27, 30, 31, 34, 36, 37, and 40 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Nevatia et al., US 2020/0412726 (filed 2019-06) . As to claims 21, 30, and 37, Nevatia discloses a machine/method/CRM comprising: a processor system; and a memory that stores computer-executable instructions that are executable by the processor system to at least: (“Storage component 340 stores information and/or software related to the operation and use of device 300.” Nevatia ¶ 60) receive a role definition of a security principal regarding a scope of resources, (“the security monitoring platform may obtain historical data related to user access rights from the set of cloud applications…. the permissions data may be defined according to an attribute-based access control (ABAC) scheme, a policy-based access control (PBAC) scheme, and/or the like, whereby certain access rights are granted to users through the use of policies that are dependent on a set of attributes.” Nevatia ¶ 17. See Nevatia ¶¶ 18-32) the role definition defining a first permission based on a first element preassigned to a schema (“Each feature set may generally include a set of one or more related features that represent attributes associated with a particular user and/or one or more permissions and/or access rights that are assigned to the particular user within one or more of the cloud applications.” Nevatia ¶ 19) and a second permission based on a second element not preassigned to the schema; (“In some cases, where different cloud applications use different syntactic rules to represent certain attributes that are the same or substantially similar, the security monitoring platform may transform the different attributes into a common form (e.g., the string “system administrator” may be normalized to “sysadmin”, equivalent permissions such as “edit” and “modify all” may be normalized to a common form, and/or the like).” Nevatia ¶ 20) cause a machine learning model to determine a security score for the role definition by providing the first permission, the second permission, (“security monitoring platform may determine that a relatively high score is to be assigned to features that are determined to be the same and/or similar as previously identified features. In contrast, the security monitoring platform may determine that a relatively low score is to be assigned to features that are determined to be different than past identified features.” Nevatia ¶ 26) and a creation event indicating a circumstance of creating the role definition as inputs to the machine learning model, (“the user operating the client device may review the action that was performed to maintain, revoke, elevate, modify, and/or revise the current access rights assigned to the user, and the user may provide feedback by approving, rejecting, or revising the action.” Nevatia ¶ 38. “the security monitoring platform may apply the one or more reinforcement learning techniques to update the access rights data model based on the feedback received from the client device.” Nevatia ¶ 39. Also ¶ 41) the security score based at least on the creation event being an irregular role definition creation event and a plurality of permissions that comprises the first and second permissions corresponding to a relatively high amount of permission; (“if the user is associated with various attributes or features that are consistent with a restricted access level (e.g., read-only access, unauthorized access) but the user has a critical access level that provides unrestricted access, the probability score may have a low value to indicate that the access level assigned to the user may need to be revoked or revised.” Nevatia ¶ 34. With the reinforcement/feedback of Nevatia ¶¶ 39 and 41) compare the security score to plurality of security score ranges that comprises a first security score range corresponding to a first action in which access to a resource in the scope of resources is provided, a second security score range corresponding to a second action in which conditional access to the resource is provided, and a third security score range corresponding to a third action in which access to the resource is denied; and (“maintaining the current access rights based on the probability score satisfying a threshold that indicates that the current access level is likely correct (e.g., the current access level is consistent with a predicted access level that the access rights data model maps to a set of attributes or features associated with the user). In other examples, the action may include revoking or elevating the current access rights assigned to the user based on the probability score satisfying a threshold that indicates that the current access level is likely incorrect” Nevatia ¶ 35. The third level being likely incorrect threshold, the first being the likely correct threshold. “Accordingly, each column in the lookup table may correspond to a particular action, each row in the lookup table may correspond to a particular state, and each entry in the lookup table may correspond to a state-action pair that is initialized with a particular score, which may be refined as the security monitoring platform performs actions and receives feedback on the actions based on an exploration and exploitation technique” Nevatia ¶ 40. “one or more user-defined rules may be used in combination with the probability score described in more detail elsewhere herein to determine the action to be performed in relation to the current access rights assigned to one or more users.” Nevatia ¶ 38. Some other second score range being an additional state-action pair or user specific rule.) deny access to the resource by selecting the third action from the first, second, and third actions as a result of the security score being comprised in the third security score range. (“the action may include revoking or elevating the current access rights assigned to the user based on the probability score satisfying a threshold that indicates that the current access level is likely incorrect (e.g., the current access level is inconsistent with the predicted access level that the access rights data model maps to the set of attributes or features associated with the user).” Nevatia ¶ 35) (as to claims 30 and 37) providing conditional access to the resource by selecting the second action from the first, second, and third actions as a result of the security score being comprised in the second score range. (“one or more user-defined rules may be used in combination with the probability score described in more detail elsewhere herein to determine the action to be performed in relation to the current access rights assigned to one or more users.” Nevatia ¶ 38.) As to claims 22 and 31, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 and further discloses: wherein the machine learning model is trained on features that are based on permissions of role definitions and creation events for multiple scopes of resources. (“the security monitoring platform may use one or more extract, transform, and load (ETL) tools to obtain historical data related to user access rights from a set of cloud applications, and the historical data obtained from the set of cloud applications may be partitioned into clusters using an unsupervised machine learning technique.” Nevatia ¶ 14. Nevatia ¶¶ 39 and 41) As to claims 23 and 34, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 and further discloses: cause the machine learning model to determine the security score for the role definition based at least on a difference between the first permission and the second permission. (“the security monitoring platform may determine a probability score for the current access rights assigned to the user based on the access rights data model that was generated and trained using the combination of unsupervised and supervised machine learning techniques” Nevatia ¶ 34) As to claims 27, 36, and 40, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 and further discloses: wherein the creation event indicates a previous role definition that precedes the role definition. (“the user operating the client device may review the action that was performed to maintain, revoke, elevate, modify, and/or revise the current access rights assigned to the user, and the user may provide feedback by approving, rejecting, or revising the action.” Nevatia ¶ 38.) Claim Rejections - 35 USC § 103 07-20-aia AIA The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 07-21-aia AIA Claim (s) 24, 25, 28, 29, 32, 33, and 38 , is/are rejected under 35 U.S.C. 103 as being unpatentable over Nevatia et al., US 2020/0412726 (filed 2019-06), in view of Sadovsky et al., US 2015/0180894 (filed 2013) . As to claims 24, 33, and 38, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 and further discloses: cause the machine learning model to determine the security score for the role definition by causing the machine learning model (“one or more user-defined rules may be used in combination with the probability score described in more detail elsewhere herein to determine the action to be performed in relation to the current access rights assigned to one or more users.” Nevatia ¶ 38. “a probability score for the current access rights … combination of unsupervised and supervised machine learning techniques,” Nevatia ¶ 34.) Nevatia does not explicitly disclose: to analyze the creation event using rule-based logic. Sadovsky discloses: to analyze the creation event using rule-based logic. (“the accounts that are monitored for anomalous activity may be operator accounts (e.g., accounts that have permissions to create, modify, and delete accounts for other users or groups or users) or other types of accounts (e.g., user accounts, privileged accounts, and the like).” Sadovsky ¶ 3. “For example, anomalous activity may be detected by anomaly detector 26 in response to an unusually large number of requests from accounts in the online service to: create new accounts; change permissions; start processes;” Sadovsky ¶ 16. See Sadovsky ¶¶ 13 and 38 discussing rules and weights.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Nevatia with Sadovsky by incorporating the rules of Sadovsky as the user-defined rules of Nevatia. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Nevatia with Sadovsky in order to detect deviations from a baseline permission activity, thereby preventing malicious actors in the monitored system. As to claims 25 and 32, Nevatia in view of Sadovsky discloses the machine/method/CRM of claims 24, 30, and 24 and further discloses: cause the machine learning model to determine the security score for the role definition by causing the machine learning model to use a rule to determine how often a creator of the role definition, who is indicated by the creation event, creates role definitions. (“For example, anomalous activity may be detected by anomaly detector 26 in response to an unusually large number of requests from accounts in the online service to: create new accounts; change permissions; start processes;” Sadovsky ¶ 16.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Nevatia with Sadovsky by incorporating the rules of Sadovsky as the user-defined rules of Nevatia. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Nevatia with Sadovsky in order to detect deviations from a baseline permission activity, thereby preventing malicious actors in the monitored system. As to claim 28, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 but does not disclose: wherein the creation event indicates a person who created the role definition. Sadovsky discloses: wherein the creation event indicates a person who created the role definition. (“the accounts that are monitored for anomalous activity may be operator accounts (e.g., accounts that have permissions to create, modify, and delete accounts for other users or groups or users) or other types of accounts (e.g., user accounts, privileged accounts, and the like).” Sadovsky ¶ 3. “For example, anomalous activity may be detected by anomaly detector 26 in response to an unusually large number of requests from accounts in the online service to: create new accounts; change permissions; start processes;” Sadovsky ¶ 16. “The event information may include information, such as: a type of the event; a time the event occurred; what account generated the event; a result of the event; and the like. ” Sadovsky ¶ 36) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Nevatia with Sadovsky by incorporating the rules of Sadovsky as the user-defined rules of Nevatia. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Nevatia with Sadovsky in order to detect deviations from a baseline permission activity, thereby preventing malicious actors in the monitored system. As to claim 29, Nevatia in view of Sadovsky discloses the machine/method/CRM of claims 21, 30, and 24 and further discloses: wherein the creation event indicates when the role definition was created. Sadovsky discloses: wherein the creation event indicates when the role definition was created. (“the accounts that are monitored for anomalous activity may be operator accounts (e.g., accounts that have permissions to create, modify, and delete accounts for other users or groups or users) or other types of accounts (e.g., user accounts, privileged accounts, and the like).” Sadovsky ¶ 3. “For example, anomalous activity may be detected by anomaly detector 26 in response to an unusually large number of requests from accounts in the online service to: create new accounts; change permissions; start processes;” Sadovsky ¶ 16. “The event information may include information, such as: a type of the event; a time the event occurred; what account generated the event; a result of the event; and the like. ” Sadovsky ¶ 36). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Nevatia with Sadovsky by incorporating the rules of Sadovsky as the user-defined rules of Nevatia. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Nevatia with Sadovsky in order to detect deviations from a baseline permission activity, thereby preventing malicious actors in the monitored system . 07-21-aia AIA Claim (s) 26, 35, and 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nevatia et al., US 2020/0412726 (filed 2019-06), in view of Glotzer et al., US 10,057,291 (filed 2015) . As to claims 26, 35, and 39, Nevatia discloses the machine/method/CRM of claims 21, 30, and 37 but does not disclose: wherein the schema comprises an allowed operation for a resource control plane, a denied operation for the resource control plane, an allowed operation for a resource data plane, and a denied operation for the resource data plane. Glotzer discloses: (“networking ACLs are rules that define whether network traffic is to be allowed or denied. In some types of ACLs (called data plane ACLs), the rules define whether network traffic is permitted to pass through a given device. In other types of ACLs (called control plane ACLs), the rules define whether network traffic is permitted to reach a destination device (e.g., is allowed to be received and processed by a network device). ACL rules are defined in terms of Internet protocol (IP) addresses, port numbers, network protocols, and/or other networking details. The technologies described herein can be used to perform semantic analysis of various types of ACLs, including data plane ACLs, control plane ACLs, and/or other types of networking ACLs.” Glotzer col. 2, ln. 30. See also Glotzer col. 3, ln. 30.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Nevatia with Glotzer by utilizing the ACLs of Glotzer as part of the feature set of Nevatia. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Nevatia with Glotzer in order to enable networks to manage flows within the network, thereby securing the network data, Glotzer col. 2, ln. 45 . Conclusion 07-96 AIA The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly: Veeramacheneni et al., US 2022/0179986, discloses a method for managing user permissions. Saxena et al., US 2019/0327271, discloses automated access control management for computing systems. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL W CHAO/ Primary Examiner, Art Unit 2492 Application/Control Number: 19/045,413 Page 2 Art Unit: 2492 Application/Control Number: 19/045,413 Page 3 Art Unit: 2492 Application/Control Number: 19/045,413 Page 4 Art Unit: 2492 Application/Control Number: 19/045,413 Page 5 Art Unit: 2492 Application/Control Number: 19/045,413 Page 6 Art Unit: 2492 Application/Control Number: 19/045,413 Page 7 Art Unit: 2492 Application/Control Number: 19/045,413 Page 8 Art Unit: 2492 Application/Control Number: 19/045,413 Page 9 Art Unit: 2492 Application/Control Number: 19/045,413 Page 10 Art Unit: 2492 Application/Control Number: 19/045,413 Page 11 Art Unit: 2492 Application/Control Number: 19/045,413 Page 12 Art Unit: 2492 Application/Control Number: 19/045,413 Page 13 Art Unit: 2492 Application/Control Number: 19/045,413 Page 14 Art Unit: 2492 Application/Control Number: 19/045,413 Page 15 Art Unit: 2492 Application/Control Number: 19/045,413 Page 16 Art Unit: 2492
Read full office action

Prosecution Timeline

Feb 04, 2025
Application Filed
Jun 16, 2026
Non-Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683970
PERFORMING SERVICES ON A HOST
2y 9m to grant Granted Jul 14, 2026
Patent 12675565
DETECTION OF A CLASS OF PROCESSES
4y 6m to grant Granted Jul 07, 2026
Patent 12652284
SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR AUTHENTICATING DEVICES WITH DEVICE AUTHENTICATION IDENTIFIERS
2y 1m to grant Granted Jun 09, 2026
Patent 12641081
FAST JOINS AND LOW MEMORY USAGE FOR END-TO-END (E2E)-SECURE APPLICATIONS USING LIGHT MLS CLIENTS
2y 1m to grant Granted May 26, 2026
Patent 12634132
ELECTRONIC DEVICE FOR CONTROLLING POWER CONSUMPTION OF ACCESSORY DEVICE AND OPERATING METHOD THEREFOR
3y 0m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
70%
Grant Probability
99%
With Interview (+40.7%)
3y 3m (~1y 9m remaining)
Median Time to Grant
Low
PTA Risk
Based on 549 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month