DETAILED ACTION
This office action is in response to the correspondence filed on 01/03/2019. Claims 1-20 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite two users accessing data from different systems; determine if their expected entitlements of the data access match the actual access entitlement, and present the results of the determination on a display.
The limitation of determining the users’ expected entitlements of the data access match the actual access entitlement, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting by “one or more processor,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “one or more processor” language, “determine” in the context of this claim encompasses the user manually determining users’ expected entitlements of the data access match the actual access entitlement. If a 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a processor to provide the determining step and present the results of the determination on a display. The processor in this step is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of ranking information based on a determined amount of use) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the reporting steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 
Regarding claims 1-20, specifically independent claims 1, 13, and 20, it is unclear if the limitation reciting “an expected set of access entitlements associate with the fifth data” is a part of “a status of a third user of a third system” in the previous limitation about the second server. Additionally, the limitation reciting “matches the actual access entitlement to the third user for the third system”, it is unclear if the “actual access entitlement” refers to the first server data accesses or the second server data accesses.
Appropriate correction is required.

 

Allowable Subject Matter
Claims 1-19 contain allowable subject matter but remain rejected under 101 and 112 rejections. Claim 20 contain allowable subject matter but remain rejected under 112 rejection.
The following is an examiner’s statement of reasons for allowance:
Rice et al. (US Pub. No 2019/0230088 A1) discloses a system for dynamic role-based evaluation of access and permissions. While Rice discloses compiling a compliance database comprising the plurality of access permissions and compliance criteria associated with each access permission, when the system receives a user request for accessing an outlier access permission, the system determines whether the user meets the compliance criteria of that outlier access permission before authorizing the outlier access permission, it fails to disclose a first server obtaining different data defining access entitlements of two users with multiple data accesses to two different systems; a second server obtaining a fifth data relating to a status of a third user of a third system from a third server, wherein the third user is one of the two users and the third system is one of the two systems, determining if an expected set of access entitlements associated with the fifth data matches the actual access entitlement of the third user for the third system as described in the claims.
Barcelo et al. (US Pub. No. 2011/0307957 A1) discloses a method for managing and monitoring continuous improvement in detection of compliance violations. While Barcelo discloses collecting data associated with an identity account including compliance data, determining risk factors for the identity account based on the collected data, calculating a risk score of the identity account based on the determined risk factors, it fails to disclose a first server obtaining different data defining access entitlements of two users with multiple data accesses to two different systems; a second server obtaining a fifth data relating to a status of a third user of a third system from a third server, wherein the third user is one of the two users and the third system is one of the two systems, determining if an expected set of access entitlements associated with the fifth data matches the actual access entitlement of the third user for the third system as described in the claims.
Chari et al. (NPL - Chari, Suresh, et al. "Ensuring continuous compliance through reconciling policy with usage." Proceedings of the 18th ACM symposium on Access control models and technologies. 2013.) discloses ensuring continuous compliance through reconciling policy with usage. While Chari discloses comparing user groups defined in a policy with roles generated from the actual usage patterns and ensuring continuous compliance to see if the enforced security policy and the resulting usage is consistent with a common intended security goal, it fails to disclose a first server obtaining different data defining access entitlements of two users with multiple data accesses to two different systems; a second server obtaining a fifth data relating to a status of a third user of a third system from a third server, wherein the third user is one of the two users and the third system is one of the two systems, determining if an expected set of access entitlements associated with the fifth data matches the actual access entitlement of the third user for the third system as described in the claims.
Therefore, the pending claims are allowable as the prior art of record does not disclose all the features including a first server obtaining different data defining access entitlements of two users with multiple data accesses to two different systems; a second server obtaining a fifth data relating to a status of a third user of a third system from a third server, wherein the third user is one of the two users and the third system is one of the two systems, determining if an expected set of access entitlements associated with the fifth data matches the actual access entitlement of the third user for the third system as described in the claims; nor would it have been obvious to one of ordinary skill in the art to further modify the prior art to include all of the deficient features, as set forth in the allowable claims. 



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/KA SHAN CHOY/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435