DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-4, 7-11, 14 and 15 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Amit Singhal on 2/16/21.

The application has been amended as follows: 
1. (Currently Amended) A processor-executable method of identifying over-privileged access in a computing system, the method comprising:
	receiving configuration information for the computing system, the configuration information including information on roles that can be assumed by a computing resource or service of the computing system;
	selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity;
	determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity based on the configuration information;
select a new role assumable by the identified one or more computing resource or service to access an additional resource or service based on the access privileges for the selected identity or the configuration information associated with the identified one or more computing resource or service, or (b) modify the determined at least one role to access an additional resource or service based on the access privileges for the selected identity or the configuration information associated with the identified one or more computing resource or service, or both (a) and (b); 
	simulating access granted to the selected identity by the selected new role or the modified role to identify over-privileged access for the selected identity; and
	in a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, providing notification of the identified over-privileged access to the computing system.

2. (Original) The method according to claim 1, wherein the computing system is a cloud computing system.

3. (Currently Amended) The method according to claim 1, wherein the configuration information further includes 

4. (Original) The method according to claim 1, wherein the identity includes a role, a user, or a group.

5. (Canceled) 

6. (Canceled) 

7. (Currently Amended) The method according to claim 1, wherein the notification includes information on the new role assumable by the identified one or more computing resource or service, or the additional resource or service  the identified over-privileged access

8. (Currently Amended) An identity and access management system that identifies over-privileged access in a computing system, the identity and access management system comprising:
	at least one memory configured to store instructions; and
	at least one processor communicatively connected to the at least one memory and configured to execute the stored instructions to:
		receive configuration information for the computing system, the configuration information including information on roles that can be assumed by a computing resource or service of the computing system;
		select an identity that can access the computing system and determine access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity;
		determine at least one role assumable by the identified one or more computing resource or service accessible to the selected identity based on the configuration information;
		determine whether the identified one or more computing resource or service accessible to the selected identity can select a new role assumable by the identified one or more computing resource or service to access an additional resource or service based on the access privileges for the selected identity or configuration information associated with the identified one or more computing resource or service, or (b) modify the determined at least one role to access an additional resource or service based on the access privileges for the selected identity or configuration information associated with the identified one or more computing resource or service, or both (a) and (b);
		simulate access granted to the selected identity by the selected new role or the modified role to identify over-privileged access for the selected identity; and
		in a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, provide notification of the identified over-privileged access to the computing system.
	
9. (Original) The system according to claim 8, wherein the computing system is a cloud computing system.

10. (Currently Amended) The system according to claim 8, wherein the configuration information further includes 

11. (Original) The system according to claim 8, wherein the identity includes a role, a user, or a group.

12. (Canceled) 

13. (Canceled) 

 the identified over-privileged access

15. (Currently Amended) A non-transitory computer readable storage medium storing a program executable by a processor to perform a method of identifying over-privileged access in a computing system, the method comprising:
	receiving configuration information for the computing system, the configuration information including information on roles that can be assumed by a computing resource or service of the computing system;
	selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity;
	determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity based on the configuration information;
	determining whether the identified one or more computing resource or service accessible to the selected identity can select a new role assumable by the identified one or more computing resource or service to access an additional resource or service based on the access privileges for the selected identity or the configuration information associated with the identified one or more computing resource or service, or (b) modify the determined at least one role to access an additional resource or service based on the access privileges for the selected identity or the configuration information associated with the identified one or more computing resource or service, or both (a) and (b); 
	simulating access granted to the selected identity by the selected new role or the modified role to identify over-privileged access for the selected identity; and
	in a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, providing notification of the identified over-privileged access to the computing system.
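The steps recited in independent claims 1, 8 and 15, as an added illustration that is not part of the office action or of the applicant's disclosure: a constructed configuration records which roles each resource or service can assume and which resources each role grants, a breadth-first simulation follows branch (a) (a reachable resource selecting a new assumable role) to find additional resources, and the returned findings map stands in for the notification. All identity, role and resource names are hypothetical, and branch (b), modifying an existing role, is not modelled.

```python
from collections import deque

# Constructed configuration (hypothetical names, not from the application):
# which roles each resource/service can assume, which resources each role
# grants, and which roles each identity holds directly.
CONFIG = {
    "assumable_roles": {"web-vm": ["app-role"], "build-svc": ["deploy-role"]},
    "role_grants": {
        "reader-role": ["web-vm"],
        "app-role": ["build-svc"],
        "deploy-role": ["secrets-store"],
        "audit-role": ["logs"],
    },
    "identity_roles": {"alice": ["reader-role"], "auditor": ["audit-role"]},
}


def direct_access(identity, cfg):
    """Resources/services the identity reaches through the roles it holds itself."""
    grants = cfg["role_grants"]
    return {r for role in cfg["identity_roles"][identity] for r in grants.get(role, [])}


def simulate(identity, cfg):
    """Simulate branch (a) of the claim: from each reachable resource, assume every
    role that resource may assume and collect the additional resources it opens.
    Returns (direct, escalated, paths); paths records the assumption chain."""
    direct = direct_access(identity, cfg)
    reachable, paths = set(direct), {r: [r] for r in direct}
    frontier = deque(direct)
    while frontier:  # breadth-first walk over resource -> assumed role -> resource
        res = frontier.popleft()
        for role in cfg["assumable_roles"].get(res, []):
            for extra in cfg["role_grants"].get(role, []):
                if extra not in reachable:
                    reachable.add(extra)
                    paths[extra] = paths[res] + ["assume:" + role, extra]
                    frontier.append(extra)
    return direct, reachable - direct, paths


def find_over_privileged(cfg):
    """Notification payload: identity -> {escalated resource: chain that reaches it}."""
    findings = {}
    for identity in cfg["identity_roles"]:
        _, escalated, paths = simulate(identity, cfg)
        if escalated:  # the identity's resources can elevate beyond its direct grants
            findings[identity] = {r: paths[r] for r in sorted(escalated)}
    return findings


if __name__ == "__main__":
    for ident, chains in find_over_privileged(CONFIG).items():
        for res, chain in chains.items():
            print(f"{ident}: over-privileged reach to {res} via {' -> '.join(chain)}")
```

In the constructed configuration only `alice` is flagged: her read access to `web-vm` lets that VM assume `app-role` and then `deploy-role`, which reaches `secrets-store`, while `auditor` has no escalation path.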
Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Russinovich et al. U.S. Pub. No. 20130298128 discloses a method of determining whether execution rights to a process can be escalated based on roles of the processes.
Pistoia et al. U.S. Pub. No. 20120198557 discloses determining vulnerability of computer software applications to privilege-escalation attacks.
The prior art of record does not explicitly disclose the specific steps recited in the independent claims to identify and simulate over-privileged access for a selected identity based on configuration information.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Smith et al. U.S. Pub. No. 20160248809 discloses a method to process data based on automatically detecting a security environment.
Deninno et al. U.S. Pub. No. 20180248889 discloses a method for role-based computer security configuration.
Roth et al. U.S. Pat. No. 10880283 discloses techniques for remote access to a computing resource service provider.
Naldurg et al. U.S. Pub. No. 20080104665 discloses analyzing access control configurations.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789.  The examiner can normally be reached on Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-

/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431