DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application No. 16/212/963 filed on 12/07/2018.
Claims 1-20 have been examined and are pending in this application. 
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 12/07/2018, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1-2, 4-7, 10-11, 13-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lanner et al. (US 10,162,619; Hereinafter “Lanner”) in view of Sullivan (US 2019/0294613).
Regarding claim 1, Lanner teaches a method for enforcing authorization controls for an approved software change on a target system, the method comprising: 
validating that a user is authorized to perform a set of actions (Lanner: Col. 11, Lines 44-58, As used herein, the term "privileged user" refers to a user (e.g., a user account) who has been granted the privilege to access portions of the catalog and/or functionalities of the package management service 110 to which access is restricted. For example, a set of users who are entrusted to determine the security of software packages may be named as privileged users with respect to the global catalog in order to test software packages and add those packages to private catalogs. The privilege may be granted using an identity and access management (IAM) role that is honored by a package management service associated with the global catalog. [privileged user validated via identity and access management role]); 
monitoring the set of actions performed by the validated user to determine whether the set of actions conform to an approved process for the approved software change on the target system (Lanner: Col. 14, Lines 40-67, As shown in 720, the privileged user may be permitted to test one or more software packages in the global catalog. The privileged user may browse or search the global catalog, e.g., for newly released and untested software packages. The privileged user may select any of the software packages and deploy them in a test environment. In one embodiment, the privileged user may create, select, and/or modify a package set of multiple software packages for testing purposes. The test environment may include a set of computing devices that may be isolated from other systems and networks (e.g., a production environment that actually interacts with customers or clients of an organization). Testing the software packages may include executing them in the test environment and monitoring the execution and/or the results of the execution. The testing may be performed prior to approving the deployment of the package set to a fleet in a production environment. Based on the monitoring and/or results, the privileged user may approve any of the software packages that are tested in this manner. Approval of a software package may be recorded in the catalog 150 based on user input. Col. 15, Lines 1-12); 
(Lanner: Col. 15, Lines 13-34, The blacklist may indicate explicit exclusion of one or more software packages in the private catalog. The rules may represent other criteria for inclusion and may be overridden by a whitelist and/or blacklist, if any. For example, a particular rule may be evaluated using pattern-matching techniques to cause inclusion of new software updates to operating system software released by a particular publisher. Software packages may be added to one or more private catalogs based on user input by a privileged user that specifically identifies the package(s) and the private catalog(s) or instead based on automatic and programmatic evaluation of the whitelist and/or rules. For example, when a software package is newly approved for deployment, then the whitelists, blacklists, and rules (if any) for existing private catalogs may be evaluated relative to the newly approved package.); 
Lanner does not explicitly teach responsive to detecting the deviation from the approved process, sending an alert regarding the deviation.  
In an analogous art, Sullivan, teaches a system and method wherein responsive to detecting the deviation from the approved process, sending an alert regarding the deviation (Sullivan: Fig. 23A-23B, Para. [0164], Alert services 316 of Cloud Controller 302 are generated to indicate a status change in a cloud application in the development and deployment process. Alerts generated by Alert services 316 are associated with Auto-Audit rules. Alerts are classified as "INFO," "WARN," "ERROR," and "FATAL" alerts.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sullivan with the system and method of Lanner to include wherein responsive to detecting the deviation from the approved process, sending an alert regarding the deviation because this functionality provides for transmitting alert notifications to an authorized user when approved changes do not conform to approved audit rules thereby providing a governance framework for control of processing logic and data in a cloud (Sullivan: Para. [0028]). 
Regarding claim 2, Lanner, in combination with Sullivan, teaches the method of claim 1 further comprising: responsive to detecting the deviation from the approved (Sullivan: Fig. 23A-23B, Para. [0164], Alert services 316 of Cloud Controller 302 are generated to indicate a status change in a cloud application in the development and deployment process. Alerts generated by Alert services 316 are associated with Auto-Audit rules. Alerts are classified as "INFO," "WARN," "ERROR," and "FATAL" alerts. [Alert classified as “WARN” meets the sending a warning limitation]).
Regarding claim 4, Lanner, in combination with Sullivan, teaches the method of claim 1, wherein the user is validated using a plurality of conditions that includes at least one of a valid change control record identifier, a valid user identifier, a correct target system identifier, a valid source system identifier, and a valid software change timeframe within a change request ticket corresponding to the approved software change on the target system (Lanner: Col. 11, Lines 44-58, As used herein, the term "privileged user" refers to a user (e.g., a user account) who has been granted the privilege to access portions of the catalog and/or functionalities of the package management service 110 to which access is restricted. For example, a set of users who are entrusted to determine the security of software packages may be named as privileged users with respect to the global catalog in order to test software packages and add those packages to private catalogs. The privilege may be granted using an identity and access management (IAM) role that is honored by a package management service associated with the global catalog. [privileged user validated via identity and access management role that includes a valid user identifier]).
Regarding claim 5, Lanner, in combination with Sullivan, teaches the method of claim 1, wherein the set of actions is issuing one or more commands corresponding to the approved software change on the target system (Lanner: Col. 14, Lines 40-67, As shown in 720, the privileged user may be permitted to test one or more software packages in the global catalog. The privileged user may browse or search the global catalog, e.g., for newly released and untested software packages. The privileged user may select any of the software packages and deploy them in a test environment. In one embodiment, the privileged user may create, select, and/or modify a package set of multiple software packages for testing purposes. The test environment may include a set of computing devices that may be isolated from other systems and networks (e.g., a production environment that actually interacts with customers or clients of an organization). Testing the software packages may include executing them in the test environment and monitoring the execution and/or the results of the execution. The testing may be performed prior to approving the deployment of the package set to a fleet in a production environment.).
Regarding claim 6, Lanner, in combination with Sullivan, teaches the method of claim 1, wherein the approved process is an approved change control record that contains at least one of a list of tested change commands corresponding to the approved software change, a list of rollback commands, and a white list of commands (Lanner: Col. 12, Lines 42-67 to Col. 13, Lines 1-9, For example, a particular rule may be evaluated using pattern-matching techniques to cause inclusion of new software updates to operating system software released by a particular publisher. Software packages may be added to one or more private catalogs based on user input by the privileged user 500 that specifically identifies the package(s) and the private catalog(s) or instead based on automatic and programmatic evaluation of the whitelist and/or rules. For example, when a software package is newly approved for deployment, then the whitelists, blacklists, and rules (if any) for existing private catalogs may be evaluated relative to the newly approved package. As another example, when the membership of a private catalog is queried (e.g., using an appropriate API), then the whitelist, blacklist, and rules (if any) for the private catalog may be evaluated. The whitelist, blacklist, and/or rules for a private catalog may be created or modified by the privileged user 500 who has access to the global catalog 550.).
Regarding claim 7, Lanner, in combination with Sullivan, teaches the method of claim 1, wherein the alert is sent to a security information and event manager (Sullivan: Para. [0164], In the development of cloud applications, the developer of the cloud application and approvers (cloud managers) can view alerts associated with every change in a cloud application profile status. Para. [0165]).
Regarding claims 10-11, claims 10-11 are rejected under the same rational as claims 1-2, respectively. 
Regarding claim 13-14, claims 13-14 are rejected under the same rational as claims 4-5, respectively. 
Regarding claim 15-16, claims 15-16 are rejected under the same rational as claims 1-2, respectively. 
Regarding claim 18-20, claims 18-20 are rejected under the same rational as claims 4-6, respectively. 
Allowable Subject Matter
Regarding claims 3, 12, and 17, Claims 3, 12, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Regarding claim 8, Claim 8 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Regarding claim 9, Claim 9 is objected to as being dependent upon an objected claim 8, which depends upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437