DETAILED ACTION
This is a final Office action in response to communications received on 2/08/2021.   Claims 1, 7-8, 17 and 20-22 were amended.  New claims 23-24 were added.  No new claims were cancelled or withdrawn.  Claims 1-17 and 20-24 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Arguments
Applicant’s amendments, filed 2/08/2021, to claims 20-22 amending the claims to indicate that they depend from a method, rather than a system, claim are sufficient to overcome the objection to the aforementioned claims by properly identifying the parent claim.  Accordingly, the objection to claims 20-22 is withdrawn.
Applicant’s amendments, filed 2/08/2021, to claim 8 adding memory is sufficient to overcome the rejection of the aforementioned claims under 101 for being directed to software per se.  Accordingly, the rejection of claims 8-17 under 101 is withdrawn.
Applicant’s amendments, filed 2/08/2021, to claims 7 and 17 removing the claim term “optional” is sufficient to overcome the rejection of the aforementioned claims under 112, second paragraph, for containing indefinite language.  Accordingly, the rejection under 112, second paragraph, of claims 7 and 17 is withdrawn.
Applicant’s arguments regarding the rejection of the claims under 103 have been considered but found unpersuasive.
Applicant argues on page 12 of the Remarks, filed 2/08/2021, that Jain is silent “with regard to the role and the permissions that are mapped to the user corresponding 
Applicant further argues on page 12 of the Remarks that Jain fails to teach the limitations because the word “authentication” and “authenticate” do not appear in Jain, however the Examiner respectfully disagrees.  Examiners are to give claims their 
Applicant further argues on page 13 of the Remarks that Yaskin fails to teach the amended claim limitations because Yaskin is silent as to “the second service being further configured to utilize the user permissions and the authentication of the first service through role creation and mapping”, however the Examiner respectfully disagrees.  Yaskin teaches LDAP system utilizes security roles with user permissions, where the roles are created through mapping (i.e. through role creation and mapping), and performs authentication/validation of user permissions for accessing search results (i.e. authentication of the first service) in order to determine what specific information users may access based on the created roles and permissions (paras. [0030], [0038], [0042], [0055], [0068], [0070]).  Consequently, Yaskin teaches the limitations for which it is cited.
The remaining arguments fail to comply with 37 C.F.R. 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Consequently, the rejection of the claims under 35 U.S.C. 103 is sustained.
In addition, Applicant’s remaining arguments filed 2/08/2021, with respect to the rejection of claims 1-17 and 20-24 under 35 USC § 103(a) have been fully considered but are moot because newly added claim limitations requiring “the role and the permissions that are mapped to the user corresponding to user permissions in the first service, resulting in a single location for the user permissions and authentication at the first service, wherein the second service is further configured to utilize the user permissions and the authentication of the first service through role creation and mapping" require new grounds of rejection necessitated by amendments.

Objections
Claims 1 and 8 are objected to for the following informalities: it is unclear from the claims and Specification what is meant by the following claim language “the role and the permissions that are mapped to the user corresponding to user permissions in the first service, resulting in a single location for the user permissions”.  Specifically, it is unclear if this language is meant to disclose that the user permissions are stored in a single location or that by mapping the role and user permissions together, the permissions can be identified through accessing the roles.  Are the user permissions physically stored in the one language or are they just grouped together and accessed together in a single manner?  This claim language is taken straight from Applicant’s Specification (para. [0047]), but the paragraph from which it is obtained does not clarify what is meant by the language.  In addition, the claims do not provide further clarification.  Appropriate clarification/correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
Claims 1-5, 8-9, 11-15 and 20-24 are rejected under 35 U.S.C. 103 as being unpatentable over Jain (US 2013/0326588) in view of Yaskin (US 2010/0198804).
Regarding claim 1, Jain discloses the limitations substantially as follows:
A method, comprising:
establishing a plurality of roles for a first service (paras. [0002]-[0004], [0025], [0027]: administrator sets parameters to define roles for different job functions (i.e. for a first service)); 
mapping a role of the plurality of roles to a user based on information that is indicative of the user within the second service (paras. [0003]-[0004], [0027]-[0028], [0031], [0039]-[0040]: mapping a role from multiple roles to a user based on originating host device and user ID indicating user’s attributes within the LDAP system (i.e. within the second service)), the role and the permissions that are mapped to the user corresponding to user permissions in the first service, resulting in a single location for the user permissions and authentication at the first service, to utilize the user permissions and the authentication of the first service through role creation and mapping (paras. [0002]-[0004], [0027]-[0028], [0031], [0034], [0039]-[0042]: the roles and the permissions that are mapped to a user correspond to permissions for the different job functions (i.e. first service), so that users acquire permissions through the user’s roles (i.e. single location for user permissions) and use the permissions to validate user’s requesting access for the different job functions (i.e. at the first service), such that the permissions for the role are transmitted in the form of credentials to the user (i.e. utilizing the permissions) and the credentials of the role for accessing the different job functions are validated/authenticated (i.e. authentication of the first service) through mapping the role to the user and generating the permissions)); and
assigning the role to the user (paras. [0003], [0004], [0027], [0031], [0039]-[0040]: assigning roles to users)). 
Jain does not explicitly disclose the remaining limitations of claim 1 as follows:
mapping a role of the plurality of roles to a user based on metadata of the user received from a second service, the metadata being indicative of permissions granted to the user within the second service;
wherein the second service is further configured to utilize the user permissions through role creation and mapping
However, in the same field of endeavor Yaskin discloses the remaining limitations of claim 1 as follows:
establishing a plurality of roles for a first service (paras. [0026], [0030], [0041], [0047], [0070]: establishing security roles defining permissions for searching/crawling (i.e. first service));
authentication at the first service (paras. [0026], [0030], [0035], [0038], [0040]-0041], [0049]: authenticating user attempts to access searching services (i.e. first service));
mapping a role of the plurality of roles to a user based on metadata of the user received from a second service, the metadata being indicative of permissions granted to the user within the second service (Yaskin, paras. [0038], [0042], [0055], [0068], [0070]: mapping a globalized security role 830 to users from security roles 430a and 430b based on ACL metadata of the user, the metadata including permissions of the user stored in the LDAP system (i.e. within the second service));
wherein the second service is further configured to utilize the user permissions and authentication through role creation and mapping (paras. [0030], [0038], [0042], [0055], [0068], [0070]: LDAP system (i.e. second service) utilizes security roles with user permissions, where the roles are created through mapping (i.e. through role creation and mapping), and performs authentication/validation of user permissions for accessing search results (i.e. authentication of the first service) in order to determine what specific information users may access based on the created roles and permissions);
Jain and Yaskin are combinable because both are from the same field of providing security in LDAP systems.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s method of mapping roles based on metadata indicative of user permission for searching with the system of 

	Regarding claim 2, Jain and Yaskin disclose the limitations of claim 1.
Jain and Yaskin discloses the limitations of claim 2 as follows:
The method according to claim 1, wherein the first service comprises a search engine service (Yaskin, paras. [0037]-[0038], [0055]: user is requesting access to a search engine service (i.e. first service) and the metadata used to determine the role of the user is obtained from the LDAP system and data silos (i.e. directory service) and the second service comprises a directory service (Jain, paras. [0019]-[0021], [0027]-[0028]: lightweight directory access protocol server services).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s first search service with the system of Jain in order to enable mapping of roles to users for search services and restricting of search results obtained by users based on roles mapped for search services.  

Regarding claim 21, Jain and Yaskin disclose the limitations of claims 1 and 2.
Jain discloses the limitations of claim 21 as follows:
The method  (Jain, paras. [0030], [0034]: LDAP directory stores user attributes and permissions) (see also Yaskin, paras. [0037]-[0038], [0055], [0070]: LDAP system stores user information from the global identity management system 375).

Regarding claim 3, Jain and Yaskin disclose the limitations of claim 1.
Jain and Yaskin disclose the limitations of claim 3 as follows:
The method according to claim 1, wherein the mapping of the role (Jain, paras. [0027], [0033]: mapping roles) is defined by a domain-specific language having parameters that match with one or more of the permissions granted to the user from the second service (Yaskin, paras. [0037]-[0038], [0042], [0044], [0051], [0055], [0070]: roles are defined by HTML (i.e. domain-specific language) documents/entities for which the user has matching permissions permitted by the LDAP system).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s method of defining roles based on matching permissions for HTML documents/entities with the system of Jain in order to enable tailoring role definitions to include permissions matching those granted to a user for the specific service of searching.

Regarding claim 4, Jain and Yaskin disclose the limitations of claims 1 and 3.
Jain discloses the limitations of claim 4 as follows:
The method according to claim 3, further comprising creating a role-mapping expression for each of the plurality of roles, the role-mapping expression comprising: 
a field rule that defines one or more field and value pairs (Jain, paras. [0027], [0028], [0033]: role LDAP user data object includes attributes including field and value pairs) (see also Yaskin, paras. [0041]-[0042], [0044]: role expressions include access control list (ACL) defining data access permissions with one or more entity fields for an entity and pairs of names and sources (i.e. field/value pairs)); and 
a user field that is indicative of a distinguished name of the user or any group to which the user belongs (Jain, paras. [0028]-[0030]: attributes further include an AuthID attribute variable that stores an identifier uniquely identifying the user and a Name attribute that uniquely identifies the name of the user) (see also Yaskin, paras. [0041]-[0042]: user security role identifying user workgroup and security role of user).

Regarding claim 5, Jain and Yaskin disclose the limitations of claim 1.
Jain discloses the limitations of claim 5 as follows:
The method according to claim 1, further comprising receiving an access request for the first service from a computing device associated with the user, prior to the step of assigning (Jain, paras. [0026]-[0027]: access request for the accessing a resource is received from a computing device of the user prior to assigning the role).

Regarding claim 20, Jain and Yaskin disclose the limitations of claim 1.
Jain and Yaskin disclose the limitations of claim 20 as follows:
The method  (Jain, paras. [0020], [0025], [0027]: mapping of roles in the mapping module is based on policies set up and enforced in the DSA+ and correlation modules) based on the metadata received (Yaskin, paras. [0042], [0044], [0052]-[0053], [0055], [0068]-[0070]: matching roles to users based on matching metadata received).
The same motivation to combine utilized in claim 1 is equally applicable in the instant claim. 

Regarding claim 22, Jain and Yaskin disclose the limitations of claim 1.
Yaskin discloses the limitations of claim 22 as follows:
The method  (paras. [0008]-[0009], [0068]-[0070], [0074]: new/updated security role is assigned to user after the user submits a search request to a search engine).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s method of assigning roles when the user is requesting performance of a search with the system of Jain order to enable mapping of roles to be tailored based upon permissions of a user for obtaining search services.

	Regarding claim 8, Jain discloses the limitations substantially as follows:A system, comprising: 
a role mapping service comprising a processor and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method 
establish roles for a first service(paras. [0002]-[0004], [0025], [0027]: administrator sets parameters to define roles for different job functions (i.e. for a first service)), 
map one or more roles to the user based on data of the user received from a second service (paras. [0003]-[0004], [0027]-[0028], [0031], [0039]-[0040]: mapping a role from multiple roles to a user based on originating host device and user ID indicating user’s attributes within the LDAP system (i.e. within the second service)) the role and the permissions that are mapped to the user corresponding to user permissions in the first service, resulting in a single location for the user permissions and authentication at the first service, to utilize the user permissions and the authentication of the first service through role creation and mapping (paras. [0002]-[0004], [0027]-[0028], [0031], [0034], [0039]-[0042]: the roles and the permissions that are mapped to a user correspond to permissions for the different job functions (i.e. first service), so that users acquire permissions through the user’s roles (i.e. single location for user permissions) and use the permissions to validate user’s requesting access for the different job functions (i.e. at the first service), such that the permissions for the role are transmitted in the form of credentials to the user (i.e. utilizing the permissions) and the credentials of the role for accessing the different job functions are validated/authenticated (i.e. authentication of the first service) through mapping the role to the user and generating the permissions)); and 
assign the one or more roles to the user (paras. [0003], [0004], [0027], [0031], [0039]-[0040]: assigning roles to users)).
Jain does not explicitly disclose the remaining limitations of claim 8 as follows:
the roles defining permissions granted to a user for the first service;
map one or more roles to the user based on metadata of the user received from a second service, the metadata being indicative of permissions granted to the user by the second service
wherein the second service is further configured to utilize the user permissions through role creation and mapping
However, in the same field of endeavor Yaskin discloses the remaining limitations of claim 8 as follows:
the roles defining permissions granted to a user for the first service (paras. [0026], [0030], [0047], [0068]: security roles including permissions for searching/crawling (i.e. first service));
authentication at the first service (paras. [0026], [0030], [0035], [0038], [0040]-0041], [0049]: authenticating user attempts to access searching services (i.e. first service));
map one or more roles to the user based on metadata of the user received from a second service, the metadata being indicative of permissions granted to the user by the second service (paras. [0038], [0042], [0055], [0068], [0070]: mapping a globalized security role 830 to users from security roles 430a and 430b based on ACL metadata of the user, the metadata including permissions of the user stored in the LDAP system (i.e. within the second service))
wherein the second service is further configured to utilize the user permissions and authentication through role creation and mapping (paras. [0030], [0038], [0042], [0055], [0068], [0070]: LDAP system utilizes security roles with user permissions, where the roles are created through mapping (i.e. through role creation and mapping), and performs authentication/validation of user permissions for accessing search results (i.e. authentication of the first service) in order to determine what specific information users may access based on the created roles and permissions);
Jain and Yaskin are combinable because both are from the same field of providing security in LDAP systems.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s method of mapping roles based on metadata indicative of user permission for searching with the system of Jain in order to enable tailoring user roles to permissions of users for obtaining search results.  

Regarding claim 9, Jain and Yaskin disclose the limitations of claim 8.
Jain discloses the limitations of claim 9 as follows:
The system according to claim 8, wherein the role mapping service is distinct from and communicatively coupled to the first service and the second service (paras. [0002]-[004], [0021], [0023], [0027]: role mapping module is distinct from and communicatively coupled to the LDAP server and the first and second originating host devices for performing the different LDAP/job functions (i.e. first service and second service)).

Regarding claim 11, Jain and Yaskin disclose the limitations of claim 8.
Yaskin discloses the limitations of claim 11 as follows:
The system according to claim 8, wherein the metadata from the second service further comprises information that is indicative of the user within the second service (Yaskin, paras. [0038], [0042], [0055], [0068], [0070]: mapping a globalized security role 830 to users from security roles 430a and 430b based on ACL metadata of the user, the metadata including permissions of the user stored in the LDAP system (i.e. within the second service)).
The same motivation to combine utilized in claim 8 is equally applicable in the instant claim.

Regarding claim 12, Jain and Yaskin disclose the limitations of claim 8.
Jain and Yaskin disclose the limitations of claim 12 as follows:
The system according to claim 8, wherein the first service comprises a search engine service (Yaskin, paras. [0037]-[0038], [0055]: user is requesting access to a search engine service (i.e. first service) and the metadata used to determine the role of the user is obtained from the LDAP system and data silos (i.e. directory service) and the second service comprises a directory service of a network protocol layer (Jain, paras. [0019]-[0021], [0027]-[0028]: lightweight directory access protocol server services).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s first search service with the system of Jain in order to enable mapping of roles to users for search services and restricting of search results obtained by users based on roles mapped for search services.  

Regarding claim 13, Jain and Yaskin disclose the limitations of claim 8.
Jain and Yaskin disclose the limitations of claim 13 as follows:
The system according to claim 8, wherein the role mapping service (Jain, paras. [0027], [0033]: mapping roles) employs a domain-specific language having parameters that matched with one or more of the permissions granted to the user from the second service(Yaskin, paras. [0037]-[0038], [0042], [0044], [0051], [0055], [0070]: roles are defined by HTML (i.e. domain-specific language) documents/entities for which the user has matching permissions permitted by the LDAP system).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Yaskin’s method of defining roles based on matching permissions for HTML documents/entities with the system of Jain in order to enable tailoring role definitions to include permissions matching those granted to a user for the specific service of searching.


Jain discloses the limitations of claim 14 as follows:
The system according to claim 13, wherein the role mapping service creates a role-mapping expression for each of the roles, the role-mapping expression comprising any one or more of the following: 
a field rule that defines one or more field and value pairs (Jain, paras. [0027], [0028], [0033]: role LDAP user data object includes attributes including field and value pairs) (see also Yaskin, paras. [0041]-[0042], [0044]: role expressions include access control list (ACL) defining data access permissions with one or more entity fields for an entity and pairs of names and sources (i.e. field/value pairs)); 
or a user field that is indicative of a distinguished name of the user or any group to which the user belongs (Jain, paras. [0028]-[0030]: attributes further include an AuthID attribute variable that stores an identifier uniquely identifying the user and a Name attribute that uniquely identifies the name of the user) (see also Yaskin, paras. [0041]-[0042]: user security role identifying user workgroup and security role of user), 
or other information that is indicative of an individual or user.

Regarding claim 15, Jain and Yaskin disclose the limitations of claim 8.
Jain discloses the limitations of claim 15 as follows:
The system according to claim 8, wherein the role mapping service is further configured to receive an access request for the first service from a computing device associated with the user, prior to role assignment (Jain, paras. [0026]-[0027]: access request for the accessing a resource is received from a computing device of the user prior to assigning the role).

Regarding claim 23, Jain and Yaskin disclose the limitations of claim 8.
Jain discloses the limitations of claim 23 as follows:
The system according to claim 8, wherein the role service mapping is performed by a server (paras. [0002]-[0004], paras. [0019]-[0020], [0023], [0027]: a mapping module of a Directory service Agent Plus (DSA+) of a Lightweight Directory Access Protocol Server (i.e. server) maps the roles onto the users).

Regarding claim 24, Jain and Yaskin disclose the limitations of claim 8.
Jain discloses the limitations of claim 24 as follows:
The system according to claim 8, wherein the role service mapping is performed by a cloud-based service (paras. [0002]-[0004], paras. [0019]-[0020], [0023], [0027]: a mapping module of a Directory service Agent Plus (cloud-based service)) of a Lightweight Directory Access Protocol Server maps the roles onto the users).


Claims 6-7, 10 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Jain (US 2013/0326588) in view of Yaskin (US 2010/0198804), as applied to claims 1 and 8, further in view of Allen (US 2017/0134434).
Regarding claim 6, Jain and Yaskin disclose the limitations of claim 1.

The method according to claim 1, further comprising generating a mapping request comprising (Jain, paras. [0025]-[0027]: in response to receiving access request, sending information from correlation module to mapping module in order to receive mapping of role of user):
Neither Jain or Yaskin discloses the remaining limitations of claim 6 as follows:
a designation if a mapping is enabled or disabled;  
a list of the plurality of roles granted to users that match role-mapping rules; and 
rules that determine the users matched by the role-mapping rules.
However, in the same field of endeavor Allen discloses the remaining limitations of claim 6 as follows:
a designation if a mapping is enabled or disabled (paras. [0025], [0066]: indicating that mapping to the role is automatically enabled if the probably is one or the mapping is not enabled/disabled if the probability is zero);  
a list of the plurality of roles granted to users that match role-mapping rules (paras. [0025], [0066]: plurality of roles granted to user that match role-mapping rules); and 
rules that determine the users matched by the role-mapping rules (paras. [0025], [0066]: rules that determine whether a user matches a role mapping rule).
Allen is combinable with Jain and Yaskin because all three are from the same field of endeavor of securely enforcing roles in order to restrict access to a LDAP directory 

Regarding claim 7, Jain, Yaskin and Allen disclose the limitations of claims 1 and 6.
Allen discloses the limitations of claim 7 as follows:
The method according to claim 6, wherein the mapping request further comprises  (Allen, paras. [0022]-[0025], [0027], [0041], [0044]: role assigner executes instructions requesting to obtain/retrieve (i.e. mapping request) user metadata and permission information (i.e. optional metadata) in order to define roles to be assigned to user).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Allen’s method of using metadata to define roles for users in order to enable creation of roles for users with permissions that require “different and/or specialized access” while avoiding the creation of an “extremely complex system with a combinatorial explosion of roles and user-role associations” (Allen, para. [0020]). 

Regarding claim 10, Jain and Yaskin disclose the limitations of claim 8.
Allen discloses the limitations of claim 10 as follows:
The system according to claim 8, wherein the role mapping service is configured to function as an application programming interface between the first service and the second service, the role mapping service providing role mapping and assignment of the roles to users (paras. [0025], [0027], [0034], [0037]-[0038]: role mapping by the role assigner occurs through use of an application programming interface operating between performing initiating of the user connection (i.e. first service) and accessing existing permission repository (i.e. second service), wherein the role assigner maps roles and assigns roles to users) (see also Yaskin, paras. [0058], [0068]-[0070]: role assigning/mapping occurs within a connector framework that defines Application programming interfaces for connecting the directory data silos (i.e. second service) with the search system (i.e. first service))
Allen is combinable with Jain and Yaskin because all three are from the same field of endeavor of securely enforcing roles in order to restrict access to a LDAP directory system.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Allen’s method of having the role mapping service function as an application programming interface between the first and second service with the system of Jain and Yaskin in order to enable updating information for the first service based upon retrieving information from the second service while simultaneously performing the process of role mapping.

Regarding claim 16, Jain and Yaskin disclose the limitations of claim 8.
Jain discloses the limitations of claim 16 as follows:
The system according to claim 8, wherein the role mapping service is further configured to receive a mapping request (Jain, paras. [0025]-[0027]: in response to receiving access request, sending information from correlation module to mapping module in order to receive mapping of role of user) comprising: 
Neither Jain or Yaskin discloses the remaining limitations of claim 16 as follows:
a designation if a mapping is enabled or disabled; 
a list of the roles granted to users that match role-mapping rules; and 
rules that determine the users matched by the role-mapping rules
However, in the same field of endeavor Allen discloses the remaining limitations of claim 16 as follows:
a designation if a mapping is enabled or disabled(paras. [0025], [0066]: indicating that mapping to the role is automatically enabled if the probably is one or the mapping is not enabled/disabled if the probability is zero); 
a list of the roles granted to users that match role-mapping rules (paras. [0025], [0066]: plurality of roles granted to user that match role-mapping rules); and 
rules that determine the users matched by the role-mapping rules (paras. [0025], [0066]: rules that determine whether a user matches a role mapping rule).
Allen is combinable with Jain and Yaskin because all three are from the same field of endeavor of securely enforcing roles in order to restrict access to a LDAP directory system.  It would have been obvious to one of ordinary skill before the effective filing 

Regarding claim 17, Jain, Yaskin and Allen disclose the limitations of claim 8.
Allen discloses the limitations of claim 17 as follows:
The system according to claim 16, wherein the mapping request further comprises (Allen, paras. [0022]-[0025], [0027], [0041], [0044]: role assigner executes instructions requesting to obtain/retrieve (i.e. mapping request) user metadata and permission information (i.e. optional metadata) in order to define roles to be assigned to user).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Allen’s method of using metadata to define roles for users in order to enable creation of roles for users with permissions that require “different and/or specialized access” while avoiding the creation of an “extremely complex system with a combinatorial explosion of roles and user-role associations” (Allen, para. [0020]). 

Conclusion
For the above-stated reasons, claims 1-17 and 20-24 are rejected.
Prior art considered but not relied upon includes:

2) Ture (US 2007/0208714) – receiving a search query from a user and restricting search results sent in response to the query based a list of roles/groups to which the user belongs and security attributes appended to the search query including the name of the user, grant and deny tags and a list of roles.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438