DETAILED ACTION
This office action is in response to communications filed on 6 January 2021 and 12 February 2021.

Claims 1 – 3, 5 – 13, and 15 – 20 are presented for examination.

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12 February 2021 has been entered.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Amendment
In the response filed 6 January 2021 and 12 February 2021, Applicant amended claims 1, 11, and 20.  Claims 4 and 14 are cancelled.

Amendments to claims 1, 11, and 20 are insufficient to overcome the 35 USC § 101 rejection.  Therefore, the 35 USC § 101 rejection of claims 1 – 3, 5 – 13, and 15 – 20 is maintained.


Response to Arguments
Applicant's arguments filed 6 January 2021 have been fully considered but they are not persuasive. 

In the remarks regarding the 35 U.S.C. 101 rejection, Applicant argues that claims are not directed to abstract ideas without significantly more.  Examiner respectfully disagrees. While it is appreciated by the Examiner that Example 37 integrates the claim as a whole into a practical application and makes an improvement, it is unclear how that equates to Applicant’s claims.  The manner of performing an abstract idea without any specific technology involved does not convey evidence that there is an improvement to the technology as argued.  Applicant may believe that there is an improvement over existing methods to assign entitlements, but that would apply only to a prior art rejection argument and the test for Alice determinations of subject matter eligibility is not “an improved way” to perform an abstract step.  None of these steps require a special computer, or any computer at all for that matter.  The additional elements of processors, database, and user device are not necessary to perform the claimed functionality, and are only tangentially claimed to simply automate otherwise abstract functions.  They are not critical to functionally accomplish the steps claimed.  

In the remarks regarding independent claims 1, 11, and 20, Applicant argues that Chari and Molloy do not disclose constraints and penalty strength based on job responsibilities data and role data matrix.  Examiner respectfully disagrees.  Applicant’s claims now require that there is a constraint with a penalty against roles that share entitlements such that the penalty strength (or multiplier) is based on the job responsibility and role data matrix. This only means that a constraint of job responsibility data is increased based on that same data along with role data.  Molloy certainly teaches this in section 2.2.2, which describes the Disjoint Decomposition Model.  Because in this model described by Molloy only one user can be assigned to a single business role and a permission is assigned to a single technical role, that means that the constraining of a single user to a single role is using both types of data, so it is based on them as Applicant requires.  Further, Molloy’s requirement that a single user be constrained to a single role necessitates that the highest strength penalizes a one-to-one matching, which is explicitly stated in this section where it notes that the model penalizes to automatically select the number of roles to be one to one with users.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 3, 5 – 13, and 15 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the judicial exception of abstract ideas without significantly more. The independent claims recite receiving entitlement data mapping to users, receiving job responsibility data mapping to users, generating role data and reduced entitlement data by applying non-negative matrix factorization which maps job responsibilities to roles and roles to entitlements while constraining with a penalty against roles sharing entitlements, applying a mining algorithm to role data and reduced entitlement data to generate an RBAC policy, and assigning entitlements to users based on various factors.  Dependent claims further narrow the abstract ideas.  Making associations between users and their roles and entitlement/job responsibilities is managing interactions between people, which is a certain method of organizing human activity.  Applying a role mining algorithm is a mathematical concept, specifically performing a calculation.  These groupings are defined as an abstract idea in Section I of the 2019 Revised Patent Subject Matter Eligibility Guidance published in the Federal Register (84 FR 50) on January 7, 2019.  This judicial exception is not integrated into a practical application because the claims are directed to abstract ideas with additional generic computer elements such as processors and a database. Generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claimed processors and database merely automate the mappings and calculations that would otherwise be abstract in the claims.
Performing repetitive calculations in the manner that Applicant’s claims utilize this computer technology is a well-understood, routine, and conventional use of computer components as recognized by court decisions in MPEP § 2106.05(d) (Flook, 437 U.S. at 594, 198 USPQ2d at 199 (recomputing or readjusting alarm limit values); Bancorp Services v. Sun Life, 687 F.3d 1266, 1278, 103 USPQ2d 1425, 1433 (Fed. Cir. 2012) ("The computer required by some of Bancorp’s claims is employed only for its most basic function, the performance of repetitive calculations, and as such does not impose meaningful limits on the scope of those claims.")).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1 – 3, 5 – 13, and 15 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. P.G. Pub. 2012/0246098 (hereinafter, Chari) in view of Molloy et al., “Mining Roles with Noisy Data,” published June 2010 as non-patent literature (hereinafter, Molloy).

Regarding claim 1, Chari teaches a method for automatically assigning entitlements to users of an enterprise computer system, the method comprising:
receiving, by one or more processors, entitlement data that maps a plurality of users to a plurality of entitlements, wherein the entitlement data is represented by a matrix (¶ 48, “In another embodiment, the role decompositions obtained using the present techniques will tie the role decompositions causally to users' attributes. This is a very natural way of performing and reasoning with role decompositions and leads to access control policies which are easy to administer. While such a decomposition is not always possible, for example when similar users are assigned vastly different roles, these are viewed as exceptions.”) (¶ 63, “The outputs of methodology 100 are matrices UR and RP representing the binary role-to-user and permission-to-role assignments.”) (Note: permission to role is entitlement matrix);
receiving, by the one or more processors, job responsibilities data that maps the plurality of users to a plurality of job responsibilities, wherein the job responsibilities data is represented by a matrix (¶ 63, “The outputs of methodology 100 are matrices UR and RP representing the binary role-to-user and permission-to-role assignments.”) (¶ 65, “In step 112, the user-to-role UR and role-to-permission RP mappings are updated to try to improve the fit of these matrices with the given permission data in UP.”) (Note: user to role is job responsibility).
Chari does not explicitly teach utilizing non-negative matrix factorization to determine mappings of permissions to roles and those roles to job responsibilities, but does at least teach determining mappings of permissions to roles and roles to job responsibilities (¶ 63, “The outputs of methodology 100 are matrices UR and RP representing the binary role-to-user and permission-to-role assignments.”) (¶ 65, “In step 112, the user-to-role UR and role-to-permission RP mappings are updated to try to improve the fit of these matrices with the given permission data in UP.”).  However, in the analogous art of role mining, Molloy teaches generating, by the one or more processors, a role data matrix and reduced entitlement data matrix by applying non-negative matrix factorization (NMF) to the entitlement data and the job responsibilities data, wherein the role data matrix maps the plurality of job responsibilities to a plurality of roles, the reduced entitlement data matrix maps the plurality of roles to the plurality of entitlements, and the applying of the NMF includes using rows of the job responsibilities data as a constraint and imposing a penalty against roles that share entitlements such that a strength of the penalty is based on at least the job responsibilities data and the role matrix data (Section 2.1.2, “Non-Negative Matrix Factorization: The singular value-decomposition makes it difficult to interpret the A and B matrices, especially in the context of RBAC. Instead, we can constrain them to be non-negative, resulting in non-negative matrix factorization (NMF) [9]. To contrast models with negative assignments, NMF can be viewed as learning a decomposition as a sum of parts. This is more consistent with RBAC, which lacks negative assignments and a user’s set of assigned permissions is the disjunction of the permissions of their authorized roles”) (“2.2.2 Disjoint Decomposition Model Another approach is Frank, Basin and Buhmann’s disjoint decomposition model (DDM). In DDM, each user is assigned to a single business role, and each permission is assigned to a single functional or technical role. A two-layer role hierarchy connects business roles to technical roles, authorizing permissions to users. This is similar to the enterprise RBAC (ERBAC) model with the constraint that each user and each permission is assigned to only a single role. Frank et al. use what is called the infinite relational model (IRM) [6] to cluster users into user groups and permissions into permission groups. One disadvantage of DDM stems from the constraints placed on the user and permission assignment relations and is best explained in the context of mining clean data. DDM restricts each user to be assigned to a single business role; all users assigned to the same business role must have exactly the same set of permissions, and there must exist a business role for each unique user. This requires the creation of a large number of roles, something the IRM model penalizes to automatically select the number of roles”).
Chari further teaches:
applying, by the one or more processors, a mining algorithm to the role data matrix and the reduced entitlement data matrix to generate a role-based access control policy (¶ 36, “The role mining problem is now described. Role-based access control (RBAC) is an attractive and widely used model in enterprise security and identity management products. RBAC offers a conceptually simple way to tie entitlements to business function, reduces the number of relations to be managed and makes administration simpler.”) (¶ 48, “Role mining with attribution also enables predictive modeling of roles and permissions, since similar users, e.g., users having the same attributes, have the same roles and permissions. Techniques are built to predict roles and permissions for new users based only on their attributes. Prior work has only considered the problem of extending partially known permissions. The term "user attributes," as used herein refers to a key-value pair mapping a finite set of keys, i.e., attribute names or types, to a value for the user. The key-value pairs will map from an attribute name, such as a string, to a value represented as a string, number, or other type, for example, work location, department, whether he/she is a manager, etc.”) (¶ 57, “Role mining with attribution can be used for predictive modeling, namely, given a new user and the user's attributes, the presented techniques can be used to identify a probability distribution over the roles. In most cases, the probabilistic assignments produced by the generative machine learning models yield probabilistic assignments of roles where there is a sharp drop off in probability after a few roles. An administrator can use this as decision support in identifying the roles and hence permissions for a new user.”); 
assigning, by the one or more processors, entitlements to the plurality of users based on at least a minimization of risk to the enterprise computer system, and a weighted sum of a difference between the entitlements in the entitlement data and the role-based access control policy (¶ 5, “To calculate the fitness of the data, called the risk, requires model evaluation for all cluster sets, which is exponential and must be constrained.”) (¶ 71, “In step 116, the new user is assigned one or more roles based on the roles assigned to users with similar attributes. To assign new users to roles, a new role distribution from users to roles is required. This distribution is generated from the permissions assigned to the new users, past permission usage, and attributes (if known) for the user, and the learned model from prior users.”) (¶ 67, “The simplest measure is the Hamming distance between the actual user permission assignment UP, and the product of the current user-to-role and role-to-permission mappings. Another option considered is to have more weighting for over assignments, i.e., when assignments end up with a user having more permissions than specified in UP.”) (¶ 52, “the quality of the decomposition as measured by stability (i.e., how much the decomposition changes based on small changes in input), coverage (i.e., how well does the decomposition match the given permissions) and generality (i.e., how well does the decomposition cover new users and permissions)”).
It would have been obvious to one having ordinary skill in the art prior to the effective filing date to combine the factorization technique of Molloy with the determination of permissions/entitlements through mining user roles of Chari.  Chari mentions the Molloy reference in several places as performing steps prior to the disclosed steps of Chari, and it would generally be beneficial to combine these to utilize the linear algebra technique of Molloy to perform the general end determination of user permission assignment of Chari as a design preference.  

Regarding claim 2, Chari and Molloy teach the method of claim 1. Chari teaches comprising: generating, from the role data matrix and the reduced entitlement data matrix, binary role data and binary reduced entitlement data using a predetermined relevance parameter and a predetermined coverage parameter, wherein determining the one or more entitlements for the user comprises using the received job responsibility data, the binary role data, and binary reduced entitlement data (¶ 80, “Explicit Attribution with Author Topic Model: For role mining with explicit attribution, the Author-Topic model is used which extends the models of LDA. It is assumed that, besides the user-permission data, a list of attribute values for each user is also given. The goal is to find a role decomposition which is correlated with the attributes of the user. The translation of this problem to ATM is again straightforward: As before, the words are the individual permissions, the documents are the users (permissions assigned to the users). In addition, the authors are the attributes of the individual users.”).

Regarding claim 3, Chari and Molloy teach the method of claim 1. Chari teaches comprising: determining one or more roles for the user using the received job responsibility data and the role data matrix (¶ 90, “when apparatus 1300 is configured to implement one or more of the steps of methodology 100 the machine-readable medium may contain a program configured to use at least one generative machine learning technique to obtain a collection K of k roles, a probability distribution θ for user-to-role assignments and a probability distribution β for role-to-permission assignments; and use the probability distribution θ for user-to-role assignments and the probability distribution β for role-to-permission assignments to produce a final set of roles, including user-to-role assignments and role-to-permission assignments.”).

Regarding claim 5, Chari and Molloy teach the method of claim 1. Chari teaches wherein the entitlement data comprises a first binary matrix and the job responsibilities data comprises a second binary matrix (¶ 63, “The outputs of methodology 100 are matrices UR and RP representing the binary role-to-user and permission-to-role assignments.”).

Regarding claim 6, Chari and Molloy teach the method of claim 1. Chari teaches comprising performing a matrix multiplication of a matrix representing the entitlement data and a matrix representing the job responsibilities data, wherein the non-negative matrix factorization (NMF) is applied to a result of the matrix multiplication (¶ 67, “The simplest measure is the Hamming distance between the actual user permission assignment UP, and the product of the current user-to-role and role-to-permission mappings.”).  As taught in claim 1, Molloy teaches the use of non-negative matrix factorization and could be applied to any additional calculations as desired.  It would have been obvious to one having ordinary skill in the art prior to the effective filing date to combine the factorization technique of Molloy with the determination of permissions/entitlements through mining user roles of Chari.  Chari mentions the Molloy reference in several places as performing steps prior to the disclosed steps of Chari, and it would generally be beneficial to combine these to utilize the linear algebra technique of Molloy to perform the general end determination of user permission assignment of Chari as a design preference.

Regarding claim 7, Chari and Molloy teach the method of claim 1. Chari teaches wherein the plurality of job responsibilities comprises at least one of: a job family, a job level, a department, a reporting hierarchy, an organization, a supervisor name, a team name, or a team type (¶ 39, “There are many optimizations used in the literature, such as reducing the number of roles or linear combination of the number of assignments such that p and A represent the same level of access.”).

Regarding claim 8, Chari and Molloy teach the method of claim 1. Chari teaches wherein receiving job responsibility data for the user comprises receiving job responsibility data for a user having no prior entitlements within the enterprise computer system (¶ 15, “The present role decomposition method can causally associate the role assignments to business and other attributes of the user, such as department, location, whether he or she is a manager etc. Such assignments which are associated strongly with user attributes can be used for predictive modeling of permission assignment, i.e., a new user's attributes can be used to predict the permissions to be assigned to the new user.”).

Regarding claim 9, Chari and Molloy teach the method of claim 1. Chari teaches wherein the one or more entitlements comprise access rights to at least one of: a compute resource, a data source, or a source code repository (¶ 2, “The present invention relates to role based access control models, and more particularly to, generative models, i.e., models that can explain observations of usage of access control permissions and are causally tied to user attributes, and to the use of such models to the problem of prediction of permission assignment and provisioning.”) (¶ 72, “The public data sets are from the HP Labs data set where two data sets are being considered: Firewall which is a firewall policy and APJ which is a Cisco firewall policy used to provide external users access to HP resources.”).

Regarding claim 10, Chari and Molloy teach the method of claim 1. Chari teaches comprising: receiving, from the user device, a request to update entitlements for the user; receiving updated binary role data and updated binary reduced entitlement data; and determining one or more updated entitlements for the user using the updated binary role data and the updated binary reduced entitlement data (¶ 65, “the user-to-role UR and role-to-permission RP mappings are updated to try to improve the fit of these matrices with the given permission data in UP.”).

Regarding claims 11 and 20, the claims recite substantially similar limitations to claim 1.  Therefore, claims 11 and 20 are similarly rejected for the reasons set forth above with respect to claim 1.

Regarding claim 12, the claim recites substantially similar limitations to claim 2.  Therefore, claim 12 is similarly rejected for the reasons set forth above with respect to claim 2.

Regarding claim 13, the claim recites substantially similar limitations to claim 3.  Therefore, claim 13 is similarly rejected for the reasons set forth above with respect to claim 3.

Regarding claim 15, the claim recites substantially similar limitations to claim 5.  Therefore, claim 15 is similarly rejected for the reasons set forth above with respect to claim 5.

Regarding claim 16, the claim recites substantially similar limitations to claim 8.  Therefore, claim 16 is similarly rejected for the reasons set forth above with respect to claim 8.

Regarding claim 17, the claim recites substantially similar limitations to claim 9.  Therefore, claim 17 is similarly rejected for the reasons set forth above with respect to claim 9.

Regarding claim 18, the claim recites substantially similar limitations to claim 6.  Therefore, claim 18 is similarly rejected for the reasons set forth above with respect to claim 6.

Regarding claim 19, Chari and Molloy teach the method of claim 11. Chari teaches wherein applying non-negative matrix factorization (NMF) comprises performing an iterative numerical method using an objective function that relies on one or more approximation-orthogonality parameters (¶ 66, “In each iteration, keeping all other assignments the same, it is determined whether adding the role (permission) with the next highest probability or removing the lowest probability role (permission) assigned leads to a closer fit with the observed permission data. At the end of the iteration, the matrices URi and RPi are simultaneously updated with the recorded (beneficial) changes which results in a better fit with the given permission data in UP.”).  Molloy teaches that NMF is used that uses approximation-orthogonality parameters (as defined in Applicant’s specification) (section 2.1.3, “We can further constrain A and B to be boolean matrices, allowing us to directly interpret the results in the context of RBAC. Binary non-orthogonal matrix decomposition [7] decomposes a matrix X by successive rank-one decompositions X = abT where a and b are binary vectors that minimize the Hamming distance. That is, it finds a single role that most closely approximates the remaining uncovered user-permission relation.”).  As taught in claim 11, Molloy teaches the use of non-negative matrix factorization and could be applied to any additional calculations as desired.  It would have been obvious to one having ordinary skill in the art prior to the effective filing date to combine the factorization technique of Molloy with the determination of permissions/entitlements through mining user roles of Chari.  Chari mentions the Molloy reference in several places as performing steps prior to the disclosed steps of Chari, and it would generally be beneficial to combine these to utilize the linear algebra technique of Molloy to perform the general end determination of user permission assignment of Chari as a design preference.
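As an added illustration, not code from the application, Chari or Molloy, the following Python sketch runs the pipeline the rejections above walk through on constructed data: the UJᵀ·UP product of claim 6, an iterative NMF with a penalty on roles that share entitlements (claims 1 and 19), binarization by relevance/coverage thresholds as one assumed reading of claim 2, and the over-assignment-weighted Hamming distance of Chari ¶ 67. The matrices, thresholds, penalty form and default parameter values are constructed assumptions, not values from the record.

```python
"""Toy NMF role mining in the shape of the rejected claims (constructed example data)."""
import random

# Constructed entitlement data (claim 1): 6 users x 5 entitlements. User 1 holds one extra
# entitlement its peers lack; user 5 has two job responsibilities.
UP = [[1, 1, 0, 0, 0], [1, 1, 1, 0, 0], [0, 0, 1, 1, 0],
      [0, 0, 1, 1, 0], [0, 0, 0, 0, 1], [1, 1, 0, 0, 1]]
# Constructed job responsibilities data (claim 1): 6 users x 3 job responsibilities.
UJ = [[1, 0, 0], [1, 0, 0], [0, 1, 0], [0, 1, 0], [0, 0, 1], [1, 0, 1]]


def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def sharing_penalty(H):
    """Sum of <H[r], H[s]> over distinct role pairs: zero iff no entitlement is shared."""
    return sum(sum(a * b for a, b in zip(H[r], H[s]))
               for r in range(len(H)) for s in range(len(H)) if r != s)

def objective(X, W, H, lam):
    """Squared reconstruction error of X ~= W @ H plus lam times the sharing penalty."""
    R = matmul(W, H)
    fit = sum((x - r) ** 2 for xr, rr in zip(X, R) for x, r in zip(xr, rr))
    return fit + lam * sharing_penalty(H)

def nmf_with_sharing_penalty(X, k, lam, iters=300, seed=0):
    """Factor X (jobs x entitlements) into non-negative W (jobs x roles: role data matrix) and
    H (roles x entitlements: reduced entitlement matrix) by Lee-Seung multiplicative updates.
    The penalty gradient lam * sum_{s != r} H[s][e] joins H's denominator, so a larger lam
    drives roles toward disjoint entitlement sets (the claimed penalty on shared entitlements)."""
    rng = random.Random(seed)
    m, n = len(X), len(X[0])
    W = [[rng.random() + 0.1 for _ in range(k)] for _ in range(m)]
    H = [[rng.random() + 0.1 for _ in range(n)] for _ in range(k)]
    for _ in range(iters):
        Wt = transpose(W)
        num, den = matmul(Wt, X), matmul(matmul(Wt, W), H)
        colsum = [sum(H[r][e] for r in range(k)) for e in range(n)]  # old H, simultaneous update
        for r in range(k):
            for e in range(n):
                pen = lam * (colsum[e] - H[r][e])  # weight other roles put on entitlement e
                H[r][e] *= num[r][e] / (den[r][e] + pen + 1e-12)
        Ht = transpose(H)
        num, den = matmul(X, Ht), matmul(W, matmul(H, Ht))
        for j in range(m):
            for r in range(k):
                W[j][r] *= num[j][r] / (den[j][r] + 1e-12)
    return W, H

def binarize_rows(M, fraction):
    """Assumed reading of claim 2's relevance/coverage parameters: keep an entry that reaches
    the given fraction of its row maximum (NMF factors are only defined up to scale)."""
    return [[1 if v >= fraction * max(row) > 0 else 0 for v in row] for row in M]

def policy_entitlements(UJ, Wb, Hb):
    """A user reaches roles through job responsibilities (UJ @ Wb) and roles grant entitlements
    (Hb); the user's entitlements are the union over its roles (Molloy 2.1.2)."""
    return [[1 if v > 0 else 0 for v in row] for row in matmul(matmul(UJ, Wb), Hb)]

def weighted_hamming(UP, UPhat, over_weight=2.0):
    """Hamming distance between the entitlement data and the policy's reconstruction, with
    over-assignments (policy grants what UP lacks) weighted more, as Chari par. 67 describes."""
    return sum(over_weight if m > a else float(a > m)
               for ar, mr in zip(UP, UPhat) for a, m in zip(ar, mr))

def mine_roles(UJ, UP, k=3, lam=0.5, relevance=0.5, coverage=0.5):
    """Claim 6 ordering: form the jobs x entitlements matrix UJ^T @ UP, then factor it."""
    X = matmul(transpose(UJ), UP)
    W, H = nmf_with_sharing_penalty(X, k, lam)
    Wb, Hb = binarize_rows(W, relevance), binarize_rows(H, coverage)
    UPhat = policy_entitlements(UJ, Wb, Hb)
    return {"X": X, "W": W, "H": H, "role_data": Wb, "reduced_entitlements": Hb,
            "policy": UPhat, "cost": weighted_hamming(UP, UPhat)}

if __name__ == "__main__":
    res = mine_roles(UJ, UP)
    print("role data:", res["role_data"], "\nreduced entitlements:", res["reduced_entitlements"])
    print("weighted Hamming cost of mined policy vs. UP:", res["cost"])
```

Raising `lam` toward the DDM end of Molloy's spectrum empties shared entitlements out of all but one role, at the price of a higher reconstruction cost on noisy rows such as user 1.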


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMANDA GURSKI whose telephone number is (571)270-5961.  The examiner can normally be reached on Monday to Thursday 8am to 6pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Gart can be reached on 571-272-3955.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/AMANDA GURSKI/Primary Examiner, Art Unit 3623