Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 09/27/2019.
Claims 1-18 are under examination.
The Information Disclosure Statements filed on 09/27/2019 have been entered and considered.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Dharmarajan et al. (US 2013/0067538 A1) and Amies et al. (US 2009/0150981 A1).
Regarding claim 1, Dharmarajan et al. discloses a method to automate building and use of a dataset in a governance system having an organization entity-structured data model [abs, “Mechanisms are provided for facilitating recertification of a user access entitlement”, par. 0055, user role for accessing system resources within a computer system of the organization, par. 0082, “An analysis engine analyzes collected security information and event logs for the specified context and generates a recommendation as to whether to accept or deny the recertification of the user account”], comprising: receiving and storing in or in association with the data model additional data [par. 0046, “the identity and access management system further comprises mechanisms for monitoring and collecting security information and event logs (also referred to herein generally as "access information") of system resources… This information may then be input to an analytic engine of the identity and access management system to generate recertification context information and reports for specific user accounts subject to recertification operations”], the additional data describing a permission associated with a governance data object of the data model [par. 0048, “The recertification context information may be comprised of one or more sub-context views… ”, par. 0049, “The resource sub-context view may be comprised of various context information for describing the resource that is being accessed by the user access entitlement… If the resource is a software resource, such as an application, service, or the like, then the resource sub-context view information may specify what software resource it is (e.g., HR application or finance application, etc.) among other information that may be of benefit to the recertifier when determining whether to permit recertification”]; dynamically building a dataset of entitlements associated with a campaign, wherein the dataset is built at least in part using the [par. 0059, “the context analysis engine 436 retrieves the corresponding security information and event log information for the system resource(s) meeting the context criteria specified by the recertifier”]; and executing the campaign against the dataset [abs, “These mechanisms determine that recertification of the user access entitlement, with regard to the system resource, is to be performed and a pattern of access is determined based on the access information for the user access entitlement”, par. 0060, “the analysis may include comparing the security information and event log information for the current user account subject to the recertification request with corresponding security information and event log information for user accounts in the specified grouping(s) to generate a recommendation with regard to whether the recertifier should accept or deny recertification of the user account's access to the system resource(s)”].
Dharmarajan et al. does not explicitly disclose the governance system having an organization entity-structured data model.
However, Amies et al. teaches the governance system having an organization entity-structured data model [par. 0043, “This access entitlement framework may comprise an access entitlement entity model, a role based access control (RBAC) based model, a lifecycle model, an auditing and reporting model, and an administrative model. The access entitlement entity model is used to abstract the concept of access entitlement to one more aligned with a business perspective”, par. 0046, “user attributes specific to a organizational role and access entitlement to resources are supported via role assignment… Assignment of a user to an organizational role enables role-based provisioning of access entitlements to managed resources”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Amies et al. into the teaching of Dharmarajan et al. with the motivation to abstract the concept of access entitlement to one more aligned with a business perspective and to enable role-based provisioning of access entitlements to managed resources through assignment of a user to an organizational role, as taught by Amies et al. [Amies et al.: pars. 0043, 0046].
Regarding claim 2, the rejection of claim 1 is incorporated.
Dharmarajan et al. further discloses the governance data object is one of: an application properties data object, and an entitlement properties data object [par. 0049, “If the resource is a software resource, such as an application, service, or the like, then the resource sub-context view information may specify what software resource it is (e.g., HR application or finance application, etc.) among other information that may be of benefit to the recertifier when determining whether to permit recertification”].
Regarding claim 3, the rejection of claim 2 is incorporated.
Dharmarajan et al. further discloses the additional data is maintained as an extension of the governance data object [par. 0046, “the identity and access management system further comprises mechanisms for monitoring and collecting security information and event logs (also referred to herein generally as "access information") of system resources in servers, end systems (e.g., client computing devices, storage systems, or the like), and applications/services or other types of system resources. Such information may comprise, for example, for each system resource and for each user account, information regarding dates and times for login operations or usage of the system resource, numbers of login operations/usages of the system resource (or frequency of login operations or usage of the system resource), amount of time the user account is used to access the system resource, a last login date/time, and/or the like. Such information may be monitored and collected on a periodic or continuous basis from the various system resources for the various user accounts used to access the system resources. This information may then be input to an analytic engine of the identity and access management system to generate recertification context information and reports for specific user accounts subject to recertification operations”].
Regarding claim 4, the rejection of claim 2 is incorporated.
Dharmarajan et al. discloses the additional data is retrieved during building of the dataset [par. 0046, “Such information may be monitored and collected on a periodic or continuous basis from the various system resources for the various user accounts used to access the system resources”].
Dharmarajan et al. does not explicitly disclose the additional data is maintained externally to the governance data object.
However, Amies et al. teaches the additional data is maintained externally to the governance data object [see fig. 3, Corporate LDAP server 334 hosts identities for people working on the Athena project and is concerned with protecting access to the Athena project (i.e., maintained externally to the resource entitlement and application entitlement), par. 0038, “Existing account provisioning in an identity management system typically creates an account with a user ID (and often a password, etc.) within a repository, such as a Lightweight Directory Access Protocol (LDAP) data repository. This account provides a repository for an identity to be presented to some hardware platform or application”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Amies et al. into the teaching of Dharmarajan et al. with the motivation to abstract the concept of access entitlement to one more aligned with a business perspective and to enable role-based provisioning of access entitlements to managed resources through assignment of a user to an organizational role, as taught by Amies et al. [Amies et al.: pars. 0043, 0046].
Regarding claim 5, the rejection of claim 1 is incorporated.
Amies et al. further teaches updating the data model to include additional data objects [par. 0061, “When a new resource is installed in the IT environment, the new provisioned resource is configured within the identity management server with a service profile. This embodiment modifies the service profile to specify the attributes of the business application. By creating a service profile for the business application and provisioning the application as a service in the identity management system, the business application may be represented as a managed target in the identity management system”, par. 0062].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Amies et al. into the teaching of Dharmarajan et al. with the motivation to abstract the concept of access entitlement to one more aligned with a business perspective and to enable role-based provisioning of access entitlements to managed resources through assignment of a user to an organizational role, as taught by Amies et al. [Amies et al.: pars. 0043, 0046].
Regarding claim 6, the rejection of claim 1 is incorporated.
Dharmarajan et al. further discloses the campaign is a certification campaign that determines whether particular users continue to have access rights with respect to given resources in the organization [abs, “These mechanisms determine that recertification of the user access entitlement, with regard to the system resource, is to be performed and a pattern of access is determined based on the access information for the user access entitle”, par. 0082, “The corresponding user account database entries are then updated to reflect acceptance/denial of the recertification (step 700). Access to the system resource(s) is then controlled with regard to the user account based on the updated user account database entries (step 710).”].
Regarding claim 7, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 8, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 9, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 10, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 11, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20170093872 A1		AUTOMATICALLY PROVISIONING NEW ACCOUNTS ON MANAGED TARGETS BY PATTERN RECOGNITION OF EXISTING ACCOUNT ATTRIBUTES
US 20200322342 A1		Identity attribute confidence scoring while certifying authorization claims
US 20140075492 A1		Identity context-based access control
US 20090328132 A1		DYNAMIC ENTITLEMENT MANAGER
US 20190334912 A1		SYSTEM FOR USING A DISTRIBUTED LEDGER TO MANAGE USER ENTITLEMENTS TO COMPUTING RESOURCES
US 20190260752 A1		SYSTEM FOR CONTROLLING ACCESS TO A PLURALITY OF TARGET SYSTEMS AND APPLICATIONS
US 20190251274 A1		ACCESS CONTROL GOVERNANCE USING MAPPED VECTOR SPACES

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG, whose telephone number is (571) 270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/JASON CHIANG/Primary Examiner, Art Unit 2431