DETAILED ACTION
Status of Claims 
This Final Office Action is responsive to Applicant's reply filed July 22, 2021. 
Claims 1, 5-6, 11-13, 17, and 20 have been amended.
Claims 1-20 are currently pending and have been examined. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application claims priority of Provisional Application 62/735,892 filed on 9/25/2018. Applicant's claim for the benefit of this prior-filed application is acknowledged. 

Response to Arguments
Applicant’s amendments have been fully considered, but do not overcome the previously pending 35 USC 103 and 35 USC 101 rejections. 

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With regard to the limitations of claims 1-20, Applicant argues that the claims are patent eligible under 35 USC 101 because the pending claims are not directed toward an abstract idea. The Examiner respectfully disagrees. The Examiner has already set forth 
The Applicant argues that the claims recite an improvement in the field of information technology security. The Examiner respectfully disagrees. The Examiner has clearly pointed out the limitations directed towards the abstract idea, what the additional elements are and why they do not integrate the abstract idea into a practical application, and why the additional elements and remaining limitations do not amount to significantly more than the abstract idea. The Applicant does not point out what claim limitations amount to the improvement. The Examiner further asserts that the claims do not even recite security at all. Applicant’s arguments are not persuasive.
The Applicant argues that the claims integrate the abstract idea into a practical application, with reference to McRO. The Examiner respectfully disagrees. The Examiner has clearly pointed out the limitations directed towards the abstract idea, what the additional elements are and why they do not integrate the abstract idea into a practical application, and why the additional elements and remaining limitations do not amount to significantly more than the abstract idea. The Applicant does not point out what the additional elements are. The Examiner further asserts that assigning roles based on rules and historical data is directed towards the abstract idea of Organizing Human Activity (See PEG 2019), where assigning of a task to a human user further merely adds insignificant extra solution activity and merely adds the words apply it with the judicial exception (See PEG 2019 and MPEP 2106.05). The Examiner further notes that simply applying these known concepts to a specific technical environment (e.g. the computers/Internet as recited by Applicant’s specification Paragraphs 0063-0067 and 
The Applicant argues that the claims amount to significantly more than the abstract idea, with reference to Berkheimer and Trading Technologies. The Examiner respectfully disagrees. The Examiner has clearly pointed out the limitations directed towards the abstract idea, what the additional elements are and why they do not integrate the abstract idea into a practical application, and why the additional elements and remaining limitations do not amount to significantly more than the abstract idea. The Applicant merely copy and pastes the entire independent claims and states the claims are eligible without pointing out what the additional elements are. The Examiner has clearly cited the 2019 PEG and MPEP 2106.05 as the required support for the additional elements as 
With regard to the limitations of claims 1-20, Applicant argues that the claims are allowable over 35 USC 103 because the claim amendments overcome the current art rejection. The Examiner respectfully disagrees. Please see the updated rejection below since amendments by Applicant require additional reference to the Examiner’s art rejection.
Applicant further argues that the cited prior art does not disclose automatically generate based on the historical user actions a plurality of roles. The Examiner respectfully disagrees. The Examiner asserts that Kazachkov et al. teach automatically generate, based on the historical user actions and the rulesets, a plurality of roles (See Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”), where each user’s role is determined in the categorization and control policies are further determined for each different user. The Examiner asserts that each user’s role is determined based on the control rules of certain applications. The Examiner further points to at least Paragraph 0070 of Kazachkov et al., which states “collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, clearly disclosing how historical actions of the users from each PC are being used in the analysis. Applicant’s arguments are not persuasive. 
Applicant further argues that the cited prior art does not disclose assign, based on the historical user actions and the rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system. The Examiner respectfully disagrees. The Examiner asserts that Kazachkov et al. teach assign, based on the historical user actions and the rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system (See Figure 4, Abstract, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0079, and claim 1), where Paragraphs 0052 and 0059 clearly disclose how control policies are determined based on the user’s actions (past and present) and, once the control policies are set, roles are assigned to each account (e.g. each user). The Examiner further points to at least Paragraph 0070 of Kazachkov et al., which states “collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, clearly disclosing how historical actions of the users from each PC are being used in the analysis. Applicant’s arguments are not persuasive.
As an example, the Examiner points to Figures 3A-3B of Kazachkov et al., which show users’ actions performed on certain applications (new and existing) and the determination of a role to assign to users, as shown in the verdict column. 
Applicant further argues, regarding claim 2, that testing is not taught by the cited prior art. The Examiner respectfully disagrees. The Examiner asserts that Kazachkov et al. teach testing of the assigned roles in Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, where the assigned roles and rules are being tested. Applicant’s arguments are not persuasive.
Applicant further argues, regarding claims 3-6, that the recreation of a production environment is not taught by the cited prior art. The Examiner respectfully disagrees. The Examiner points to Paragraphs 0059 and 0070 of Kazachkov, which specifically disclose the testing of rules and role assignment, where those tests are done in a testing environment. Applicant’s arguments are not persuasive.
Regarding the arguments for claim 12, see above and Paragraphs 0059 and 0070 of Kazachkov. Applicant’s arguments are not persuasive.
Applicant further argues, regarding claim 10, that one or more activities that are historically used less than a predetermined number of times is not taught by the cited prior art. The Examiner respectfully disagrees. The Examiner asserts that Chari et al. teach one or more activities that are historically used less than a predetermined number of times in at least Paragraph 0061 – “detect and correct over-provisioning errors in a role-based access control policy by identifying anomalies and inconsistencies. An over-provisioning error may be, for example, assigning a number of permissions to a candidate role that exceeds a predefined threshold level, assigning a number of users to a candidate role that exceeds a predefined threshold level, or assigning mutually exclusive access permissions to a same candidate role”, where the number of permissions assigned to the candidate, if exceeding a threshold number (e.g. predetermined number of times), will be detected as an anomaly. The Examiner notes, by way of analogy, that if a user tries to log into an account a certain number of times without inputting the proper account name and password, the user may, for example, be locked out. Applicant’s arguments are not persuasive.
The Examiner further asserts that the claims do not recite specifics as to what benefits are provided by using the claimed features of claim 10; for example, the Applicant’s specification provides no details or examples of what an emergency repair role entails. It is unclear to the Examiner what the Applicant is arguing, and the argument is therefore considered addressed above.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter.  If the claim does 
In the instant case (Step 1), claims 13-19 are directed toward a process, claim 20 is directed toward a product, and claims 1-12 are directed toward a system; which are statutory categories of invention. Additionally (Step 2A Prong One), the independent claims are directed toward receive user activity data including identification of historical user actions of a plurality of users in an enterprise system; receive one or more separation of duty (SoD) rulesets; automatically generate, based on the historical user actions and the SoD rulesets, a plurality of roles; and assign, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system (Organizing Human Activity), which are considered to be abstract ideas (See PEG 2019 and MPEP 2106.05). The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are analyzing user activity data against SoD rulesets to determine roles that the users should perform and assigning the roles to the users based on the analysis, which is managing relationships and interactions. 
Step 2A Prong Two: In this application, even if not directed toward the abstract idea, the above “receive user activity data; receive one or more separation of duty (SoD) rulesets; and assign one or more of the plurality of generated roles to plurality of users of the enterprise system” steps/functions of the independent claims would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and merely adds the words to apply it with the judicial exception. Also, the claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05). 
In addition, dependent claims 2-12 and 14-19 further narrow the abstract idea and dependent claims 2-7, 9-11, 14-17, and 19 additionally recite “assign one or more of the plurality of generated roles to a plurality of test users; place the test users in the recreated 
The claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” are recited so generically (no details whatsoever are provided other than that they are general purpose computing components and regular office supplies) that they represent no more than mere instructions to apply the judicial exception on a computer. These 
Step 2B: When analyzing the additional element(s) and/or combination of elements in the claim(s) other than the abstract idea per se, the claim limitations amount to no more than: a general link of the use of an abstract idea to a particular technological environment, and merely amount to the application of, or instructions to apply, the abstract idea on a computer (See MPEP 2106.05 and PEG 2019). Further, method claims 13-19, system claims 1-12, and product claim 20 recite a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method; however, these elements merely facilitate the claimed functions at a high level of generality and they perform conventional functions and are considered to be general purpose computer components, which is supported by Applicant’s specification in Paragraphs 0063-0067 and Figure 5. The Applicant’s claimed additional elements are mere instructions to implement the abstract idea on a general purpose computer and generally link the use of an abstract idea to a particular technological environment. Also, the above “receive user activity data; receive one or 
In addition, claims 2-12 and 14-19 further narrow the abstract idea identified in the independent claims and present no additional elements that provide significantly more.  The Examiner notes that the dependent claims merely further define the data being analyzed and how the data is being analyzed. Similarly, claims 2-7, 9-11, 14-17, and 19 additionally recite “assign one or more of the plurality of generated roles to a plurality of test users; place the test users in the recreated production environment; provide access to one or more user devices; assign the one or more of the plurality of generated roles to the plurality of users; place the test users in the recreated production environment; retrieve subsequent user actions of the plurality of users; place the test users in the recreated production environment; receive legacy role definitions and legacy role assignments of the plurality of users of the enterprise system; store the legacy role definitions and legacy role assignments; assign the identified one or more activities; and assigning one or more actions to each of the plurality of roles” which do not account for additional elements that amount to significantly more than the abstract idea because 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and content of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 11-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kazachkov et al. (US 2015/0088800 A1) in view of Thompson et al. (US 7,712,127 B1).

Regarding Claims 1, 13, and 20: Kazachkov et al. teach a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to (See Figure 1, Figure 2, Figure 5, Paragraph 0008, claim 1, claim 11, and claim 20): 
receive user activity data including identification of historical user actions of a plurality of users in an enterprise system (See Figure 1, Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0070 – “collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraphs 0071-0074 – “information on the user accounts, information on the PCs where said user accounts are being used, information on the applications installed on these PCs, information on the categories of these applications”, claim 1, and claim 3 – “collecting user accounts for each computing device”); 
receive one or more rulesets (See Figure 4, Abstract, Paragraph 0008, Paragraph 0028, Paragraphs 0051-0053 – “generate a list of application control rules for each user account”, Paragraph 0057, Paragraph 0069 – “a new application control rule 210 is created and sent to the configuration system 200 for testing its operating accuracy”, claim 1 – “generating a new application control rule relating to a software application deployable on one or more computing devices in a network”); 
automatically generate, based on the historical user actions and the rulesets, a plurality of roles (See Figure 4, Paragraph 0010, Paragraph 0045, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”); 
and assign, based on the historical user actions and the rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system (See Figure 4, Abstract, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0079, and claim 1). 

Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error. 
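As an added illustration (not code from either cited patent or from the application under examination), the following Python models the combination the rejection describes: roles generated from historical user actions, a static SoD rule enforced when roles are assigned, and a dynamic SoD rule enforced when a user activates roles for a session, as in the Thompson et al. passage quoted above. All user names, action names and rules are constructed sample data.

```python
"""Separation of duty (SoD) over roles mined from historical user actions.

Static SoD rules are enforced when roles are generated and assigned;
dynamic SoD rules let a user hold conflicting roles but refuse to
activate them together in one session. All data below is constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample: historical actions of users in an enterprise system.
HISTORY: Dict[str, List[str]] = {
    "alice": ["create_vendor", "edit_vendor", "create_vendor"],
    "bob":   ["approve_invoice", "pay_invoice"],
    "carol": ["create_vendor", "approve_invoice"],
    "dave":  ["edit_vendor"],
    "erin":  ["create_vendor", "pay_invoice", "edit_vendor"],
}

# Constructed SoD ruleset: each entry names actions no single person may
# combine; "static" is checked at assignment, "dynamic" at session start.
SOD_RULES = [
    {"kind": "static",  "actions": frozenset({"create_vendor", "pay_invoice"})},
    {"kind": "dynamic", "actions": frozenset({"create_vendor", "approve_invoice"})},
]


def violates(actions: Set[str], rule: dict) -> bool:
    """True when a set of actions contains every action of an SoD rule."""
    return rule["actions"] <= actions


def split_for_sod(actions: Set[str], rules: list) -> List[FrozenSet[str]]:
    """Greedily partition an action set so no single part spans any SoD
    rule (static or dynamic); a role covering both sides would defeat both."""
    buckets: List[Set[str]] = []
    for action in sorted(actions):
        for bucket in buckets:
            if not any(violates(bucket | {action}, r) for r in rules):
                bucket.add(action)
                break
        else:
            buckets.append({action})
    return [frozenset(b) for b in buckets]


def generate_roles(history, rules) -> Dict[str, FrozenSet[str]]:
    """Role mining: every distinct set of historically used actions becomes
    a candidate role, split where it would span an SoD rule."""
    roles: Dict[str, FrozenSet[str]] = {}
    for actions in sorted({frozenset(a) for a in history.values()}, key=sorted):
        for part in split_for_sod(set(actions), rules):
            roles["role_" + "+".join(sorted(part))] = part
    return roles


def assign_roles(history, roles, rules) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Assign each user the largest generated roles their history covers,
    refusing any role that would make their combined permissions violate a
    static rule. Returns (assignments, rejected)."""
    static = [r for r in rules if r["kind"] == "static"]
    assignments, rejected = {}, {}
    by_size = sorted(roles.items(), key=lambda kv: -len(kv[1]))
    for user, acts in history.items():
        used, perms, held = set(acts), set(), []
        for name, ractions in by_size:
            if not ractions <= used or ractions <= perms:
                continue  # not justified by history, or already covered
            if any(violates(perms | ractions, r) for r in static):
                rejected.setdefault(user, []).append(name)
                continue
            held.append(name)
            perms |= ractions
        assignments[user] = held
    return assignments, rejected


def activate_session(user, requested, assignments, roles, rules) -> Tuple[bool, str]:
    """Dynamic SoD: a user may hold conflicting roles but cannot activate
    them together. Returns (allowed, reason)."""
    if not set(requested) <= set(assignments.get(user, [])):
        return False, "role not assigned to user"
    active = set().union(*(roles[r] for r in requested))
    for rule in rules:
        if rule["kind"] == "dynamic" and violates(active, rule):
            return False, "dynamic SoD conflict: " + ", ".join(sorted(rule["actions"]))
    return True, "session activated"


if __name__ == "__main__":
    roles = generate_roles(HISTORY, SOD_RULES)
    assigned, rejected = assign_roles(HISTORY, roles, SOD_RULES)
    print("roles:", {k: sorted(v) for k, v in roles.items()})
    print("assigned:", assigned, "rejected:", rejected)
    print(activate_session("carol", ["role_approve_invoice", "role_create_vendor"],
                           assigned, roles, SOD_RULES))
```

With the constructed data, erin's history covers both sides of the static rule, so the pay_invoice role is refused at assignment, while carol may hold both approve_invoice and create_vendor roles but cannot activate them in one session.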

Regarding Claims 2 and 14: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 1. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: assign, based on the user activity data and the rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and test the plurality of generated roles assigned to the plurality of test users (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0057, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0070, Paragraph 0075, Paragraph 0079, claim 1, and claim 4). 
Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.

Regarding Claims 3 and 15: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 2. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: recreate a production environment of the enterprise system; place the test users in the recreated production environment; and provide access to one or more user devices to control the test users in the recreated production environment (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0043 – “the administrator can create, modify and save the categorization rules in the database 140. The administrator may also create his own custom application categories”, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0053 – “the administrator may use control rule templates to create application control rules. These templates may be based at least on application categories that were previously generated”, Paragraph 0057, Paragraph 0059, Paragraph 0069, Paragraph 0070 – “perform the testing of the control rule 210, the testing module 250, in step 420, may collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraph 0075 – “the testing module 250 tests the new application control rule on the basis of the current information received”, Paragraph 0079, claim 1, and claim 4). 

Regarding Claims 4 and 16: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 3. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to assign the one or more of the plurality of generated roles to the plurality of users of the enterprise system by provisioning the tested plurality of generated roles from the test users to respective users of the plurality of users of the enterprise system (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0057 – “designed to test at least one new application control rule for the presence of conflicts with existing application control rules and then fine-tune (i.e., reconfigure) the tested application control rule in the event that at least one conflict or working inaccuracy is found”, Paragraph 0059, Paragraph 0070, Paragraph 0075, Paragraph 0079, Paragraph 0080 – “In step 480, a reconfiguration of the control rule 210 is done in accordance with the conflict identified. The reconfiguration can be, for example, a configuring the control rule 210 by means of adding the application that was blocked to the exclusions for the working of the given control rule 210”, claim 1, and claim 5). 

Regarding Claims 5 and 17: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 2. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: recreate a production environment of the enterprise system; place the test users in the recreated production environment; retrieve subsequent user actions of the plurality of users of the enterprise system in the production environment; and replay, with the corresponding test users in the recreated production environment, the subsequent user actions (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0038 – “collecting current information on at least every PC 150, on the applications 190 contained on each PC 150, and on the account records of the users making use of one or another PC 150”, Paragraph 0043, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0053, Paragraph 0057, Paragraph 0059 – “perform the testing of the application control rule 210 on the basis of current information at least on all PCs 150 and applications installed on at least one PC 150”, Paragraph 0069, Paragraph 0070 – “perform the testing of the control rule 210, the testing module 250, in step 420, may collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraph 0075 – “the testing module 250 tests the new application control rule on the basis of the current information received”, Paragraph 0079, claim 1, and claim 4). 

Regarding Claim 6: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 2. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: recreate a production environment of the enterprise system; place the test users in the recreated production environment; and replay, with the corresponding test users in the recreated production environment, the historical user actions of the plurality of users (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0038 – “collecting current information on at least every PC 150, on the applications 190 contained on each PC 150, and on the account records of the users making use of one or another PC 150”, Paragraph 0043, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0053, Paragraph 0057, Paragraph 0059 – “perform the testing of the application control rule 210 on the basis of current information at least on all PCs 150 and applications installed on at least one PC 150”, Paragraph 0069, Paragraph 0070 – “perform the testing of the control rule 210, the testing module 250, in step 420, may collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraph 0075 – “the testing module 250 tests the new application control rule on the basis of the current information received”, Paragraph 0079, claim 1, and claim 4). 

Regarding Claim 11: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 1. Kazachkov et al. further teach wherein automatically generating the plurality of roles includes: naming a plurality of roles; and assigning, based on the user activity data and the rulesets, one or more actions to each of the plurality of roles (See Figure 4, Paragraph 0010, Paragraph 0045, Paragraphs 0051-0053 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0069, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”). 
Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.

Regarding Claim 12: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 11. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to test the assigned one or more of the plurality of generated roles by: identifying subsequent collecting current information on at least every PC 150, on the applications 190 contained on each PC 150, and on the account records of the users making use of one or another PC 150”, Paragraph 0043, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0053, Paragraph 0057 – “designed to test at least one new application control rule for the presence of conflicts with existing application control rules and then fine-tune (i.e., reconfigure) the tested application control rule in the event that at least one conflict or working inaccuracy is found”, Paragraph 0059 – “perform the testing of the application control rule 210 on the basis of current information at least on all PCs 150 and applications installed on at least one PC 150”, Paragraph 0069, Paragraph 0070 – “perform the testing of the control rule 210, the testing module 250, in step 420, may collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraph 0075 – “the testing module 250 tests the new application control rule on the basis of the current information received”, Paragraph 0079, Paragraph 0080 – “In step 480, a reconfiguration of the control rule 210 is done in accordance with the conflict identified. The reconfiguration can be, for example, a configuring the control rule 210 by means of adding the application that was blocked to the exclusions for the working of the given control rule 210”, claim 1, and claim 5). 

Regarding Claim 18: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 13. Kazachkov et al. further teach wherein automatically generating the plurality of roles includes transforming the user activity data and the rulesets into the plurality of roles (See Figure 4, Paragraph 0010, Paragraph 0045, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”).
Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore it .

Claims 7-8, 10, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kazachkov et al. (US 2015/0088800 A1) in view of Thompson et al. (US 7,712,127 B1) and further in view of Chari et al. (US 2014/0196103 A1).

Regarding Claim 7: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 1. Kazachkov et al. further teach wherein the computer program code includes algorithms configured to analyze the user activity data and the rulesets and generate the plurality of roles (See Figure 4, Paragraph 0010, Paragraph 0045, Paragraphs 0051-0053 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059, Paragraph 0069, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”). 
Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets or machine learning algorithms. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.
Kazachkov et al. in view of Thompson et al. do not specifically disclose machine learning algorithms. However, Chari et al. further teach machine-learning algorithms (See Figure 4 – “404, 406, 408, 410”, Figure 5, Figures 6A-6B, Figures 7A-7B, Paragraph 0015 – “role-based access control policy generated by a machine learning application”, Paragraph 0039, Paragraph 0061 – “use machine learning techniques … detect and correct over-provisioning errors in a role-based access control policy by identifying anomalies and inconsistencies. An over-provisioning error may be, for example, assigning a number of permissions to a candidate role that exceeds a predefined threshold level, assigning a number of users to a candidate role that exceeds a predefined threshold level, or assigning mutually exclusive access permissions to a same candidate role”, Paragraph 0064, Paragraphs 0089-0090 – “generates a user-attribute relation by mapping the users to attributes describing each of the users … generates a permission-attribute relation by mapping the permissions to attributes describing each of the permissions … generates a role-based access control policy”, Paragraphs 0103-0104, claim 6 – “roles assigned to each of the users”, and claims 17-18).
The teachings of Kazachkov et al., Thompson et al., and Chari et al. are related because all involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. in view of Thompson et al. to incorporate the machine learning algorithm of Chari et al. in order to better predict if a candidate for a role granting access to specific systems will potentially make an error in the system.

Regarding Claim 8: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 7. Kazachkov et al. do not specifically disclose the following. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.
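As an illustration of the distinction quoted from Thompson et al. in the rejections of claims 8, 7, 11 and 18 above (static SoD enforced when an administrator sets up role authorizations; dynamic SoD enforced when a user activates roles for a session), the following is an added example and is not code from the cited references or from the present application. The roles, transactions, users and SoD rules it uses are constructed for the illustration.

```python
"""Static vs dynamic separation of duty (SoD) over a small RBAC model.

An SoD rule is a set of transactions that no single individual may be able
to execute in full. A static rule is checked at authorization time; a
dynamic rule permits the authorizations but forbids activating the
covering roles together in one session.
"""


class SodViolation(Exception):
    """Raised when an authorization or activation would defeat an SoD rule."""


def covers_sod_set(roles, role_perms, sod_set):
    """True if the transactions reachable through `roles` include all of `sod_set`."""
    reachable = set().union(*(role_perms[r] for r in roles))
    return sod_set <= reachable


class RbacPolicy:
    def __init__(self, role_perms, static_sod, dynamic_sod):
        self.role_perms = role_perms      # role -> set of transactions
        self.static_sod = static_sod      # rules checked in authorize()
        self.dynamic_sod = dynamic_sod    # rules checked in Session.activate()
        self.user_roles = {}              # user -> set of authorized roles

    def authorize(self, user, role):
        """Administrator-time step: reject if the user's combined roles cover a static rule."""
        proposed = self.user_roles.get(user, set()) | {role}
        for rule in self.static_sod:
            if covers_sod_set(proposed, self.role_perms, rule):
                raise SodViolation(f"static SoD: {user} would cover {sorted(rule)}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user):
        return Session(self, user)


class Session:
    def __init__(self, policy, user):
        self.policy, self.user, self.active = policy, user, set()

    def activate(self, role):
        """Session-time step: the user may hold both roles, but not activate both at once."""
        if role not in self.policy.user_roles.get(self.user, set()):
            raise PermissionError(f"{self.user} is not authorized for {role}")
        proposed = self.active | {role}
        for rule in self.policy.dynamic_sod:
            if covers_sod_set(proposed, self.policy.role_perms, rule):
                raise SodViolation(f"dynamic SoD: session would cover {sorted(rule)}")
        self.active.add(role)

    def can_execute(self, transaction):
        return any(transaction in self.policy.role_perms[r] for r in self.active)


def demo():
    """Constructed scenario; returns (static_blocked, dynamic_blocked, bob_roles, approve_ok)."""
    role_perms = {
        "vendor_clerk": {"create_vendor", "edit_vendor"},
        "payables_clerk": {"enter_invoice"},
        "payment_approver": {"approve_payment"},
    }
    # Static rule: nobody may be authorized to both create vendors and approve payments.
    static_sod = {frozenset({"create_vendor", "approve_payment"})}
    # Dynamic rule: a user may hold both roles, but not enter and approve in one session.
    dynamic_sod = {frozenset({"enter_invoice", "approve_payment"})}
    policy = RbacPolicy(role_perms, static_sod, dynamic_sod)

    policy.authorize("alice", "vendor_clerk")
    try:
        policy.authorize("alice", "payment_approver")   # blocked at authorization time
        static_blocked = False
    except SodViolation:
        static_blocked = True

    policy.authorize("bob", "payables_clerk")
    policy.authorize("bob", "payment_approver")         # allowed: only a dynamic rule applies
    session = policy.open_session("bob")
    session.activate("payables_clerk")
    try:
        session.activate("payment_approver")            # blocked at session time
        dynamic_blocked = False
    except SodViolation:
        dynamic_blocked = True

    approver_session = policy.open_session("bob")       # a separate session may approve
    approver_session.activate("payment_approver")
    return (static_blocked, dynamic_blocked, sorted(policy.user_roles["bob"]),
            approver_session.can_execute("approve_payment"))
```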
Kazachkov et al. in view of Thompson et al. do not specifically disclose wherein the machine-learning algorithms are further configured to: analyze existing role definitions to determine naming and format conventions; analyze rulesets to determine second-level restrictions; and generate the plurality of roles in accordance with the determined naming and format conventions and second-level restrictions. However, Chari et al. further teach wherein the machine-learning algorithms are further configured to: analyze existing role definitions to determine naming and format conventions; analyze rulesets to determine second-level restrictions; and generate the plurality of roles in accordance with the determined naming and format conventions and second-level restrictions (See Figure 4 – “404, 406, 408, 410”, Figure 5, Figures 6A-6B, Figures 7A-7B, Paragraph 0015 – “role-based access control policy generated by a machine learning application”, Paragraph 0039, Paragraph 0061 – “use machine learning techniques … detect and correct over-provisioning errors in a role-based access control policy by identifying anomalies and inconsistencies. An over-provisioning error may be, for example, assigning a number of permissions to a candidate role that exceeds a predefined threshold level, assigning a number of users to a candidate role that exceeds a predefined threshold level, or assigning mutually exclusive access permissions to a same candidate role”, Paragraph 0064, Paragraphs 0089-0090 – “generates a user-attribute relation by mapping the users to attributes describing each of the users … generates a permission-attribute relation by mapping the permissions to attributes describing each of the permissions … generates a role-based access control policy”, Paragraphs 0103-0104, claim 6 – “roles assigned to each of the users”, and claims 17-18). 
The teachings of Kazachkov et al., Thompson et al., and Chari et al. are related because all involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. in view of Thompson et al. to incorporate the machine learning algorithm of Chari et al. in order to better predict if a candidate for a role granting access to specific systems will potentially make an error in the system.

Regarding Claims 10 and 19: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 1. Kazachkov et al. in view of Thompson et al. do not specifically disclose the following. However, Chari et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: generate an emergency repair role; identify, from within the user activity data, one or more activities that are historically used less than a predetermined number of times; and assign the identified one or more activities to the emergency repair role (See Figure 5, Figures 6A-6B, Figures 7A-7B, Paragraph 0039 – “Thresholds 230 also may include threshold values for a maximum complexity level of role-based access control policies”, Paragraph 0061 – “detect and correct over-provisioning errors in a role-based access control policy by identifying anomalies and inconsistencies. An over-provisioning error may be, for example, assigning a number of permissions to a candidate role that exceeds a predefined threshold level, assigning a number of users to a candidate role that exceeds a predefined threshold level, or assigning mutually exclusive access permissions to a same candidate role”, Paragraphs 0103-0104 – “role-based access control policy is greater than a predefined complexity threshold”, claim 6 – “roles assigned to each of the users”, and claims 17-18). 
The teachings of Kazachkov et al., Thompson et al., and Chari et al. are related because all involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. in view of Thompson et al. to incorporate the error detection of Chari et al. in order to better assign roles to candidates for performing tasks.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Kazachkov et al. (US 2015/0088800 A1) in view of Thompson et al. (US 7,712,127 B1) and further in view of Prasad et al. (US 7,568,217 B1).

Regarding Claim 9: Kazachkov et al. in view of Thompson et al. teach the limitations of claim 1. Kazachkov et al. in view of Thompson et al. do not specifically disclose the following. However, Prasad et al. further teach wherein the computer program code, when the user may "switch" to administrator mode for a short duration to perform some administrative tasks and then revert back to "user roles"”, column 8 lines 15-30 – “a role is conditionally assignable to a class of users on a network. All of the roles that may be defined to exist for a system may be said to comprise the role domain 200 for a network”, column 9 lines 14-62 – “two (or more) roles are mutually assignable to individuals in a class of users only if a particular condition occurs … roles may be removed if a designated condition occurs”, column 11 lines 20-31 – “Step 350 provides that the conditional assignment of roles is determined from the identified business rules. In one embodiment, a role is conditionally assignable to the user only if a corresponding condition is identified from the user initiating the operation. In another embodiment, the conditional role that is to be assigned to the user is one that is otherwise mutually exclusive of another role that the user is occupying when initiating the operation. The occurrence of the condition enables the user to mutually occupy the two roles at one time”, column 11 lines 30-40 – “The conditional role may be unassigned once the triggering operation is completed”, and claim 1). 
The teachings of Kazachkov et al., Thompson et al., and Prasad et al. are related because all involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective 

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record but not relied upon is considered pertinent to applicant's disclosure and is listed on the attached PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW D HENRY whose telephone number is (571)270-0504.  The examiner can normally be reached on Monday-Thursday 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, BRIAN EPSTEIN, can be reached on (571) 270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/MATTHEW D HENRY/Primary Examiner, Art Unit 3683