DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of the Application
This action is a first action on the merits in response to the application filed on 08/15/2019.
Status of Claims
Claims 1-19 filed on 08/15/2019 are currently pending and have been examined in this application.
Examiner’s Notes
Paragraph 0091 of the instant specification recites “The software product may be stored in a non-volatile or non-transitory storage medium, which can be a compact disk read-only memory (CD-ROM), a USB flash disk, or a removable hard disk”. The non-transitory CRM as claimed is statutory. 
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 
Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Specifically, claims 1-19 are directed to an abstract idea without additional elements to integrate the claims into a practical application or to amount to significantly more than the abstract idea.
Claims 1-19 are directed to a process, machine, or manufacture (Step 1), however the 
With respect to Step 2A Prong One of the framework, claim 1 recites an abstract idea. Claim 1 includes limitations for “transform enterprise access data into data sets; identify business roles based on common patterns of the access data, the business roles comprising at least one access point associated with the access data; present at least one business role assignable to an employee to an access manager; and receive an approval indication associated with the access manager assigning the business role to the employee”
The limitations above recite an abstract idea under Step 2A Prong One. More particularly, the limitations above recite Mental Process because an ordinary person can analyze access data and assign access to employees based on their roles. As a result, claim 1 recites an abstract idea under Step 2A Prong One.
Claims 10 and 19 recite substantially similar limitations to those presented with respect to claim 1. As a result, claims 10 and 19 recite an abstract idea under Step 2A Prong One for the same reasons as stated above with respect to claim 1. Similarly, claims 2-9 and 11-18 recite a Mental Process because the claimed elements describe a process for analyzing access data. As a result, claims 2-9 and 11-18 recite an abstract idea under Step 2A Prong One.
With respect to Step 2A Prong Two of the framework, claim 1 does not include additional elements that integrate the abstract idea into a practical application. Claim 1 includes additional elements that do not recite an abstract idea. The additional elements of claim 1 include “A system for approving access permissions, the system comprising at least one processor and memory storing instructions”. When considered in view of the claim as a whole, the recited computer elements do not integrate the abstract idea into a practical application because the computer elements are generic computer elements that are merely used as a tool to
As noted above, claims 10 and 19 recite substantially similar limitations to those recited with respect to claim 1. Although claim 10 further recites “A computer-implemented method” and claim 19 further recites “A non-transitory computer-readable medium having instructions thereon which, when executed by a processor”, when considered in view of the claims as a whole, the recited computer elements do not integrate the abstract idea into a practical application because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. As a result, claims 10 and 19 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
Claims 2-9 and 11-18 do not include any additional elements beyond those recited by independent claims 1, 10, and 19. As a result, claims 2-9 and 11-18 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
With respect to Step 2B of the framework, claim 1 does not include additional elements amounting to significantly more than the abstract idea. As noted above, claim 1 includes additional elements that do not recite an abstract idea. The additional elements of claim 1 include “A system for approving access permissions, the system comprising at least one processor and memory storing instructions”. The recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. As a result, claim 1 does not include additional elements that amount to significantly more than the abstract idea
As noted above, claims 10 and 19 recite substantially similar limitations to those recited with respect to claim 1. Although claim 10 further recites “A computer-implemented method” and claim 19 further recites “A non-transitory computer-readable medium having instructions thereon which, when executed by a processor”, the recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually. As a result, claims 10 and 19 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Claims 2-9 and 11-18 do not include any additional elements beyond those recited by independent claims 1, 10, and 19. As a result, claims 2-9 and 11-18 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Therefore, the claims are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea. Accordingly, claims 1-19 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness. 
Claims 1-2, 10-11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 20120246098 A1) in view of Wilkinson et al. (US 8978104 B1).
Regarding claim 1. Chari teaches A system for approving access permissions, the system comprising at least one processor and memory storing instructions which when executed by the at least one processor configure the at least one processor to: [Chari, claim 13, Chari teaches “An apparatus for performing role mining given a plurality of users and a plurality of permissions, the apparatus comprising: a memory; and at least one processor device, coupled to the memory” and Chari’s claim 16 teaches “An article of manufacture for performing role mining given a plurality of users and a plurality of permissions, comprising a machine-readable recordable medium containing one or more programs which when executed implement the steps of” wherein stored instructions] transform enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identify business roles based on common patterns of the access data, [Chari, para. the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and role decomposition is now provided. The LDA based process is evaluated using a number of data sets... Three proprietary data sets are referred to herein: Customer{1,2,3} which represent administrative access to various resources” wherein an administrator {1,2,3} (business role) having access based on roles]
Chari does not specifically teach, however, Wilkinson teaches present at least one business role assignable to an employee to an access manager; and receive an approval indication associated with the access manager assigning the business role to the employee [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teaching of Wilkinson by having a manager approve an access request based on role. The motivation to combine Chari with Wilkinson has the advantage where the credentials manager 704 may thereafter provide the retrieved credentials directly to the production, development, and/or test systems 128 (through
Regarding claim 2. Chari in view of Wilkinson teaches all of the limitations of claim 1 (as above). Further, Chari teaches wherein the at least one processor is configured to: permit access to the employee to the at least one access points associated with the business role [Chari, claim 21, Chari teaches “The apparatus of claim 20, wherein the at least one processor device when performing the determine step is further operative to: (a) for each user i, select a random number 0 ≤ r ≤ K; (b) for each user i, assign user i top r roles; (c) for each role j, select a random number 0 ≤ p ≤ m, where m is a total number of unique permissions and the role is assigned top p permissions;” wherein the above steps performed by the processor are steps to permit access to a user based on role].
Regarding claim 10. Chari teaches A computer-implemented method of approving access permissions, the method comprising: [Chari, Abstract, Chari teaches “Applications of machine learning techniques such as Latent Dirichlet Allocation (LDA) and author-topic models (ATM) to the problems of mining of user roles to specify access control policies from entitlement as well as logs which contain record of the usage of these entitlements are provided” wherein a computer-implemented method of approving access permissions] transforming, by at least one processor, enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identifying, by the at least one processor, business roles based on common patterns of the access data, [Chari, para. 0047, Chari teaches “the present techniques consider whether a user has performed an action before (i.e., in the past) and how frequently. This concept is also referred to as "past actions" of the user” wherein common patterns of the access data] the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and role decomposition is now provided. The LDA based process is evaluated using a number of data sets... Three proprietary data sets are referred to herein: Customer{1,2,3} which represent administrative access to various resources” wherein an administrator {1,2,3} (business role) having access based on roles]
Chari does not specifically teach, however, Wilkinson teaches presenting, by the at least one processor, at least one business role assignable to an employee to an access manager; and receiving, by the at least one processor, an approval indication input associated with the access manager assigning the business role to the employee [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teaching of Wilkinson by having a manager approve an access request based on role. The motivation to combine Chari
Regarding claim 11, the claim recites analogous limitations to claim 2 above, and is therefore rejected on the same premise. Claim 2 is a system claim while claim 11 is directed to a method which is anticipated by Chari claim 13.
Regarding claim 19. Chari teaches A non-transitory computer-readable medium having instructions thereon which, when executed by a processor, perform a method of approving access permissions, said method comprising: [Chari, claim 13, Chari teaches “An apparatus for performing role mining given a plurality of users and a plurality of permissions, the apparatus comprising: a memory; and at least one processor device, coupled to the memory”] transforming enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identifying business roles based on common patterns of the access data, [Chari, para. 0047, Chari teaches “the present techniques consider whether a user has performed an action before (i.e., in the past) and how frequently. This concept is also referred to as "past actions" of the user” wherein common patterns of the access data] the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and
Chari does not specifically teach, however, Wilkinson teaches presenting at least one business role assignable to an employee to an access manager; and receiving an approval indication input associated with the access manager assigning the business role to the employee [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teaching of Wilkinson by having a manager approve an access request based on role. The motivation to combine Chari with Wilkinson has the advantage where the credentials manager 704 may thereafter provide the retrieved credentials directly to the production, development, and/or test systems 128 (through the virtual desktops 124), thereby accessing the production, development, and/or test systems 128 in an automated manner. Such an arrangement has an advantage in that the technical support personnel are not exposed to the credentials and therefore cannot misuse them [Wilkinson, column 11 lines 41-48].
Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wilkinson and in further view of Bhagwan et al. (US 8359652 B2).
Regarding claim 3. Chari in view of Wilkinson teaches all of the limitations of claim 1 (as above). Chari in view of Wilkinson does not specifically teach, however, Bhagwan teaches wherein to transform data into data sets, the at least one processor is configured to: obtain the enterprise access data; identify outliers of the enterprise access data; [Bhagwan, Abstract, Bhagwan teaches “First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies” wherein obtain the enterprise access data and identify outliers]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson to incorporate the teaching of Bhagwan by obtaining the enterprise access data and identifying outliers. The motivation to combine Chari in view of Wilkinson with Bhagwan has the advantage where this object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies [Bhagwan, Abstract].
Further, Chari teaches perform a function role factorization on the enterprise access data; and cluster business roles from the enterprise access data [Chari, Abstract, Chari teaches “The method includes the following steps. At least one generative machine learning technique, e.g., LDA, is used to obtain a probability distribution θ for user-to-role assignments and a probability distribution β for role-to-permission assignments” wherein role factorization and clustering for the access data].
Regarding claim 12, the claim recites analogous limitations to claim 3 above, and is therefore rejected on the same premise. Claim 3 is a system claim while claim 12 is directed to a method which is anticipated by Chari claim 13. 
Claims 4-6 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wilkinson and Bhagwan, and in further view of Jaideep Vaidya (The Role Mining Problem: Finding a Minimal Descriptive Set of Roles (2007)) hereinafter Vaidya.
Regarding claim 4. Chari in view of Wilkinson and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Wilkinson and Bhagwan does not specifically teach, however, Vaidya teaches wherein to perform the function role factorization, the at least one processor is configured to: transform access into a binary matrix representation; and factor the resulting access matrix into: a first factored matrix representing a mapping from users to function roles; and  a second factored matrix representing a mapping from function roles to access permissions.  [Vaidya, see table 1-3, Vaidya teaches binary tables. Table 2- (a) user to role and table 3 (b) role to permission]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson and Bhagwan to incorporate the teaching of Vaidya by transforming access data to binary tables and factorizing user to role and role to permission. The motivation to combine Chari in view of Wilkinson and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claim 5. Chari in view of Wilkinson and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Wilkinson and Bhagwan does not specifically teach, however, Vaidya teaches wherein to cluster business roles based on common patterns of access privileges, the at least one processor is configured to: factor out function roles associated with the access privileges common to at least two employees; and generate business roles based on the function roles [Vaidya, see table 2- (a) user 2 and user 4 have the same role r1 and table 2-(b) shows role r1 to permissions p1, p2, p3…]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson and Bhagwan to incorporate the teaching of Vaidya by factoring out function roles associated with the access privileges common to at least two employees and generating business roles based on the function roles. The motivation to combine Chari in view of Wilkinson and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claim 6. Chari in view of Wilkinson, Bhagwan, and  Vaidya teaches all of the limitations of claim 5 (as above). Chari in view of Wilkinson and Bhagwan does not specifically teach, however, Vaidya teaches wherein the at least one processor is configured to: compute a difference in access by multiplying the factors together and taking the difference between the multiplied factors and an original access matrix [Vaidya, see page 177, second column, lines 9-
If M(UA) ⊗ M(PA) − M(UPA) ≤ δ where M(UA), M(PA), and M(UPA) denote the matrix representation of UA, PA and UPA respectively. Essentially, the notion of δ-consistency allows us to bound the degree of difference between the user-to-role assignment UA, role-to-permission assignment PA and user-to-permission assignment UPA. For UA, PA, and UPA to be δ-consistent, the user-permission matrix generated from UA and PA should be within δ of UPA” emphasis added, wherein finding a difference by multiplying the user-to-role assignment UA with role-to-permission assignment PA as above (M(UA) ⊗ M(PA)) and finding the difference (M(UA) ⊗ M(PA) − M(UPA))]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson and Bhagwan to incorporate the teaching of Vaidya by computing a difference in access by multiplying the factors together and taking the difference between the multiplied factors and an original access matrix. The motivation to combine Chari in view of Wilkinson and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claims 13-15, claims 13-15 recite substantially similar limitations as claims 4-6, respectively; therefore, claims 13-15 are rejected with the same rationale, reasoning, and motivation provided above for claims 4-6, respectively. Claims 4-6 are system claims while .
Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wilkinson and Bhagwan, and in further view of Thompson et al. (US 20100312726 A1).
Regarding claim 7. Chari in view of Wilkinson and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Wilkinson and Bhagwan does not specifically teach, however, Thompson teaches wherein to cluster business roles, the at least one processor is configured to: compose a feature vector for each employee; define a similarity metric; apply the similarity metric to the data to generate a feature vector for the employees; and cluster the feature vector into groupings based on a threshold value. [Thompson, para. 0027, Thompson teaches “The unsupervised clustering technique may group one or more feature vectors into the mathematical cluster based upon characteristics of the one or more feature vectors (e.g., dimensions) being similar to the similarity metric. That is, the unsupervised clustering technique may group feature vectors that are plotted close to one another within the multidimensional matrix in view of the similarity metric because feature vectors located in close spatial relation to one another may exhibit similar characteristics due to being plotted within the multidimensional matrix based upon their characteristics” wherein applying similarity metric to feature vectors and clustering feature vectors]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson and Bhagwan to incorporate the teaching of Thompson by applying similarity metric to feature vectors and
Regarding claim 16, the claim recites analogous limitations to claim 7 above, and is therefore rejected on the same premise. Claim 7 is a system claim while claim 16 is directed to a method which is anticipated by Chari claim 13. 
Claims 8-9 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wilkinson and Bhagwan, in further view of Thompson, and in further view of Verramachaneni et al. (US 20180165475 A1).
Regarding claim 8. Chari in view of Wilkinson, Bhagwan, and Thompson teaches all of the limitations of claim 7 (as above). Chari in view of Wilkinson, Bhagwan, and Thompson does not specifically teach, however, Verramachaneni teaches wherein to compose a feature vector for each employee the at least one processor is configured to: convert categorical variables into numerical representations [Verramachaneni, para. 0144, Verramachaneni teaches “FIG. 10 is an illustration of the method that converts categorical variables to numerical data” wherein converting categorical variables into numerical representations ]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson, Bhagwan, and Thompson to incorporate the teaching of Verramachaneni by converting categorical variables into numerical representations. The motivation to combine Chari in view of Wilkinson, Bhagwan, and Thompson with Verramachaneni is advantageous because the generation of such
Regarding claim 9. Chari in view of Wilkinson, Bhagwan, and Thompson teaches all of the limitations of claim 7 (as above). Chari in view of Wilkinson, Bhagwan, and Thompson does not specifically teach, however, Verramachaneni teaches wherein the feature vector comprises: information on which function roles an employee has been assigned; and categorical human resource data associated with the employee [Verramachaneni, para. 0233, Verramachaneni teaches “The dataset related to human resources information, and described the career goals and reviews for 1818 employees. It also contained some information about the employees' quarterly reviews. There were 10 interconnected tables describing this information” wherein the career goal is equivalent to function role and human resources information is equivalent to human resource data associated with the employee]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Wilkinson, Bhagwan, and Thompson to incorporate the teaching of Verramachaneni by converting categorical variables into numerical representations which is associated with human resources information and employee role. The motivation to combine Chari in view of Wilkinson, Bhagwan, and Thompson with Verramachaneni is advantageous because the generation of such synthetic data allows publication of bulk data freely and on-demand (e.g., for data analysis purposes), without the risk of security/privacy breaches [Verramachaneni, Abstract].
Regarding claims 17-18, claims 17-18 recite substantially similar limitations as claims 8-9, respectively; therefore, claims 17-18 are rejected with the same rationale, reasoning, and
Conclusion
Any inquiry concerning this communication from the examiner should be directed to Abdallah El-Hagehassan whose telephone number is (571) 272-0819. The examiner can normally be reached on Monday-Friday 8 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on (571) 272-6045. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-3734.
Information regarding the status of an application may be obtained from the patent application information retrieval (PAIR) system. Status information of published applications may be obtained from either private PAIR or public PAIR. Status information of unpublished applications is available through private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have any questions on access to the private PAIR system, contact the electronic business center (EBC) at (866) 271-9197 (toll-free). If you would like assistance from a USPTO customer service representative or access to the automated information system, call (800) 786-9199 (in US or Canada) or (571) 272-1000.

/ABDALLAH A EL-HAGE HASSAN/
Examiner, Art Unit 3623
/RUTAO WU/
Supervisory Patent Examiner, Art Unit 3623