Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION
This action is in response to the communication filed on 10/31/2019.
Claims 1-20 are under examination.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-10 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 A1) and Fabrizi et al. (US 20200028854 A1).
Regarding claim 1, Pitre discloses A method for managing user access to a plurality of resources of an organization [abs, “Access to the resource(s) associated with those accounts may be updated based on the access granted by the access policies which are associated with those accounts”], the method performed by one or more processors of an access management system and comprising: receiving an access change request message [identifying a user] and requesting a change in the identified user's access to one or more selected resources of the plurality of resources [par. 0064, “IDM system 112 may manage (e.g., create, read, update, or delete) information (e.g., role information 146) about users in an organization. Role information 146 may be stored by IDM system 112 in data store 140. Role information 146 may indicate one or more roles defined within an organization. Role information 146 may be defined by an organization for managing access to target systems”, par. 0066, “IDM system 112 may manage (e.g., create, read, update, or delete) access policies used to manage access to resources types provided by any one of target systems 102… access policies may be managed based on instructions received from a user (e.g., an administrator or operator)”, par. 0073, “new access policies and updates to existing access policies”, par. 0067, “an access policy may, among other things, specify one or more resources types and user or groups to which provisioning of those resource types are allowed or disallowed”, par. 0074, “IDM system 112 may discover updates or changes a policy profile of a user… IDM system 112 may store information indicating a change in access policy data, such as a new, a modified, or a deleted access policy”]; transmitting an event message to each of the selected resources, each of the event messages identifying the user and instructing a corresponding one of the selected resources to modify the user's access based on the requested change [par. 0071, “IDM system 112 may request one or more target systems 102 to modify access provided by the account based on the access granted/denied by the access policy applicable to the account. IDM system 112 may periodically evaluate existing access policies to determine whether entitlements granted to an account are proper based on access policies applicable to the resource type indicated by the account. IDM system 112 may request a target system to update access to a resource type provided to an account based on a change in an entitlement for the resource type indicated by an access policy associated with the account”];
Pitre does not explicitly disclose the access change request message identifying a user and requesting a change in the identified user's access to one or more selected resources of the plurality of resources; receiving, from each of the selected resources, an event acknowledgement message indicating whether the requested change in the identified user's access was successfully completed.
However, Fabrizi et al. teaches the access change request message identifying a user and requesting a change in the identified user's access to one or more selected resources of the plurality of resources [par. 0048, “when a user passes from the role of developer to the role of team leader the update request indicates that the user has become authorized to read/write all the projects of his/her team”]; receiving, from each of the selected resources, an event acknowledgement message indicating whether the requested change in the identified user's access was successfully completed [par. 0077, “said step of receiving the update request expressed in structured way comprises detecting (by the computing system) a rule change in one or more access control rules for accessing the resources by the subjects. However, the rule change may be detected in any way (for example, by receiving a notification whenever the access control rules change, by monitoring the access control rules with any periodicity)”].
[Fabrizi et al.: abs.].
Regarding claim 2, the rejection of claim 1 is incorporated.
Fabrizi et al. further discloses the access change request message indicates at least one of a role of the identified user in the organization, a work group of the organization to which the identified user belongs, or a change in the user's role or work group; and the at least one of the role, the work group, or the change in the user's role or work group identifies the selected resources [par. 0048, “the update manager at block 412 generates an update request (or more) corresponding to the change of the access rules (for example, when a user passes from the role of developer to the role of team leader the update request indicates that the user has become authorized to read/write all the projects of his/her team)”, par. 0076, “the method comprises receiving (by the computing system) the update request expressed in structured way. However, the (structured) update request may be of any type (for example, derived from access control rules based on roles or any other model)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Fabrizi et al.  into the teaching of Pitre with the motivation for controlling access to one or more resources of a computing system as taught by Fabrizi et al. [Fabrizi et al.: abs.].
Regarding claim 3, the rejection of claim 1 is incorporated.
[par. 0048, “when a user passes from the role of developer to the role of team leader the update request indicates that the user has become authorized to read/write all the projects of his/her team”];
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Fabrizi et al.  into the teaching of Pitre with the motivation for controlling access to one or more resources of a computing system as taught by Fabrizi et al. [Fabrizi et al.: abs.].
Regarding claim 8, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 9, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 10, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.

Claims 4-6, 11-12 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 A1) and Fabrizi et al. (US 20200028854 A1) as applied to claims 1-3, 8-10 and 14-16 above, and further in view of Lotem et al. (US 2014/0150050 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Pitre and Fabrizi et al. discloses the access change request message includes information indicating the requested change in the identified user's access is to be implemented in one or more of the selected resources.
They do not explicitly disclose the access change request message includes information indicating a date and/or a time at which the requested change in the identified user's access is to be implemented in one or more of the selected resources.
However Lotem et al. teaches the access change request message includes information indicating a date and/or a time at which the requested change in the identified user's access is to be implemented in one or more of the selected resources [par. 0171, “the access change request should include details such as:… Due date--the date for implementing the change”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lotem et al. into the [Lotem et al.: abs.].
Regarding claim 5, the rejection of claim 4 is incorporated.
Lotem et al. further teaches determining whether the requested change in the identified user's access is completed by the indicated date and/or time; and generating a completion signal or an error signal based on the determining [par. 0171, “the access change request should include details such as:… Due date--the date for implementing the change”, par. 0277, “An ACR that its verification tests succeeded, get an indication for the success of the verification tests. This indication can trigger a status change of the ACR ("Deployment verified", or even "Closed") or leave that final decision to the user”, par. 0275, “ACRs which have been deployed and their verification tests failed are associated with a deployment problem indication. This indication can be used for sending alerts to relevant users, or for highlighting the problematic ACRs in views and reports (stage 7130)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lotem et al. into the teaching of Pitre and Fabrizi et al. with the motivation for evaluating a deployment of a network access change request as taught by Lotem et al. [Lotem et al.: abs.].
Regarding claim 6, the rejection of claim 5 is incorporated.
Lotem et al. further teaches the generating comprises: generating the completion signal based on receiving confirmation of the requested change in the identified user's access in the event acknowledgement message by the indicated date and/or time; and generating the error signal based on not receiving confirmation of the requested change in the identified user's [par. 0171, “the access change request should include details such as:… Due date--the date for implementing the change”, par. 0269, “The check of the implementation details verifies that all the required changes to rules and groups appear in the model of the current configuration. This can be done by examining each of the implementation items in the Firewall ACR, and examining if it matches in the model of the current configuration”, par. 0275, “ACRs which have been deployed and their verification tests failed are associated with a deployment problem indication. This indication can be used for sending alerts to relevant users, or for highlighting the problematic ACRs in views and reports (stage 7130)”, par. 0277, “An ACR that its verification tests succeeded, get an indication for the success of the verification tests. This indication can trigger a status change of the ACR ("Deployment verified", or even "Closed") or leave that final decision to the user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lotem et al. into the teaching of Pitre and Fabrizi et al. with the motivation for evaluating a deployment of a network access change request as taught by Lotem et al. [Lotem et al.: abs.].
Regarding claim 11, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.

Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 A1) and Fabrizi et al. (US 20200028854 A1) as applied to claims 1-3, 8-10 and 14-16 above, and further in view of Ahmed et al. (US 2005/0138648 A1).
Regarding claim 7, the rejection of claim 1 is incorporated.
Pitre discloses the event message transmitted to a respective one of the selected resources.
Fabrizi et al. discloses the event acknowledgement message received from the respective one of the selected resources.
They do not explicitly disclose the event message and the event acknowledgement message are linked to each other by a message identifier.
However Ahmed et al. teaches the event message and the event acknowledgement message are linked to each other by a message identifier [claim 4, “the response message comprises an acknowledgement component for acknowledging receipt of the request message, a correlation identifier”, par. 0079, “The Correlation_ID component 186 and associated String Identifier 188 allow the abstract response message 176 to be correlated with a particular incoming request message 158, and to indicate this correlation to the requesting client application 124”].
[Ahmed et al.: par. 0079].
Regarding claim 20, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Pitre (US 2015/0200943 A1) and Fabrizi et al. (US 20200028854 A1) as applied to claims 1-3, 8-10 and 14-16 above, and further in view of Fuller et al. (US 8,813,225 B1).
Regarding claim 13, the rejection of claim 8 is incorporated.
Pitre and Fabrizi et al. disclose receiving an access change request message requesting a change in the identified user's access to one or more selected resources of the plurality of resources.
They do not explicitly disclose a respective one of the resources includes an application program interface (API) configured to decode the event message and implement the requested change in the identified user's access, irrespective of a type of user access mechanism or interface utilized by the respective one of the resources.
However Fuller et al. teaches a respective one of the resources includes an application program interface (API) configured to decode the event message and implement the requested change in the identified user's access, irrespective of a type of user access mechanism or [col. 7, line 48 – col. 8, line 12, “the access manager may support MACPs requested by external or third-party service managers. As noted above, in some embodiments a third-party provider may wish to utilize some resources of the provider network to implement a service for its clients… an MACP management interface may be implemented in the form of one or more application programming interfaces (APIs)… allowing service managers or other trusted access controllers to specify various details and parameters of MACPs in one embodiment. A client-facing programmatic interface or set of interfaces may also or instead be implemented in another embodiment, allowing clients to ascertain which if any MACPs apply to the various resources that they own or have an interest in, and the various services that they utilize”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ahmed et al. into the teaching of Pitre and Fabrizi et al. with the motivation of allowing clients to ascertain which if any MACPs apply to the various resources that they own or have an interest in, and the various services that they utilize as taught by Fuller et al. [Fuller et al.: col. 7, line 48 – col. 8, line 12].


 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20060235851 A1		Conference system and terminal apparatus

US 20050166260 A1		Distributed policy enforcement using a distributed directory
US 20020002677 A1		Data processing system and method
US 8656465 B1		Userspace permissions service
US 20130185774 A1		Systems and Methods of Managing Access to Remote Resources
US 8769642 B1		Techniques for delegation of access privileges
US 20090221266 A1		MOBILE TERMINAL, ACCESS CONTROL MANAGEMENT DEVICE, AND ACCESS CONTROL MANAGEMENT METHOD
US 20110173679 A1		RESOURCE ACCESS BASED ON MULTIPLE SCOPE LEVELS
US 8973108 B1		Use of metadata for computing resource access

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/JASON CHIANG/Primary Examiner, Art Unit 2431