DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 05/07/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
3.	Claims 1 and 20 are objected to because of the following informalities:  
Claims 1 and 20 use abbreviations (i.e. FP-growth algorithm) in the claim language without disclosing the meaning of the abbreviation within the scope of the claims. Abbreviations must be spelled out at the first instance they are used in the claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
4.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.





6.	Claim 1 recites in the preamble the phrase “a computing system”. Further, the first limitation recites “obtaining, by a computing device and from a data store comprising access right data, at least a portion of the access right data that characterizes a plurality of access rights associated with a plurality of users of a computing system,…” (emphasis added). It is unclear whether the applicant is trying to refer to the same computing system recited in the preamble or a different computing system.  There is insufficient antecedent basis for this limitation in the claim.
	Note: For the examination purposes, the examiner interprets that it is the same computing system.
Claims 1 and 20 recite in a limitation “a computing system”. Further, the first limitation recites “selecting, at least based on the at least one evaluation, a candidate bundle of access rights of the at least one candidate bundle of access rights to define as a role” (emphasis added). Another limitation recites “defining, for the computing system, a role based on the candidate bundle of access rights selected” (emphasis added). It is unclear whether the applicant is trying to refer to the same role recited in the prior limitation or a different role.  There is insufficient antecedent basis for this limitation in the claim.
	Note: For the examination purposes, the examiner interprets that the applicant is referring to the same role.
Claims 6, 10 and 12 suffer similar deficiencies and are rejected using the same rationale. Dependent Claim 7 is rejected based upon its dependence from Claim 6.

Claim 2 recites in a limitation “wherein the plurality of access rights comprises a plurality of permissions, and wherein individual permissions of the plurality of permissions are associated with a computing resource of the computing system” (Emphasis added). It is unclear whether the applicant is trying to refer to the same computing resource recited in Claim 1 or a different computing resource.  There is insufficient antecedent basis for this limitation in the claim.
Note: For the examination purposes, the examiner interprets that it is the same computing resource.
Claim 5 recites in a limitation “generating the tree data structure comprises generating the tree data structure based on one or more access rights of the plurality of access rights that are associated with a support count that meets a threshold support count.” (Emphasis added). It is unclear whether the applicant is trying to refer to the same support count recited in the claim earlier or a different support count.  There is insufficient antecedent basis for this limitation in the claim.
Note: For the examination purposes, the examiner interprets that it is the same support count.

Claim Rejections - 35 USC § 103
7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
9.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

10.	Claims 1-6, 8-10, 12 and 14-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over B’far et al. (US 2014/0129268 A1, hereinafter B’far) in view of Yang et al. (US 2018/0107695 A1, hereinafter Yang).

Regarding Claim 1,

B'far discloses a method of provisioning access rights in a computing system (B’far: [Abstract] Systems and methods…, method optimizes the assignment of permissions (e.g., ability to write to a database, ability to create a new account, etc.) to jobs) comprising: 
(B’far: ¶ [0030] "permission" or "privilege" or "authorization" refers to a granted ability perform a particular activity, ¶ [0048] a permissions descriptions database for storing and retrieving one or more permission descriptions 104..., a computer processor to perform analysis, ¶ [0099]), at least a portion of the access right data that characterizes a plurality of access rights associated with a plurality of users of a computing system (B’far: ¶ [0010] a plurality of permissions for the respective duties of the job, ¶ [0028] "job" or "title" refers to a name ascribed to a person ( e.g., and employee or a contractor, etc.) who is tasked to perform applicable duties, ¶¶ [0048, 0062]), 
wherein individual access rights of the plurality of access rights are associated with a computing resource of the computing system (B’far: ¶ [0030] "permission" or "privilege" or "authorization" refers to a granted ability perform a particular activity …, a duty to approve a purchase order can be codified to a permission to read a purchase order from a database, and to view a corresponding authorization signature block, and to sign the purchase order, and to store the authorizing signature block in the database, ¶¶ [0048, 0099]); 
generating,  in accordance with an FP-growth algorithm and based on the portion of the access right data obtained, a tree data structure corresponding to the plurality of access rights (B’far: ¶ [0079] Using any known-in-the art techniques the roles hierarchy 300 can be flattened (e.g., traversed depth first to enumerate each leaf node, or traversed breadth first to enumerate each leaf node), See Fig. 1c Fig. 3); 
identifying at least one candidate bundle of access rights (B’far: ¶ [0081] each permission cluster can be evaluated to determine the number of jobs for which each and every permission in the candidate cluster, ¶ [0069] a roles hierarchy 300 of duties to permissions as used in systems for roles discovery using privilege cluster analysis, ¶ [0083] Candidate Privilege Clusters, See Fig. 3, Table 3-page7) at least by: 
traversing, in accordance with the FP-growth algorithm, the tree data structure (B’far: ¶ [0079] Using any known-in-the art techniques the roles hierarchy 300 can be flattened (e.g., traversed depth first to enumerate each leaf node, or traversed breadth first to enumerate each leaf node), ¶ [0048] an organization chart or graph is computer-readable and can be traversed by a computer processor to perform analysis (e.g., analysis as discussed herein));
applying at least one constraint during the traversing, wherein the at least one constraint excludes, from the at least one candidate bundle of access rights, at least one set of access rights represented in the tree data structure (B’far: ¶ [0079] a parameterized flattening operation might enumerate the universe of permissions considering only permissions that have been used within some particular parameterized time period ( e.g., within 365 days)…, the dotted lines to permissions represent those that have not been used within a certain time period, ¶ [0084] Various operations can be performed so as to select (or exclude) permission clusters for further consideration, See Page 7. Table 3 –C22, C24, C25).
performing, based on the portion of the access right data obtained, at least one evaluation of the at least one candidate bundle of access rights (B’far: ¶ [0081] each permission cluster can be evaluated to determine the number of jobs for which each and every permission in the candidate cluster is granted, ¶ [0074]); 
selecting, at least based on the at least one evaluation, a candidate bundle of access rights of the at least one candidate bundle of access rights to define as a role (B’far: ¶ [0082] A permission cluster ( e.g., cluster of authorizations or privileges) will be prioritized for consideration as a role based on the number of jobs that inherit all of its privileges in combination with the number of  privileges it contains, ¶ [0087]); 
(B’far: ¶ [0086] Match Candidate Privilege Clusters Against Existing Duties: Name Virtual Roles, ¶ [0029] term "duty" or "role" refers to a name ascribed to an activity or responsibility to be performed by a person who holds a particular job or title); and 
provisioning the role for one or more users of the plurality of users (B’far: ¶ [0087] virtual role can be discovered through cluster analysis (e.g., as discussed above) and a virtual role may or may not correspond to any existing named role, ¶ [0088] match the candidate clusters against existing named roles. Strictly as an example, for each privilege cluster, record the M named roles with the highest degree of match with the privileges in the privilege cluster and use the essence of the top M named roles to define a convenient name for the virtual role).
However, it is noted that B'far does not explicitly disclose:
generating,  in accordance with an FP-growth algorithm and based on the portion of the access right data obtained, a tree data structure corresponding to the plurality of access rights; and
identifying at least one candidate bundle of access rights at least by: traversing, in accordance with the FP-growth algorithm, the tree data structure.
However, Yang et al. from the same field of endeavor as the claimed invention discloses that mining data in a database by recursively mining a conditional frequent pattern tree (FP-tree) for frequent items of each conditional pattern base for each node in an FP-tree to obtain frequent patterns (Yang: [Abstract]), an FP-growth algorithm is used for mining frequent item sets in the transactions 302 stored in the database 212 (Yang: ¶ [0056]), once the redundant rule 604 is removed, the preliminary rule set 602 is updated/modified to generate the final rule set 606 (Yang: ¶ [0078]), generates a conditional pattern base for each node in the FP-tree by traversing the FP-tree at 710. Traversing the FP-tree includes, for example, following node-links for each of (i.e. generating FP-tree in accordance with FP-Growth algorithm and traversing the tree …) (Yang: ¶ [0085]), and if the confidence is greater than or equal to the threshold, then a set of association rules (including multiple consequents) is generated from the association rules (Yang: ¶ [0091]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 2,
Claim 2 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. B’far further discloses wherein the plurality of access rights comprises a plurality of permissions, and wherein individual permissions of the plurality of permissions are associated with a computing resource of the computing system (B’far: ¶ [0030] "permission" or "privilege" or "authorization" refers to a granted ability perform a particular activity…, a duty to approve a purchase order can be codified to a permission to read a purchase order from a database, and to view a corresponding authorization signature block, and to sign the purchase order, and to store the authorizing signature block in the database, ¶ [0048] a permissions descriptions database for storing and retrieving one or more permission descriptions 104..., ¶¶ [0048, 0099]).


Regarding Claim 3,
Claim 3 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. B’far further discloses wherein applying the at least one constraint excludes, from the at least one candidate bundle of access rights, a set of access rights that does not correspond to a branch of the tree data structure (B’far: ¶ [0070] nodes and/or relationships that are candidates to be pruned…, Phantom jobs, exceptions, unused jobs, and unused relationships are depicted using dotted lines. Any unused jobs, duties, permissions or relationships can be marked as unused in the roles hierarchy 300, ¶ [0079] those permissions {P6, P7, P8 ...P 111, P112, ..., Pnnn} are excluded from the universe).

Regarding Claim 4,
Claim 4 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. B’far does not explicitly disclose wherein: the at least one candidate bundle of access rights comprises a first set of access rights comprising a plurality of access rights having a common support count; and 
applying the at least one constraint excludes, from the at least one candidate bundle of access rights, a second set of access rights that is a subset of the first set of access rights.
However, Yang further discloses the conditional FP-tree may be generated by treating the m-conditional pattern base as a database and each prefix path as a record. This results in the frequent items (f:3, c:3, a:3), which are used to construct the m-conditional FP-tree (Yang: ¶ [0061]), the association rule table 510, association rules include one or more of the following information: an antecedent, a consequent, a confidence, a frequency of the antecedent and a frequency of the antecedent and consequent. For example, the first row of the association rules table 510 includes an antecedent of 'c', a consequent of 'f' (i.e. plurality of items with common support count) (Yang: ¶ [0073]), and removes redundant rules at 714A by defining a child rule to be of equal or lower confidence than a parent rule, where the child rule is defined as a rule including a same consequent as the parent rule and the antecedent includes the antecedent of the parent rule as a subset (FIG. 6) (i.e. excluding a second set…) (Yang: ¶ [0087]). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 5,
Claim 5 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far does not explicitly disclose wherein: 
determining, for each access right of the plurality of access rights and based on the access right data obtained, a support count; and 
generating the tree data structure comprises generating the tree data structure based on one or more access rights of the plurality of access rights that are associated with a support count that meets a threshold support count.
However, Yang further discloses FP-growth algorithm is used for mining frequent item sets in the transactions 302 stored in the database 212. A server or node, such as base station 170A or 170B with a processing engine 202, begins the process of constructing an FP-tree (i.e. generating the tree data structure) by retrieving the item descriptors from the transaction database 212 and a minimum support count (e.g., min_sup=3) …, then performs a first scan of the database 212 to obtain the (i.e. determining a support count for each item) For all items in the database 212 with a frequency meeting or exceeding the minimum support count (e.g., min_sup=3) (i.e. threshold support count…), a header table 304 is constructed that contains the item ( e.g., item T) and its frequency count (e.g., 4). (Yang : ¶ [0056]). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 6,
Claim 6 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. B’far further discloses wherein: the at least one evaluation comprises a similarity evaluation (B’far: ¶ [0031] A "role" as defined above refers to a named role ascribed to an activity or responsibility to be performed by a person who holds a particular job or title, ¶ [0086] Match Candidate Privilege Clusters Against Existing Duties, ¶ [0088] When all Job Privileges have Authorizing Privilege Clusters, match the candidate clusters against existing named roles); and 
the similarity evaluation comprises: determining a similarity between the candidate bundle of access rights and a set of access rights associated with a user of the computing system (B’far: ¶ [0086] Match Candidate Privilege Clusters Against Existing Duties, ¶ [0088] When all Job Privileges have Authorizing Privilege Clusters, match the candidate clusters against existing named roles, ¶ [0031] A "role" as defined above refers to a named role ascribed to an activity or responsibility to be performed by a person who holds a particular job or title); and 
determining, based on the similarity, whether the user is eligible to be assigned a role corresponding to the candidate bundle of access rights (B’far: ¶ [0086] Match Candidate Privilege Clusters Against Existing Duties, ¶ [0088] When all Job Privileges have Authorizing Privilege Clusters, match the candidate clusters against existing named roles…, for each privilege cluster, record the M named roles with the highest degree of match with the privileges in the privilege cluster and use the essence of the top M named roles to define a convenient name for the virtual role, ¶ [0055] assigning a set of permissions after discovering optimal roles that grant permissions and authorizations to jobs by analyzing permission clusters, ¶ [0068] observing hierarchical inheritance, creating a group of privileges (namely for the supplier management duty 20311) means that the three jobs are authorized to the two permissions through just two grants, ¶ [0031] A "role" as defined above refers to a named role ascribed to an activity or responsibility to be performed by a person who holds a particular job or title).

Regarding Claim 8,
Claim 8 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far does not explicitly disclose wherein: 
the at least one evaluation comprises a confidence evaluation; and  
the confidence evaluation comprises determining, for the candidate bundle of access rights and based on the access right data obtained, a confidence that a first access right of the candidate bundle of access rights implies a second access right of the candidate bundle of access rights.
However, Yang further discloses association rules include one or more of the following

antecedent 4 and a frequency of antecedent and consequent 3 (i.e. confidence evaluation and determining a first access right implies a second access right…) (Yang : ¶ [0073], See also Fig. 5), 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 9,
Claim 9 is dependent on Claim 8, and the combination of B’far and Yang discloses all the limitations of Claim 8. However, B’far does not explicitly disclose wherein: selecting the candidate bundle of access rights at least based on the at least one evaluation comprises selecting the candidate bundle of access rights at least based on determining that the confidence meets a confidence threshold.
However, Yang further discloses generates association rules based on the frequent patterns and the combined-single node tables as discussed above (FIG. 5)… determines whether any of the association rules have a confidence that is less than a threshold. If the confidence for any one association rule is less than the threshold, then the association rule is removed…, otherwise, if the confidence is greater than or equal to the threshold, then a set of association rules (including multiple consequents) is generated from the association rules…, thereby resulting in a set of (Yang: ¶ [0091], also see ¶ [0092]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 10,
Claim 10 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. B’far further discloses wherein: the at least one evaluation comprises an eligibility evaluation (B’far: ¶ [0028] term "job" or "title" refers to a name ascribed to a person (e.g., and employee or a contractor, etc.) who is tasked to perform applicable duties, ¶ [0081] calculates number of jobs for which each and every permission in the candidate cluster is granted, ¶ [0082] Once the privileges have been authorized to a job by a candidate cluster, ¶ [0096]); and 
the eligibility evaluation comprises determining a count of one or more users of the computing system eligible to receive a role corresponding to the candidate bundle of access rights (B’far: ¶ [0081] calculates number of jobs for which each and every permission in the candidate cluster is granted, ¶ [0082] A permission cluster ( e.g., cluster of authorizations or privileges) will be prioritized for consideration as a role based on the number of jobs that inherit all of its privileges in combination with the number of privileges it contains. Once the privileges have been authorized to a job by a candidate cluster, ¶¶ [0040, 0025, 0028]).

Regarding Claim 12,
Claim 12 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far further discloses wherein: the at least one evaluation comprises a coverage evaluation (B’far: ¶ [0010] sets can be optimized ( e.g., minimize number of sets, maximize coverage, etc.), ¶ [0077] Column NPs gives the number of permissions in the corresponding candidate cluster. Column Jobs enumerates the jobs for which each and every permission in the candidate cluster is granted. The column Njobs calculates the number of jobs for which each and every permission in the candidate cluster is granted, and the column The column Product is the arithmetic product of (NPs*Njobs ), ¶ [0096] optimizing ( e.g., ranking and selecting) the plurality of sets of the permissions based at least in part on a calculated extent of coverage over the at least one job); and 
the coverage evaluation comprises determining a coverage of the candidate bundle of access rights, wherein the coverage is based on a count of one or more users of the computing system eligible to receive a role corresponding to the candidate bundle of access rights and a count of the access rights of the candidate bundle of access rights (B’far: ¶ [0071] analyzing permission clusters results in ranking, ordering, sorting or otherwise distinguishing certain ( e.g., larger, greater coverage, etc.) clusters from certain other (e.g., smaller, lesser coverage, etc.) clusters, ¶ [0077] Column NPs gives the number of permissions in the corresponding candidate cluster. Column Jobs enumerates the jobs for which each and every permission in the candidate cluster is granted. The column Njobs calculates the number of jobs for which each and every permission in the candidate cluster is granted, and the column The column Product is the arithmetic product of (NPs*Njobs ), ¶ [0096] optimizing ( e.g., ranking and selecting) the plurality of sets of the permissions based at least in part on a calculated extent of coverage over the at least one job, ¶¶ [0010, 0028]).

Regarding Claim 14,
Claim 14 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far does not explicitly disclose applying a minimum access right constraint.
However, Yang further discloses that constructing an FP-tree by retrieving the item descriptors from the transaction database 212 and a minimum support count (e.g., min_sup=3). The node 170A/B then performs a first scan of the database 212 to obtain the frequency count of each item. For all items in the database 212 with a frequency meeting or exceeding the minimum support count (e.g., min_sup=3), a header table 304 is constructed that contains the item (e.g., item T) and its frequency count (e.g., 4) (Yang: ¶ [0056]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 15,
Claim 15 is dependent on Claim 14, and the combination of B’far and Yang discloses all the limitations of Claim 14. However, B’far does not explicitly disclose wherein: the minimum access right constraint is applied during the traversing of the tree data structure; and 
applying the minimum access right constraint comprises excluding, from the at least one candidate bundle of access rights, a set of access rights having a count of access rights that does not meet a minimum access right count threshold.

descriptors from the transaction database 212 and a minimum support count (e.g., min_sup=3). The node 170A/B then performs a first scan of the database 212 to obtain the frequency count of each item. (i.e. traversing FP-tree ) For all items in the database 212 with a frequency meeting or exceeding the minimum support count (e.g., min_sup=3), a header table 304 is constructed that contains the item ( e.g., item T) and its frequency count (e.g., 4) (i.e. table contains items with three or more-min-sup=3) (Yang : ¶ [0056], See also Fig. 4 – 402, min_sup=3).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 16,
Claim 16 is dependent on Claim 14, and the combination of B’far and Yang discloses all the limitations of Claim 14. However, B’far does not explicitly disclose wherein: the minimum access right constraint is applied during an evaluation of the at least one evaluation; and 
selecting the candidate bundle of access rights at least based on the at least one evaluation comprises selecting the candidate bundle of access rights at least based on determining that the candidate bundle of access rights has a count of access rights that meets a minimum access right count threshold.
However, Yang further discloses retrieving the item descriptors from the transaction database 212 and a minimum support count (e.g., min_sup=3). The node 170A/B then performs a (i.e. selecting based on determining that the candidate bundle of access rights has a count of access rights that meets a minimum access right count threshold) (Yang: ¶ [0056]), and Frequency item table 508 shows the results of processing frequent item 'c' and contains item 'c' with a frequency of 4 and item 'c' with a frequency of 3 (Yang: ¶ [0056]), each of the frequent items and the combined single-item node tables 506 for each of the frequent items, the processing engine 202 generates association rules, such as association rules in the association rule table 510 (Yang: ¶ [0072]), and the association rule table 510, association rules include one or more of the following information: an antecedent, a consequent, a confidence (i.e. minimum access constraint used for the association rules which includes the confidence) (Yang: ¶ [0073]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree, thereby significantly reducing the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 18,
Claim 18 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far does not explicitly disclose receiving user input characterizing a configuration of the at least one constraint; and configuring the at least one constraint based on the configuration received.
(Yang : ¶ [0056]), system may also include an input device (not shown) where one or more conditions or parameters of the association rules to be mined may be input. For example, the input device may be used to input the threshold conditions ( e.g., thresholds for lift, support, confidence, etc., as well as the type of algorithm to implement) for the association rule to be mined (i.e. input characterizing a configuration of the at least one constraint –i.e. support threshold) (Yang : ¶ [0035]), and data mining engine 208A then uses the association rule algorithm to generate data rules that satisfy the specified metrics, such as lift, support and confidence (i.e. configuration of the at least one constraint--i.e. support threshold) (Yang : ¶ [0045]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree and thereby significantly reduce the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 19,
Claim 19 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, B’far does not explicitly disclose receiving user input characterizing a configuration of the at least one evaluation; and configuring the at least one evaluation based on the configuration received.

support, confidence, etc., as well as the type of algorithm to implement) for the association rule to be mined (i.e. input characterizing a configuration of the at least one evaluation—i.e. confidence) (Yang : ¶ [0035]), and data mining engine 208A then uses the association rule algorithm to generate data rules that satisfy the specified metrics, such as lift, support and confidence (i.e. configuration of the at least one evaluation—i.e. confidence) (Yang : ¶ [0045]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Yang in the teachings of B’far. A person having ordinary skill in the art would have been motivated to do so in order to learn association rules directly from the FP-tree and thereby significantly reduce the computational time (Yang: ¶ [0077]), and to reduce the size or complexity of the preliminary rule set 602 to form a final rule set 606 (Yang: ¶ [0075]).

Regarding Claim 20,
B’far discloses a system comprising (B’far: [Abstract] Systems and methods used in human resource management systems, ¶ [0099] computer system 600 suitable for implementing an embodiment of the present disclosure) one or more processors (B’far: ¶ [0099] a processor 607, a system memory 608 (e.g., RAM), a static storage device (e.g., ROM 609), a disk drive 610 (e.g., magnetic or optical)…, and an external data repository 631, ¶ [0101]), a data store storing access right data characterizing a plurality of access rights associated with a plurality of users of a computing system (B’far: ¶ [0030] "permission" or "privilege" or "authorization" refers to a granted ability perform a particular activity, ¶ [0048] a permissions descriptions database for storing and retrieving one or more permission descriptions 104..., a computer processor to perform analysis, ¶ [0010] a plurality of permissions for the respective duties of the job, ¶ [0028] "job" or "title" refers to a name ascribed to a person (e.g., and employee or a contractor, etc.) who is tasked to perform applicable duties, ¶¶ [0048, 0062]), wherein individual access rights of the plurality of access rights are associated with a computing resource of the computing system (B’far: ¶ [0030] "permission" or "privilege" or "authorization" refers to a granted ability perform a particular activity …, a duty to approve a purchase order can be codified to a permission to read a purchase order from a database, and to view a corresponding authorization signature block, and to sign the purchase order, and to store the authorizing signature block in the database, ¶¶ [0048, 0099]), and memory storing instructions that, when executed by the one or more processors, cause the system to (B’far: ¶ [0099] a processor 607, a system memory 608 (e.g., RAM), a static storage device (e.g., ROM 609), a disk drive 610 (e.g., magnetic or optical)…, and an external data repository 631, ¶¶ [0101-0102]) and discloses all the limitations of Claim 20, in combination with Yang, as discussed in Claim 1. Therefore, Claim 20 is rejected using the same rationales as discussed in Claim 1.

11.	Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over B’far et al. (US 2014/0129268 A1, hereinafter B’far) in view of Yang et al. (US 2018/0107695 A1, hereinafter Yang) and further in view of Bertino et al. (US 2008/0320549 A1, hereinafter Bertino).

Regarding Claim 7,
Claim 7 is dependent on Claim 6, and the combination of B’far and Yang discloses all the limitations of Claim 6. However, the combination of B’far and Yang does not disclose wherein: 
However, Bertino et al. from the same field of endeavor as the claimed invention discloses that method for determining similarity of two policies includes providing a first policy with n rules and a second policy with m rules, wherein each rule is structured into a plurality of identifiable elements (Bertino: [Abstract]), and similarity score obtained between the rules is then used to find one->many mappings…, for each rule in the two policies… For each rule in a policy P1 (P2), the mappings give similar rules in P2 (P1) which satisfy a certain similarity threshold (Bertino: ¶ [0021]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Bertino in the teachings of B’far and Yang. A person having ordinary skill in the art would have been motivated to do so because policy similarity measure can serve as a filter before applying any additional logical reasoning or Boolean function comparison. It can provide a useful lightweight approach to pre-compile a list of policies and return the most similar policies for further exploration (Bertino: ¶ [0006]).

12.	Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over B’far et al. (US 2014/0129268 A1, hereinafter B’far) in view of Yang et al. (US 2018/0107695 A1, hereinafter Yang) and further in view of Chari et al. (US 2012/0246098 A1, hereinafter Chari).

Regarding Claim 11,
Claim 11 is dependent on Claim 10, and the combination of B’far and Yang discloses all the limitations of Claim 10. However, the combination of B’far and Yang does not explicitly disclose 
However, Chari from the same field of endeavor as the claimed invention discloses the problems of mining of user roles to specify access control policies from entitlement as well as logs which contain record of the usage of these entitlements  (Chari: [Abstract]), and very crucial to the performance of ATM is the choice of relevant user attributes to use in the model, as well as cleansing the values of these attributes…,using all user attributes results in poor performance often with a vast amount of over-assignments. A simple measure to identify relevant attributes is to discard any attribute value which is not assigned to more than a threshold number of users (Chari: ¶ [0082]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Chari in the teachings of B’far and Yang. A person having ordinary skill in the art would have been motivated to do so for performance improvements (Chari: ¶ [0073], ¶ [0082]).

13.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over B’far et al. (US 2014/0129268 A1, hereinafter B’far) in view of Yang et al. (US 2018/0107695 A1, hereinafter Yang) and further in view of Agarwal et al. (US 2016/0180229 A1, hereinafter Agarwal).

Regarding Claim 13,
Claim 13 is dependent on Claim 12, and the combination of B’far and Yang discloses all the limitations of Claim 12. However, the combination of B’far and Yang does not explicitly disclose wherein: selecting the candidate bundle of access rights at least based on the at least one evaluation 
However, Agarwal from the same field of endeavor as the claimed invention discloses that method and a system for interpreting a dataset comprising a plurality of items is described herein. The method may include computing a rule set pertaining to the dataset, generating a rule cover, calculating a plurality of distances between the plurality (Agarwal: [Abstract]), and the set of rules is generated, the data interpretation system may identify a rule cover from the set of rules. In an implementation, the data interpretation system may arrange the rules in a descending order of support. Thereafter, those rules are selected for which the coverage of the rules is above a pre-defined threshold value (Agarwal: ¶ [0019]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Agarwal in the teachings of B’far and Yang. A person having ordinary skill in the art would have been motivated to do so because only a subset of rules are selected which covers almost the same amount of data as covered by the original ruleset (See Agarwal: ¶ [0019]).

14.	Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over B’far et al. (US 2014/0129268 A1, hereinafter B’far) in view of Yang et al. (US 2018/0107695 A1, hereinafter Yang) and further in view of Whitson (US 2008/0168063 A1, hereinafter Whitson).

Regarding Claim 17,
Claim 17 is dependent on Claim 1, and the combination of B’far and Yang discloses all the limitations of Claim 1. However, the combination of B’far and Yang does not disclose providing an indication of at least one access right of the candidate bundle of access rights, wherein defining the 
providing an indication of at least one user eligible to receive the role, wherein provisioning the role comprises provisioning the role based on the indication of the at least one user.
However, Whitson from the same field of endeavor as the claimed invention discloses that systems, methods and media for automatically generating a role based access control model (RBAC) for an organizational environment with a role based access control system such as a hierarchical RBAC (Whitson: [Abstract]), receive an indication of existing permissions granted to users of an organizational environment and a role mining module for communication with the environment interface module. The role mining module may analyze the permissions to create permission characteristics and may also perform cladistics analysis on the permission characteristics to determine role perspective relationships between individual users of the organizational environment (i.e. providing an indication of at least one access right…), include a role perspective analyzer module in communication with the role mining module to generate an RBAC model based on the determined role perspective relationships (Whitson: ¶ [0009]), and performing cladistics analysis on the permission characteristics and generating an HRBAC model specifying role perspective relationships between individual users of the client organizational environment (Whitson: ¶ [0010]), receive an indication of one of more modifications to the determined role perspective relationships and to modify the role perspective relationships in response (Whitson: ¶ [0046]), and defining roles for various job functions in an organization and assigning permissions to perform certain operations to various roles. Users of the system may then be assigned particular roles and through those role assignments the user may acquire the permissions to perform particular system functions (Whitson: ¶ [0030]).
 (Whitson: ¶ [0047]).

Conclusion
15.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US-7953685-B2
US-8983877-B2
US-20170295183-A1
US-20180336256-A1
US-20190312881-A1
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507.  The examiner can normally be reached on MON-FRI 8AM-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494


/Jeremy S Duffield/Primary Examiner, Art Unit 2498