Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This office action is responsive to communication filed on 12/09/2021. Claims 1-5, 7-15 and 17-20 have been examined.
Amendment to Drawings
Applicant has amended FIG. 8 to improve the quality. Applicant has amended FIG. 10 to add drawing labels "FIG. 10A" to page 11 and "FIG. 10B" to page 12. The amended drawings have been accepted.
Response to Arguments
Regarding 35 U.S.C. 103, applicant’s arguments, see pages 15-23, filed on 12/09/2021, with respect to claims 1-5, 7-15 and 17-20 have been fully considered but are not persuasive. Claims 1, 11 and 20 were amended and claims 6 and 16 were cancelled.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Hence a new ground of rejection is further presented in view of Annett et al. (US20160162179A1), and further in view of Staggs et al. (US20130198799A1).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 7-11 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Morkovine et al. (US20200065343A1) hereinafter Morkovine in view of Wolff et al. (US20200259852A1) hereinafter Wolff in view of Annett et al. (US20160162179A1) hereinafter Annett, and further in view of Staggs et al. (US20130198799A1) hereinafter Staggs.
As per claim 1.  A system comprising: at least one processor; and 
a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor to perform a method comprising: (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory. Such instructions (e.g., program instructions 9021, program instructions 902 2, program instructions 902 3, etc.) can be contained in or can be read into a storage location or memory from any computer readable/usable storage medium such as a static storage device or a disk drive. The sequences can be organized to be accessed by one or more processing entities configured to execute a single process or configured to execute multiple concurrent processes to perform work).
collecting data about relationships (Morkovine, par0029 teaches when multiple users (e.g., collaborators) interact with these content objects using the third-party applications, the corresponding interaction events [data about relationships] are recorded at the content management system. As used herein, interaction events are data elements that describe a time-sequenced tracking history of user actions taken over one or more content objects. Such a history of user actions taken over one or more content objects can comprise user actions that are raised either at or by operation of a native application or raised at or by operation of a third-party application).
between applications and (Morkovine, par0037 teaches such integration may include registration of the applications with the content management system, establishment of application programming interfaces (APIs) to facilitate communication between the applications).
metadata associated (Morkovine, par0071 teaches the content object identifier can be used to, for example, query the object attributes (e.g., metadata) of the content object datastore to determine the content object type).
with the applications (Morkovine, par0085 teaches display generator 318 accesses the application display components 328 to identify certain components (e.g., icons, hyperlinks, etc.) associated with the applications (e.g., “appS”, “appD”, and “appF”) comprising recommended applications 116).
in a computing environment (Morkovine, par0102 teaches FIG. 9B depicts a block diagram of an instance of a cloud-based environment 9B00. Such a cloud-based environment supports access to workspaces through the execution of workspace access code (e.g., workspace access code 942 0, workspace access code 942 1, and workspace access code 942 2). Workspace access code can be executed on any of access devices 952 (e.g., laptop device 952 4, workstation device 952 5, IP phone device 952 3, tablet device 952 2, smart phone device 952 1, etc.), and can be configured to access any type of object. Strictly as examples, such objects can be folders or directories or can be files of any filetype. A group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users).
of an enterprise, (Morkovine, Fig. 5, par0073 teaches interaction events that involve interactions over the example PDF files by other users in the enterprise that comprises user “u1” might also be considered. The interaction events selected according to the foregoing criteria are added to the application activity graph (step 512). Specifically, the interaction events designated as an “enterprise-level event” are added to application activity graph 346 1. As can be observed, a set of “global-level event” data may also be added to application activity graph 346 1. Such “global-level event” data involves interactions over a content object (e.g., the example PDF file “fN”) by any user who is considered to be external to the aforementioned enterprise).
the metadata (Morkovine, par0051 teaches in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330).
including information concerning (Morkovine, par0059 teaches permissions service 316 accesses certain information to determine which applications from the list of scored applications are valid for presentation to a user).
a plurality of users accessing the applications; accessing the applications by the subset of users (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications [a plurality of users accessing the applications], including third-party applications).
of the computing environment of the enterprise; (Morkovine, par0081 teaches a user may also be restricted by certain enterprise-wide application and/or content object permissions).
updating a graph database including, being recorded to the graph database (Morkovine, par0047 teaches application activity graphs are constructed from the recorded interaction events (step 224). The application activity graphs [graph database] might be continuously constructed [being recorded to] (e.g., created, updated, etc.) as interaction events are received, or constructed synchronous to receiving one or more instructions (e.g., requests)).
nodes representing, and edges representing relationships between, the applications, relationships related to, the graph database (Morkovine, par0041 teaches in certain embodiments, the interaction events associated with the third-party application interaction activity are processed to construct various application activity graphs. As used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the content objects, the users, or other entities, and the logical relationships can correspond to the third-party applications or other relationship characteristics (e.g., time). In response to a request for recommended applications [the applications], the application activity graphs [the graph database] are analyzed to identify a set of recommended applications for the request).
(Morkovine, par0057 teaches when a particular application activity graph is constructed (e.g., in response to a recommendation request), application recommendation engine 120 accesses the scoring service 314 to assign scores to the applications associated with the particular application activity graph [enriching the graph database by associating the nodes with metadata]. Each score is a quantitative measure of the relevance of a particular application to the context of the recommendation request, which context is characterized by certain attributes (e.g., user attributes, object attributes, interaction attributes, etc.) associated with the recommendation request. As such, the scores can be used to sort and/or rank the applications to determine the applications that are most relevant to the context (e.g., users, content objects, contemporaneous interaction events, etc.) of the recommendation request).
analyzing the graph database to identify a subset of nodes being accessed by a user of the plurality of users; (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications, including third-party applications).
the subset of nodes and relationships between the nodes in the subset of the nodes; relationships between the nodes associated with (Morkovine, par0066 teaches the edges (e.g., arcs, lines, etc.) between the nodes [the subset of nodes] represent the pairwise relationships between the nodes (e.g., users, content objects). Such object relationships can have certain characteristics and/or attributes associated with them. For example, and as indicated in the figure, the object relationships are associated with at least the “appID” attribute (e.g., “appS” “appD” “appF” and “appN” of the corresponding interaction event)).
a subset of users defined by at least one of a group, a role, and an organizational membership and, the subset of users; (Morkovine, par0102 teaches a group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users. For example, and as shown, a collaborator group can comprise a user collaborator, an administrator collaborator, a creator collaborator, etc. Any user can use any one or more of the access devices, and such access devices can be operated concurrently to provide multiple concurrent sessions and/or other techniques to access workspaces through the workspace access code).
the nodes representing (Morkovine, par0029 teaches as used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the third-party applications, the content objects, the users, and/or other entities associated with the computing environment).
permitting a subset of communications between the nodes, (Morkovine, par0051 teaches content management server 108 might facilitate access to shared content in content objects 106 by the users (e.g., user 102 1, . . . , user 102 N) from a respective set of user devices (e.g., user device 302 1, . . . , user device 302 N). The content objects (e.g., files, folders, etc.) [application] in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330. Furthermore, the users are characterized at least in part by a set of user attributes 342 stored in a set of user profiles 332 at storage devices 330).
identifying at least one user of the plurality of users permitted to access at least one application
(Morkovine, par0054, 0088 teaches processor 310 will access the user attributes 342 (e.g., user identifiers, etc.) stored in user profiles 332 and/or the object attributes 340 (e.g., content object identifiers, etc.)… permissions service 316 might access the user profiles 332 to identify any permissions constraints of the user (e.g., user “u1”) that affect the scored applications. Such constraints might pertain to the user not having access to certain applications and/or the user not being authorized to perform certain operations specified by certain applications).
to understand access currently allowed from the plurality of users to the applications (Morkovine, par0036 teaches the content management system provides instances of a native application that can be accessed by respective ones of the users 102 to facilitate a user's interactions with content objects 106 and/or with one another).
          Morkovine does not explicitly disclose enriching, metadata associated with, by associating user accounts associated with the plurality of users with, roles, organizations membership, privileges, and permissions associated with the plurality of users; organizations membership, displaying, a graphical representation of, via the graphical user interface, the permissions provided to the subset of users defined by at least one of the group, the role, and organizational unit, the applications; and in relation to the nodes representing, comparing the permissions with.
          Wolff however discloses enriching, metadata associated with (Wolff, par0054 teaches metadata associated with each item of data can be embedded into various formats for input into one or more algorithms responsible for modeling the importance of an item of data).
by associating user accounts associated with the plurality of users with (Wolff, par0024 teaches the repository can store information concerning each organization's accounts and the individual user accounts associated with each organization. In some instances, a user associated with an organization may have user accounts with various cloud applications, and the organization may also have administrative accounts with the cloud applications that have management authority over its user's accounts. By associating user accounts to their proper organization accounts, the resulting data may be used in various ways, including retrieving information about the user activity of users associated with an organization).
roles, organizations membership, privileges, and permissions associated with the plurality of users; (Wolff, par0032 teaches in various examples, state data can provide information about all the entities across a network or organization, such as users of the cloud service applications, installed applications, roles, policies, permissions, files, data packages, and other information that may not be identified by activity data. State data may, in some instances, include similar data such as a time stamp for the most recent activity that referenced or used an entity, but state data itself is generally not associated with a discrete event or activity. State data can provide information about intervals of time rather than information about the instant an activity occurred or the activity itself. State data for a user can represent or include, for example, user identifiers, user roles, user permissions, and/or user privileges for the cloud service applications).
organizations membership (Wolff, par0020  teaches FIG. 1 illustrates an example system 100 in which an organization uses a number of cloud service providers 102. The cloud service providers 102 can host application platforms that members of the organization can access to accomplish various computational tasks related to, for example, word processing, social networking, data storage and access, computer programming, email, or other computer-related tasks).
(Wolff, par0036-0037 teaches once the entities are identified, they can be organized into a graph structure… the graph can be analyzed manually via visual or textual exploration of the graph in its entirety, via exploration of subgraphs, exploration of individual nodes and/or edges in the graph, aggregations on top of the graph, or other interactive modalities).
via the graphical user interface, (Wolff, par0070 teaches a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification).
the applications and groups of users accessing the applications; (Wolff, par0056 teaches the application platforms 302 can be accessed through a network 332 (e.g., the Internet) by users of client devices 340-1, 340-2, 340-3 (collectively 340), such as smart phones, personal computers, tablet computers, and/or laptop computers. Other user client devices are possible. The users of the client devices 340 generally are members of or belong to an organization 342 that provides the users with access (e.g., via subscriptions) to the application platforms 302).
the permissions provided to the subset of users defined by at least one of the group, the role, and organizational unit, the applications; and (Wolff, par0046 teaches as an example of an abstracted permission model, in a first system or application, a user may be assigned a role, and each role may contain a collection of permissions that the user may engage in, for example, an ability to create new user accounts or delete files. In another application, a user may be assigned multiple different roles, each containing an overlapping set of permissions. In another application, a user may simply have no roles or permissions identified, and instead the permissions are inferred to be a minimal set of permissions a user can have in the application. To assess the permissions assigned to a user across all systems, different permissions models can be mapped to a joint model. In this example, a joint abstract model may allow for multiple roles with overlapping permissions, and all systems or applications can have models mapping into that system. For example, in the case of the application with no role assigned to the user, the user can be mapped to a model having a default role with default permissions).
in relation to the nodes representing (Wolff, par0006 teaches each node of the graphical representation represents a respective user of the application platforms and each edge connecting the nodes represents an activity among the users and/or entities in the application platforms).
comparing the permissions with (Wolff, par0049 teaches one or more models can be developed and used predict baseline permissions for users and then compare actual permissions with the predicted baselines, to identify users who have unwarranted permission).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of enriching, metadata associated with, by associating user accounts associated with the plurality of users with, roles, organizations membership, privileges, and permissions associated with the plurality of users; organizations membership, displaying, a graphical representation of, via the graphical user interface, the permissions provided to the subset of users defined by at least one of the group, the role, and organizational unit, the applications; and in relation to the nodes representing, comparing the permissions with, as taught by Wolff in the system of Morkovine, so using the graphs an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its “attack surface area,” to make the organization less vulnerable to security incidents, see Wolff par0004.
          Morkovine and Wolff do not explicitly disclose by generating a whitelist, the whitelist.
          Annett however discloses generating a whitelist (Annett par0088 teaches the permissions repository 944 can include a map of users to the applications 936 they are permitted to access, a whitelist 946 that identifies users who are permitted access to the computing device 902 or applications 936, and a blacklist 948 that identifies users who are not permitted such access).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of by generating a whitelist, the whitelist, as taught by Annett in the system of Morkovine and Wolff, so when an unpermitted user is identified as trying to access an application (e.g., the user is on a blacklist, the user is not on a preapproved whitelist, the user is unidentified), the computing device can provide a notification to the relevant authority.
          Morkovine, Wolff and Annett do not explicitly disclose including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users.
          Staggs however discloses including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users. (Staggs par 0019, 0026, 0032 and 0033 teaches FIG. 1, system 100 includes Role-Based Access Control (RBAC) subsystem 102. RBAC subsystem 102 can perform various functions associated with controlling access to a system based on one or more roles. Those functions include functions such as, for example, those discussed above (e.g., create a role and/or associate access rights with a role)…. RBAC subsystem 102 can communicate information such as, for example, audit logs, security policies, training records, and other information to auditor 116. Auditor 116 can monitor the system for access records, system usage, permissions, etc….policy decision point 232 can determine a whitelist status of data client 220 and/or an antivirus state of data client 220. Further, user/application policy enforcement point 230 with support from policy decision point 232 can check an ID (e.g., unique identification information, such as system assigned identification information, LDAP token, etc.) of a user associated with data client 220 to determine that the user is valid (e.g., authenticated and authorized to access data server 222)….In some embodiments, provided the whitelist status, antivirus state, and user ID are determined to be adequate (approved by policy) the request can be communicated through the user/application policy enforcement point to the data server).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users, as taught by Staggs in the system of Morkovine, Wolff and Annett, so that role-based access control permissions allow for the binding of permissions to objects; a role can be set up and a scope of responsibility associated with the role can be defined, see Staggs par0008.

As per claim 7.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 1.
          Morkovine further discloses wherein the at least one processor is further configured to:  (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
identify one or more of the permissions unutilized by at least one of the plurality of users; (Morkovine, par0059 teaches the permissions service 316 is accessed by application recommendation engine 120 to filter the scored applications according to various permissions-based constraints. Specifically, permissions service 316 accesses certain information to determine which applications from the list of scored applications are valid for presentation to a user. Any applications deemed by permissions service 316 as not being valid for presentation are removed from consideration as a recommended application. An application might be deemed invalid for several reasons. For example, a particular user and/or enterprise associated with the user may not have access to the application. Furthermore, the then-current status (e.g., online, disabled, maintenance, hidden, published, unpublished, etc.) of an application may result in the application being ineligible as a recommended application. Moreover, a user may not be authorized to perform certain operations over a content object as specified by the application (e.g., a user with merely viewing privileges cannot edit using the application)).
generate a score reflecting an accuracy of the (Morkovine, par0057 teaches application recommendation engine 120 accesses the scoring service 314 to assign scores to the applications associated with the particular application activity graph. Each score is a quantitative measure of the relevance of a particular application to the context of the recommendation request, which context is characterized by certain attributes (e.g., user attributes, object attributes, interaction attributes, etc.) associated with the recommendation request. As such, the scores can be used to sort and/or rank the applications to determine the applications that are most relevant to the context (e.g., users, content objects, contemporaneous interaction events, etc.) of the recommendation request).
permissions provided to the plurality of users; and (Morkovine, par0013 teaches the presentation of the set of recommended applications are determined based at least in part on one or more permissions constraints, where the one or more permissions constraints correspond to at least one of, at least one user and his or her role or permission level, or at least one of the plurality of applications, or permissions pertaining to the shared content object itself).

          Wolff however discloses recommend the one or more of the permissions for removal from the permissions. (Wolff, par0031 teaches employees who have left an organization but may still be on group distribution lists, or individuals who have been removed from certain services but remain on others (e.g., removed from a source code repository but remain on email). To address the need to track unused profiles or entities, a set of all known entities can be compiled, and entities that are known to be inactive can be removed).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of recommend the one or more of the permissions for removal from the permissions, as taught by Wolff in the system of Morkovine, so using the graphs an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its “attack surface area,” to make the organization less vulnerable to security incidents, see Wolff par0004.

As per claim 8.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 7.
          Morkovine further discloses wherein the at least one processor is further configured to  (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
          Morkovine does not explicitly disclose score a risk associated with permissions for each of the applications to determine a criticality associated with the applications, and a degree of privilege associated with the plurality of users.
          Wolff however discloses score a risk associated with (Wolff, par0007 teaches a risk score for each user from the plurality of users, wherein the risk score is or includes an indication of a likelihood that the user will engage in unauthorized activity using the application platforms).
permissions for each of the applications to, determine a criticality associated with the applications, (Wolff, par0048 teaches these data features can be determined, for example, by direct collection of data from the underlying applications, aggregation of the underlying data from the applications, joining entities and activity between two different applications, and/or other available methods. The systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence [criticality] of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
a degree of privilege associated with the plurality of users (Wolff, par0048 teaches the model predictions can be used to flag risky user activities and/or privileges, and/or can be used to address harmful or unauthorized activity, preferably before such activity occurs. The systems and methods described herein can also be used to optimize user privileges with respect to the application platforms, for example, to ensure that each user's privileges are consistent with normal or desired practice).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of score a risk associated with permissions for each of the applications to determine a criticality associated with the applications, and a degree of privilege associated with the plurality of users, as taught by 

As per claim 9.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 8.
          Morkovine further discloses wherein the at least one processor is further configured to  (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
          Morkovine does not explicitly disclose determine an overall user access risk based on the accuracy of the permissions, the criticality associated with the applications, and the degree of privilege associated with the plurality of users.
          Wolff however discloses determine an overall user access risk based on the accuracy of the permissions (Wolff, par0050 teaches the function can use the user risk factors for each user (or entity) as input parameters and can provide as output a predicted [determining] overall risk assessment for the user (or entity). In some instances, for example, each user risk factor can be associated with a weight that increases or decreases risk. The function or other model can combine the risk factors to generate a risk score for each user. The risk score can provide, for example, an indication of a likelihood that a user will engage (or has an ability to engage) in unauthorized or harmful activity with the cloud applications or data available therein. Users who have high risk scores can be flagged and appropriate action can be taken to prevent such users from engaging in harmful activity. Such action can include, for example, adjusting user permissions [accuracy of the permissions] or user privileges associated with the cloud applications, in an effort to obtain a less risky combination of user risk factors).
the criticality associated with the applications, (Wolff, par0048 teaches these data features can be determined, for example, by direct collection of data from the underlying applications, aggregation of the underlying data from the applications, joining entities and activity between two different applications, and/or other available methods. The systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence [criticality] of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
the degree of privilege associated with the plurality of users (Wolff, par0048 teaches the model predictions can be used to flag risky user activities and/or privileges, and/or can be used to address harmful or unauthorized activity, preferably before such activity occurs. The systems and methods described herein can also be used to optimize user privileges with respect to the application platforms, for example, to ensure that each user's privileges are consistent with normal or desired practice).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of determine an overall user access risk based on the accuracy of the permissions, the criticality associated with the applications, and the degree of privilege associated with the plurality of users, as taught by Wolff in the system of Morkovine, so using the graphs an organization can increase the efficiency with 

As per claim 10.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 1.
          Morkovine further discloses wherein the at least one processor is further configured to (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
          Morkovine does not explicitly disclose generate, based on the metadata associated with the accessing the applications by the plurality of users, further permissions for the plurality of users.
          Wolff however discloses generate, further permissions for the plurality of users (Wolff, par0050 teaches the function can use the user risk factors for each user (or entity) as input parameters and can provide as output a predicted [determining] overall risk assessment for the user (or entity). In some instances, for example, each user risk factor can be associated with a weight that increases or decreases risk. The function or other model can combine the risk factors to generate a risk score for each user. The risk score can provide, for example, an indication of a likelihood that a user will engage (or has an ability to engage) in unauthorized or harmful activity with the cloud applications or data available therein. Users who have high risk scores can be flagged and appropriate action can be taken to prevent such users from engaging in harmful activity. Such action can include, for example, adjusting user permissions [generate further permission] or user privileges associated with the cloud applications, in an effort to obtain a less risky combination of user risk factors.).
 (Wolff, par0048 teaches these data features can be determined, for example, by direct collection of data from the underlying applications, aggregation of the underlying data from the applications, joining entities and activity between two different applications, and/or other available methods. The systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence [criticality] of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
based on the metadata (Wolff, par0048 teaches the systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of generate, based on the metadata associated with the accessing the applications by the plurality of users, further permissions for the plurality of users, as taught by Wolff in the system of Morkovine, so using the graphs an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its “attack surface area,” to make the organization less vulnerable to security incidents, see Wolff par0004.
As per claim 11.  A method comprising: (Morkovine, par0091 teaches computer system 9A00 performs specific operations [method] by data processor 907 executing one or more sequences of one or more program instructions contained in a memory. Such instructions (e.g., program instructions 902 1, program instructions 902 2, program instructions 902 3, etc.) can be contained in or can be read into a storage location or memory from any computer readable/usable storage medium such as a static storage device or a disk drive. The sequences can be organized to be accessed by one or more processing entities configured to execute a single process or configured to execute multiple concurrent processes to perform work).
collecting data about relationships (Morkovine, par0029 teaches when multiple users (e.g., collaborators) interact with these content objects using the third-party applications, the corresponding interaction events [data about relationships] are recorded at the content management system. As used herein, interaction events are data elements that describe a time-sequenced tracking history of user actions taken over one or more content objects. Such a history of user actions taken over one or more content objects can comprise user actions that are raised either at or by operation of a native application or raised at or by operation of a third-party application).
between applications and (Morkovine, par0037 teaches such integration may include registration of the applications with the content management system, establishment of application programming interfaces (APIs) to facilitate communication between the applications).
metadata associated (Morkovine, par0071 teaches the content object identifier can be used to, for example, query the object attributes (e.g., metadata) of the content object datastore to determine the content object type).
(Morkovine, par0085 teaches display generator 318 accesses the application display components 328 to identify certain components (e.g., icons, hyperlinks, etc.) associated with the applications (e.g., “appS”, “appD”, and “appF”) comprising recommended applications 116).
in a computing environment (Morkovine, par0102 teaches FIG. 9B depicts a block diagram of an instance of a cloud-based environment 9B00. Such a cloud-based environment supports access to workspaces through the execution of workspace access code (e.g., workspace access code 942 0, workspace access code 942 1, and workspace access code 942 2). Workspace access code can be executed on any of access devices 952 (e.g., laptop device 952 4, workstation device 952 5, IP phone device 952 3, tablet device 952 2, smart phone device 952 1, etc.), and can be configured to access any type of object. Strictly as examples, such objects can be folders or directories or can be files of any filetype. A group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users).
of an enterprise, (Morkovine, Fig. 5, par0073 teaches interaction events that involve interactions over the example PDF files by other users in the enterprise that comprises user “u1” might also be considered. The interaction events selected according to the foregoing criteria are added to the application activity graph (step 512). Specifically, the interaction events designated as an “enterprise-level event” are added to application activity graph 346 1. As can be observed, a set of “global-level event” data may also be added to application activity graph 346 1. Such “global-level event” data involves interactions over a content object (e.g., the example PDF file “fN”) by any user who is considered to be external to the aforementioned enterprise).
(Morkovine, par0051 teaches in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330).
including information concerning (Morkovine, par0059 teaches permissions service 316 accesses certain information to determine which applications from the list of scored applications are valid for presentation to a user).
a plurality of users accessing the applications; accessing the applications by the subset of users (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications [a plurality of users accessing the applications], including third-party applications).
of the computing environment of the enterprise; (Morkovine, par0081 teaches a user may also be restricted by certain enterprise-wide application and/or content object permissions).
updating a graph database including, being recorded to the graph database (Morkovine, par0047 teaches application activity graphs are constructed from the recorded interaction events (step 224). The application activity graphs [graph database] might be continuously constructed [being recorded to] (e.g., created, updated, etc.) as interaction events are received, or constructed synchronous to receiving one or more instructions (e.g., requests).
nodes representing, and edges representing relationships between, the applications, relationships related to, the graph database (Morkovine, par0041 teaches in certain embodiments, the interaction events associated with the third-party application interaction activity are processed to construct various application activity graphs. As used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the content objects, the users, or other entities, and the logical relationships can correspond to the third-party applications or other relationship characteristics (e.g., time). In response to a request for recommended applications [the applications], the application activity graphs [the graph database] are analyzed to identify a set of recommended applications for the request).
enriching the graph database by associating the nodes with metadata associated with the applications; (Morkovine, par0057 teaches when a particular application activity graph is constructed (e.g., in response to a recommendation request), application recommendation engine 120 accesses the scoring service 314 to assign scores to the applications associated with the particular application activity graph [enriching the graph database by associating the nodes with metadata]. Each score is a quantitative measure of the relevance of a particular application to the context of the recommendation request, which context is characterized by certain attributes (e.g., user attributes, object attributes, interaction attributes, etc.) associated with the recommendation request. As such, the scores can be used to sort and/or rank the applications to determine the applications that are most relevant to the context (e.g., users, content objects, contemporaneous interaction events, etc.) of the recommendation request).
analyzing the graph database to identify a subset of nodes being accessed by a user of the plurality of users; (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications, including third-party applications).
the subset of nodes and relationships between the nodes in the subset of the nodes; relationships between the nodes associated with (Morkovine, par0066 teaches the edges (e.g., arcs, lines, etc.) between the nodes [the subset of nodes] represent the pairwise relationships between the nodes (e.g., users, content objects). Such object relationships can have certain characteristics and/or attributes associated with them. For example, and as indicated in the figure, the object relationships are associated with at least the “appID” attribute (e.g., “appS”, “appD”, “appF”, and “appN” of the corresponding interaction event).
a subset of users defined by at least one of a group, a role, and an organizational membership and, the subset of users; (Morkovine, par0102 teaches a group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users. For example, and as shown, a collaborator group can comprise a user collaborator, an administrator collaborator, a creator collaborator, etc. Any user can use any one or more of the access devices, and such access devices can be operated concurrently to provide multiple concurrent sessions and/or other techniques to access workspaces through the workspace access code).
the nodes representing (Morkovine, par0029 teaches as used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the third-party applications, the content objects, the users, and/or other entities associated with the computing environment).
permitting a subset of communications between the nodes, (Morkovine, par0051 teaches content management server 108 might facilitate access to shared content in content objects 106 by the users (e.g., user 102 1, . . . , user 102 N) from a respective set of user devices (e.g., user device 302 1, . . . , user device 302 N). The content objects (e.g., files, folders, etc.) [application] in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330. Furthermore, the users are characterized at least in part by a set of user attributes 342 stored in a set of user profiles 332 at storage devices 330).
identifying at least one user of the plurality of users permitted to access at least one application
(Morkovine, par0054, 0088 teaches processor 310 will access the user attributes 342 (e.g., user identifiers, etc.) stored in user profiles 332 and/or the object attributes 340 (e.g., content object identifiers, etc.)… permissions service 316 might access the user profiles 332 to identify any permissions constraints of the user (e.g., user “u1”) that affect the scored applications. Such constraints might pertain to the user not having access to certain applications and/or the user not being authorized to perform certain operations specified by certain applications).
to understand access currently allowed from the plurality of users to the applications (Morkovine, par0036 teaches the content management system provides instances of a native application that can be accessed by respective ones of the users 102 to facilitate a user's interactions with content objects 106 and/or with one another).
          Morkovine does not explicitly disclose enriching, metadata associated with, by associating user accounts associated with the plurality of users with, roles, organizations membership, privileges, and permissions associated with the plurality of users; organizations membership, displaying, a graphical representation of, via the graphical user interface, the permissions provided to the subset of users defined by at least one of the group, the role, and 
          Wolff however discloses enriching, metadata associated with (Wolff, par0054 teaches metadata associated with each item of data can be embedded into various formats for input into one or more algorithms responsible for modeling the importance of an item of data).
by associating user accounts associated with the plurality of users with (Wolff, par0024 teaches the repository can store information concerning each organization's accounts and the individual user accounts associated with each organization. In some instances, a user associated with an organization may have user accounts with various cloud applications, and the organization may also have administrative accounts with the cloud applications that have management authority over its user's accounts. By associating user accounts to their proper organization accounts, the resulting data may be used in various ways, including retrieving information about the user activity of users associated with an organization).
roles, organizations membership, privileges, and permissions associated with the plurality of users; (Wolff, par0032 teaches in various examples, state data can provide information about all the entities across a network or organization, such as users of the cloud service applications, installed applications, roles, policies, permissions, files, data packages, and other information that may not be identified by activity data. State data may, in some instances, include similar data such as a time stamp for the most recent activity that referenced or used an entity, but state data itself is generally not associated with a discrete event or activity. State data can provide information about intervals of time rather than information about the instant an activity occurred or the activity itself. State data for a user can represent or include, for example, user identifiers, user roles, user permissions, and/or user privileges for the cloud service applications).
organizations membership (Wolff, par0020 teaches FIG. 1 illustrates an example system 100 in which an organization uses a number of cloud service providers 102. The cloud service providers 102 can host application platforms that members of the organization can access to accomplish various computational tasks related to, for example, word processing, social networking, data storage and access, computer programming, email, or other computer-related tasks).
displaying, a graphical representation of (Wolff, par0036-0037 teaches once the entities are identified, they can be organized into a graph structure… the graph can be analyzed manually via visual or textual exploration of the graph in its entirety, via exploration of subgraphs, exploration of individual nodes and/or edges in the graph, aggregations on top of the graph, or other interactive modalities).
via the graphical user interface, (Wolff, par0070 teaches a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification).
the applications and groups of users accessing the applications; (Wolff, par0056 teaches the application platforms 302 can be accessed through a network 332 (e.g., the Internet) by users of client devices 340-1, 340-2, 340-3 (collectively 340), such as smart phones, personal computers, tablet computers, and/or laptop computers. Other user client devices are possible. The users of the client devices 340 generally are members of or belong to an organization 342 that provides the users with access (e.g., via subscriptions) to the application platforms 302).
(Wolff, par0046 teaches as an example of an abstracted permission model, in a first system or application, a user may be assigned a role, and each role may contain a collection of permissions that the user may engage in, for example, an ability to create new user accounts or delete files. In another application, a user may be assigned multiple different roles, each containing an overlapping set of permissions. In another application, a user may simply have no roles or permissions identified, and instead the permissions are inferred to be a minimal set of permissions a user can have in the application. To assess the permissions assigned to a user across all systems, different permissions models can be mapped to a joint model. In this example, a joint abstract model may allow for multiple roles with overlapping permissions, and all systems or applications can have models mapping into that system. For example, in the case of the application with no role assigned to the user, the user can be mapped to a model having a default role with default permissions).
in relation to the nodes representing (Wolff, par0006 teaches each node of the graphical representation represents a respective user of the application platforms and each edge connecting the nodes represents an activity among the users and/or entities in the application platforms).
comparing the permissions with (Wolff, par0049 teaches one or more models can be developed and used predict baseline permissions for users and then compare actual permissions with the predicted baselines, to identify users who have unwarranted permission).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of enriching, metadata associated with, by associating user accounts associated with the plurality of users with, roles, 
          Morkovine and Wolff do not explicitly disclose by generating a whitelist, the whitelist.
          Annett however discloses by generating a whitelist, the whitelist. (Annett par0088 teaches the permissions repository 944 can include a map of users to the applications 936 they are permitted to access, a whitelist 946 that identifies users who are permitted access to the computing device 902 or applications 936, and a blacklist 948 that identifies users who are not permitted such access).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of by generating a whitelist, the whitelist, as taught by Annett in the method of Morkovine and Wolff, so when an unpermitted user is identified as trying to access an application (e.g., the user is on a blacklist, the user is not on a preapproved whitelist, the user is unidentified), the computing device can provide a notification to the relevant authority.
          Morkovine, Wolff and Annett do not explicitly disclose including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users.
(Staggs par0019, 0026, 0032 and 0033 teaches FIG. 1, system 100 includes Role-Based Access Control (RBAC) subsystem 102. RBAC subsystem 102 can perform various functions associated with controlling access to a system based on one or more roles. Those functions include functions such as, for example, those discussed above (e.g., create a role and/or associate access rights with a role)… RBAC subsystem 102 can communicate information such as, for example, audit logs, security policies, training records, and other information to auditor 116. Auditor 116 can monitor the system for access records, system usage, permissions, etc.… policy decision point 232 can determine a whitelist status of data client 220 and/or an antivirus state of data client 220. Further, user/application policy enforcement point 230 with support from policy decision point 232 can check an ID (e.g., unique identification information, such as system assigned identification information, LDAP token, etc.) of a user associated with data client 220 to determine that the user is valid (e.g., authenticated and authorized to access data server 222)… In some embodiments, provided the whitelist status, antivirus state, and user ID are determined to be adequate (approved by policy) the request can be communicated through the user/application policy enforcement point to the data server).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users, as taught by Staggs in the method of Morkovine, Wolff and Annett, so Role-based access control permissions allow for the binding of permissions to objects, a role can be set up and a scope of responsibility associated with the role can be defined, see Staggs par0008.

As per claim 17.  Morkovine, Wolff, Annett and Staggs disclose the method of claim 11.
          Morkovine further discloses further comprising: identifying one or more of the permissions unutilized by at least one of the plurality of users; (Morkovine, par0059 teaches the permissions service 316 is accessed by application recommendation engine 120 to filter the scored applications according to various permissions-based constraints. Specifically, permissions service 316 accesses certain information to determine which applications from the list of scored applications are valid for presentation to a user. Any applications deemed by permissions service 316 as not being valid for presentation are removed from consideration as a recommended application. An application might be deemed invalid for several reasons. For example, a particular user and/or enterprise associated with the user may not have access to the application. Furthermore, the then-current status (e.g., online, disabled, maintenance, hidden, published, unpublished, etc.) of an application may result in the application being ineligible as a recommended application. Moreover, a user may not be authorized to perform certain operations over a content object as specified by the application (e.g., a user with merely viewing privileges cannot edit using the application)).
generate a score reflecting an accuracy of the (Morkovine, par0057 teaches application recommendation engine 120 accesses the scoring service 314 to assign scores to the applications associated with the particular application activity graph. Each score is a quantitative measure of the relevance of a particular application to the context of the recommendation request, which context is characterized by certain attributes (e.g., user attributes, object attributes, interaction attributes, etc.) associated with the recommendation request. As such, the scores can be used to sort and/or rank the applications to determine the applications that are most relevant to the context (e.g., users, content objects, contemporaneous interaction events, etc.) of the recommendation request).
permissions provided to the plurality of users; and (Morkovine, par0013 teaches the presentation of the set of recommended applications are determined based at least in part on one or more permissions constraints, where the one or more permissions constraints correspond to at least one of, at least one user and his or her role or permission level, or at least one of the plurality of applications, or permissions pertaining to the shared content object itself).
          Morkovine does not explicitly disclose recommend the one or more of the permissions for removal from the permissions.
          Wolff however discloses recommend the one or more of the permissions for removal from the permissions. (Wolff, par0031 teaches employees who have left an organization but may still be on group distribution lists, or individuals who have been removed from certain services but remain on others (e.g., removed from a source code repository but remain on email). To address the need to track unused profiles or entities, a set of all known entities can be compiled, and entities that are known to be inactive can be removed).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of recommend the one or more of the permissions for removal from the permissions, as taught by Wolff in the method of Morkovine, so using the graphs an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its “attack surface area,” to make the organization less vulnerable to security incidents, see Wolff par0004.

As per claim 18.  Morkovine, Wolff, Annett and Staggs disclose the method of claim 17.

          Wolff however discloses further comprising scoring a risk associated with (Wolff, par0007 teaches a risk score for each user from the plurality of users, wherein the risk score is or includes an indication of a likelihood that the user will engage in unauthorized activity using the application platforms).
permissions for each of the applications to, determine a criticality associated with the applications, (Wolff, par0048 teaches these data features can be determined, for example, by direct collection of data from the underlying applications, aggregation of the underlying data from the applications, joining entities and activity between two different applications, and/or other available methods. The systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence [criticality] of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
a degree of privilege associated with the plurality of users (Wolff, par0048 teaches the model predictions can be used to flag risky user activities and/or privileges, and/or can be used to address harmful or unauthorized activity, preferably before such activity occurs. The systems and methods described herein can also be used to optimize user privileges with respect to the application platforms, for example, to ensure that each user's privileges are consistent with normal or desired practice).


As per claim 19.  Morkovine, Wolff, Annett and Staggs disclose the method of claim 18.
          Morkovine does not explicitly discloses further comprising determining an overall user access risk based on the accuracy of the permissions, the criticality associated with the applications, and the degree of privilege associated with the plurality of users.
          Wolff however discloses further comprising determining an overall user access risk based on the accuracy of the permissions (Wolff, par0050 teaches he function can use the user risk factors for each user (or entity) as input parameters and can provide as output a predicted [determining] overall risk assessment for the user (or entity). In some instances, for example, each user risk can factor can be associated with a weight that increases or decreases risk. The function or other model can combine the risk factors to generate a risk score for each user. The risk score can provide, for example, an indication of a likelihood that a user will engage (or has an ability to engage) in unauthorized or harmful activity with the cloud applications or data available therein. Users who have high risk scores can be flagged and appropriate action can be taken to prevent such users from engaging in harmful activity. Such action can include, for example, adjusting user permissions [accuracy of the permission] or user privileges associated with the cloud applications, in an effort to obtain a less risky combination of user risk factors.).
permissions for each of the applications to, the criticality associated with the applications, (Wolff, par0048 teaches these data features can be determined, for example, by direct collection of data from the underlying applications, aggregation of the underlying data from the applications, joining entities and activity between two different applications, and/or other available methods. The systems and methods described herein can measure or assess, based on metadata on the application and/or derived aggregation data from a global population of platform users, the following application features: a scope of permission associated with the application and a level of risk associated with the scope of permission; a prevalence [criticality] of the application within the organization and globally across all organizations on the platform; and/or a domain and company that developed the application).
the degree of privilege associated with the plurality of users (Wolff, par0048 teaches the model predictions can be used to flag risky user activities and/or privileges, and/or can be used to address harmful or unauthorized activity, preferably before such activity occurs. The systems and methods described herein can also be used to optimize user privileges with respect to the application platforms, for example, to ensure that each user's privileges are consistent with normal or desired practice).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising determining an overall user access risk based on the accuracy of the permissions, the criticality associated with the applications, and the degree of privilege associated with the plurality of users, as taught by Wolff in the method of Morkovine, so using the graphs an organization can 

As per claim 20.  A non-transitory processor-readable medium having embodied thereon a program being executable by at least one processor to perform a method comprising: (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory. Such instructions (e.g., program instructions 9021, program instructions 902 2, program instructions 902 3, etc.) can be contained in or can be read into a storage location or memory from any computer readable/usable storage medium [non-transitory processor-readable medium] such as a static storage device or a disk drive. The sequences can be organized to be accessed by one or more processing entities configured to execute a single process or configured to execute multiple concurrent processes to perform work).
collecting data about relationships (Morkovine, par0029 teaches when multiple users (e.g., collaborators) interact with these content objects using the third-party applications, the corresponding interaction events [data about relationships] are recorded at the content management system. As used herein, interaction events are data elements that describe a time-sequenced tracking history of user actions taken over one or more content objects. Such a history of user actions taken over one or more content objects can comprise user actions that are raised either at or by operation of a native application or raised at or by operation of a third-party application).
(Morkovine, par0037 teaches such integration may include registration of the applications with the content management system, establishment of application programming interfaces (APIs) to facilitate communication between the applications).
metadata associated (Morkovine, par0071 teaches the content object identifier can be used to, for example, query the object attributes (e.g., metadata) of the content object datastore to determine the content object type).
with the applications (Morkovine, par0085 teaches display generator 318 accesses the application display components 328 to identify certain components (e.g., icons, hyperlinks, etc.) associated with the applications (e.g., “appS”, “appD”, and “appF”) comprising recommended applications 116).
in a computing environment (Morkovine, par0102 teaches FIG. 9B depicts a block diagram of an instance of a cloud-based environment 9B00. Such a cloud-based environment supports access to workspaces through the execution of workspace access code (e.g., workspace access code 942 0, workspace access code 942 1, and workspace access code 942 2). Workspace access code can be executed on any of access devices 952 (e.g., laptop device 952 4, workstation device 952 5, IP phone device 952 3, tablet device 952 2, smart phone device 952 1, etc.), and can be configured to access any type of object. Strictly as examples, such objects can be folders or directories or can be files of any filetype. A group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users).
of an enterprise, (Morkovine, Fig. 5, par0073 teaches interaction events that involve interactions over the example PDF files by other users in the enterprise that comprises user “u1” might also be considered. The interaction events selected according to the foregoing criteria are added to the application activity graph (step 512). Specifically, the interaction events designated as an “enterprise-level event” are added to application activity graph 346 1. As can be observed, a set of “global-level event” data may also be added to application activity graph 346 1. Such “global-level event” data involves interactions over a content object (e.g., the example PDF file “ fN”) by any user who is considered to be external to the aforementioned enterprise).
the metadata (Morkovine, par0051 teaches in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330).
including information concerning (Morkovine, par0059 teaches permissions service 316 accesses certain information to determine which applications from the list of scored applications are valid for presentation to a user).
a plurality of users accessing the applications; accessing the applications by the subset of users (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications [a plurality of users accessing the applica], including third-party applications).
of the computing environment of the enterprise; (Morkovine, par0081 teaches a user may also be restricted by certain enterprise-wide application and/or content object permissions).
updating a graph database including, being recorded to the graph database (Morkovine, par0047 teaches application activity graphs are constructed from the recorded interaction events (step 224). The application activity graphs [graph database] might be continuously constructed [being recorded to] (e.g., created, updated, etc.) as interaction events are received, or constructed synchronous to receiving one or more instructions (e.g., requests)).
nodes representing, and edges representing relationships between, the applications, relationships related to, the graph database (Morkovine, par0041 teaches in certain embodiments, the interaction events associated with the third-party application interaction activity are processed to construct various application activity graphs. As used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the content objects, the users, or other entities, and the logical relationships can correspond to the third-party applications or other relationship characteristics (e.g., time). In response to a request for recommended applications [the applications], the application activity graphs [the graph database] are analyzed to identify a set of recommended applications for the request).
enriching the graph database by associating the nodes with metadata associated with the applications; (Morkovine, par0057 teaches when a particular application activity graph is constructed (e.g., in response to a recommendation request), application recommendation engine 120 accesses the scoring service 314 to assign scores to the applications associated with the particular application activity graph [enriching the graph database by associating the nodes with metadata]. Each score is a quantitative measure of the relevance of a particular application to the context of the recommendation request, which context is characterized by certain attributes (e.g., user attributes, object attributes, interaction attributes, etc.) associated with the recommendation request. As such, the scores can be used to sort and/or rank the applications to determine the applications that are most relevant to the context (e.g., users, content objects, contemporaneous interaction events, etc.) of the recommendation request).
(Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figure is presented to describe one embodiment of a flow and data structure for recording and accessing interaction attributes pertaining to interaction events over users and/or content objects at a plurality of applications, including third-party applications).
the subset of nodes and relationships between the nodes in the subset of the nodes; relationships between the nodes associated with (Morkovine, par0066 teaches the edges (e.g., arcs, lines, etc.) between the nodes [the subset of nodes] represent the pairwise relationships between the nodes (e.g., users, content objects). Such object relationships can have certain characteristics and/or attributes associated with them. For example, and as indicated in the figure, the object relationships are associated with at least the “appID” attribute (e.g., “apps” “appD” “appF” and “appN” of the corresponding interaction event).
a subset of users defined by at least one of a group, a role, and an organizational membership and, the subset of users; (Morkovine, par0102 teaches a group of users can form a collaborator group 958, and a collaborator group can be composed of any types or roles of users. For example, and as shown, a collaborator group can comprise a user collaborator, an administrator collaborator, a creator collaborator, etc. Any user can use any one or more of the access devices, and such access devices can be operated concurrently to provide multiple concurrent sessions and/or other techniques to access workspaces through the workspace access code).
(Morkovine, par0029 teaches as used herein, the application activity graphs describe the logical relationships (e.g., graph edges) between various entities (e.g., graph nodes), where the entities can correspond to the third-party applications, the content objects, the users, and/or other entities associated with the computing environment).
permitting a subset of communications between the nodes, (Morkovine, par0051 teaches content management server 108 might facilitate access to shared content in content objects 106 by the users (e.g., user 102 1, . . . , user 102 N) from a respective set of user devices (e.g., user device 302 1, . . . , user device 302 N). The content objects (e.g., files, folders, etc.) [application] in content objects 106 are characterized at least in part by a set of object attributes 340 (e.g., content object metadata) stored at storage devices 330. Furthermore, the users are characterized at least in part by a set of user attributes 342 stored in a set of user profiles 332 at storage devices 330).
identifying at least one user of the plurality of users permitted to access at least one application
(Morkovine, par0054, 0088 teaches processor 310 will access the user attributes 342 (e.g., user identifiers, etc.) stored in user profiles 332 and/or the object attributes 340 (e.g., content object identifiers, etc.)… permissions service 316 might access the user profiles 332 to identify any permissions constraints of the user (e.g., user “u1”) that affect the scored applications. Such constraints might pertain to the user not having access to certain applications and/or the user not being authorized to perform certain operations specified by certain applications).
to understand access currently allowed from the plurality of users to the applications (Morkovine, par0036 teaches the content management system provides instances of a native application that can be accessed by respective ones of the users 102 to facilitate a user's interactions with content objects 106 and/or with one another).

          Wolff however discloses enriching, metadata associated with (Wolff, par0054 teaches metadata associated with each item of data can be embedded into various formats for input into one or more algorithms responsible for modeling the importance of an item of data).
by associating user accounts associated with the plurality of users with (Wolff, par0024 teaches the repository can store information concerning each organization's accounts and the individual user accounts associated with each organization. In some instances, a user associated with an organization may have user accounts with various cloud applications, and the organization may also have administrative accounts with the cloud applications that have management authority over its user's accounts. By associating user accounts to their proper organization accounts, the resulting data may be used in various ways, including retrieving information about the user activity of users associated with an organization).
roles, organizations membership, privileges, and permissions associated with the plurality of users; (Wolff, par0032 teaches in various examples, state data can provide information about all the entities across a network or organization, such as users of the cloud service applications, installed applications, roles, policies, permissions, files, data packages, and other information that may not be identified by activity data. State data may, in some instances, include similar data such as a time stamp for the most recent activity that referenced or used an entity, but state data itself is generally not associated with a discrete event or activity. State data can provide information about intervals of time rather than information about the instant an activity occurred or the activity itself. State data for a user can represent or include, for example, user identifiers, user roles, user permissions, and/or user privileges for the cloud service applications).
organizations membership (Wolff, par0020  teaches FIG. 1 illustrates an example system 100 in which an organization uses a number of cloud service providers 102. The cloud service providers 102 can host application platforms that members of the organization can access to accomplish various computational tasks related to, for example, word processing, social networking, data storage and access, computer programming, email, or other computer-related tasks).
displaying, a graphical representation of (Wolff, par0036-0037 teaches once the entities are identified, they can be organized into a graph structure… the graph can be analyzed manually via visual or textual exploration of the graph in its entirety, via exploration of subgraphs, exploration of individual nodes and/or edges in the graph, aggregations on top of the graph, or other interactive modalities).
via the graphical user interface, (Wolff, par0070  teaches a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification).
the applications and groups of users accessing the applications; (Wolff, par0056  teaches the application platforms 302 can be accessed through a network 332 (e.g., the Internet) by users of client devices 340-1, 340-2, 340-3 (collectively 340), such as smart phones, personal computers, tablet computers, and/or laptop computers. Other user client devices are possible. The users of the client devices 340 generally are members of or belong to an organization 342 that provides the users with access (e.g., via subscriptions) to the application platforms 302).
the permissions provided to the subset of users defined by at least one of the group, the role, and organizational unit, the applications; and (Wolff, par0046  teaches as an example of an abstracted permission model, in a first system or application, a user may be assigned a role, and each role may contain a collection of permissions that the user may engage in, for example, an ability to create new user accounts or delete files. In another application, a user may be assigned multiple different roles, each containing an overlapping set of permissions. In another application, a user may simply have no roles or permissions identified, and instead the permissions are inferred to be a minimal set of permissions a user can have in the application. To assess the permissions assigned to a user across all systems, different permissions models can be mapped to a joint model. In this example, a joint abstract model may allow for multiple roles with overlapping permissions, and all systems or applications can have models mapping into that system. For example, in the case of the application with no role assigned to the user, the user can be mapped to a model having a default role with default permissions).
in relation to the nodes representing (Wolff, par0006 teaches each node of the graphical representation represents a respective user of the application platforms and each edge connecting the nodes represents an activity among the users and/or entities in the application platforms).
comparing the permissions with (Wolff, par0049 teaches one or more models can be developed and used to predict baseline permissions for users and then compare actual permissions with the predicted baselines, to identify users who have unwarranted permission).

          Morkovine and Wolff do not explicitly disclose by generating a whitelist, the whitelist.
          Annett however discloses by generating a whitelist, the whitelist. (Annett par0088 teaches the permissions repository 944 can include a map of users to the applications 936 they are permitted to access, a whitelist 946 that identifies users who are permitted access to the computing device 902 or applications 936, and a blacklist 948 that identifies users who are not permitted such access).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of by generating a whitelist, the whitelist, as taught by Annett in the non-transitory processor-readable medium of Morkovine and Wolff, so when an unpermitted user is identified as trying to access an application (e.g., the user is on a blacklist, the user is not on a preapproved whitelist, the user is unidentified), the computing device can provide a notification to the relevant authority.

          Staggs however discloses including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users. (Staggs par0019, 0026, 0032 and 0033 teaches FIG. 1, system 100 includes Role-Based Access Control (RBAC) subsystem 102. RBAC subsystem 102 can perform various functions associated with controlling access to a system based on one or more roles. Those functions include functions such as, for example, those discussed above (e.g., create a role and/or associate access rights with a role)… RBAC subsystem 102 can communicate information such as, for example, audit logs, security policies, training records, and other information to auditor 116. Auditor 116 can monitor the system for access records, system usage, permissions, etc… policy decision point 232 can determine a whitelist status of data client 220 and/or an antivirus state of data client 220. Further, user/application policy enforcement point 230 with support from policy decision point 232 can check an ID (e.g., unique identification information, such as system assigned identification information, LDAP token, etc.) of a user associated with data client 220 to determine that the user is valid (e.g., authenticated and authorized to access data server 222)… In some embodiments, provided the whitelist status, antivirus state, and user ID are determined to be adequate (approved by policy) the request can be communicated through the user/application policy enforcement point to the data server).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of including Role Based Access Control (RBAC) rules and permissions associated with the plurality of users, as taught by Staggs in the non-transitory processor-readable medium of Morkovine, Wolff and Annett, so .

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Morkovine in view of Wolff, and further in view of Boydstun et al. (US20080195670A1) hereinafter Boydstun.
As per claim 2.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 1.
          Morkovine further discloses access events of the users into the applications. (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects).
          Morkovine, Wolff, Annett and Staggs do not disclose wherein the metadata includes network logs.
           Boydstun however discloses wherein the metadata includes network logs (Boydstun, par0023 teaches Referring to FIG. 3, the service manager 215 initializes and reads a configuration file from a configuration manager (both not depicted), where the configuration file contains information about the log volume 225 to get access to metadata files 300. When a user utilizes a client GUI 305 to query information in the log volume 225, a log query proxy 310 sends the request via the service manager 215. The client GUI 305 is illustrated as an example screen shot in FIG. 4. The log query functions read the metadata files 300 and sends the query results to a log query service 315 in a log manager 320. The query results are then returned to the user through the client GUI where they are printed, displayed, or otherwise saved for further use/retrieval. And it is through the GUI's query mechanism where it displays as though all log depositories are one logical central log repository).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the metadata includes network logs, as taught by Boydstun in the system of Morkovine, Wolff, Annett and Staggs, so testing and debugging is the methodical process used by developers to find and reduce the number of bugs, or defects, in the software program to further the goal of deploying the software product, see Boydstun par0003.

As per claim 12.  Morkovine, Wolff, Annett and Staggs disclose the method of claim 11.
          Morkovine further discloses access events of the users into the applications. (Morkovine, par0064 teaches FIG. 4 illustrates techniques for analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects).
          Morkovine, Wolff, Annett and Staggs do not disclose wherein the metadata includes network logs.
           Boydstun however discloses wherein the metadata includes network logs (Boydstun, par0023 teaches Referring to FIG. 3, the service manager 215 initializes and reads a configuration file from a configuration manager (both not depicted), where the configuration file contains information about the log volume 225 to get access to metadata files 300. When a user utilizes a client GUI 305 to query information in the log volume 225, a log query proxy 310 sends the request via the service manager 215. The client GUI 305 is illustrated as an example screen shot in FIG. 4. The log query functions read the metadata files 300 and sends the query results to a log query service 315 in a log manager 320. The query results are then returned to the user through the client GUI where they are printed, displayed, or otherwise saved for further use/retrieval. And it is through the GUI's query mechanism where it displays as though all log depositories are one logical central log repository).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the metadata includes network logs, as taught by Boydstun in the method of Morkovine, Wolff, Annett and Staggs, so testing and debugging is the methodical process used by developers to find and reduce the number of bugs, or defects, in the software program to further the goal of deploying the software product, see Boydstun par0003.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Morkovine in view of Wolff, and further in view of Sievert et al. (US20190043534A1) hereinafter Sievert.
As per claim 3.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 1. 
          Morkovine, Wolff, Annett and Staggs do not disclose wherein the metadata includes telemetry data concerning, an amount of data written to or read, from the applications, types of operations conducted, access operations, time of day, and a client device used by the users.
           Sievert however discloses wherein the metadata includes telemetry data concerning (Sievert, par0054 teaches metadata include: telemetry data (such as motion data, velocity data, and acceleration data)).
an amount of data written to or read (Sievert, par0085 teaches the identifier generator 376 determines an amount of image data in the accessed [read] video frame)
(Sievert, par0077 teaches different client devices have different video editing interfaces 360 (in the form of native applications) that provide different functionalities due to different display sizes and different input means. As another example, the media server 130 provides the video editing interface 460 as a web page or browser application accessed by client devices).
types of operations conducted, access operations, time of day, and (Sievert, par0088 teaches other extracted video data includes user data, device data, or any other metadata associated with the video, which may be contained in udta atom data 713, for example. The udta atom refers to the portion of an MP4 file that contains user-specified or device-specified data. The identifier generator 376 may extract metadata associated with the video such as a video duration, video capture time [time of day], video capture date [type of operation conducted], video resolution, video frame rate, user identifier, or a user-specified caption).
a client device used by the users. (Sievert, par0085 teaches the user device 140 is any computing device capable of receiving user inputs as well as transmitting and/or receiving data via the network 150. In one embodiment, the user device 140 is a conventional computer system, such as a desktop or a laptop computer).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the metadata includes telemetry data concerning, an amount of data written to or read, from the applications, types of operations conducted, access operations, time of day, and a client device used by the users, as taught by Sievert in the system of Morkovine, Wolff, Annett and Staggs, so by hashing an extracted subset of data from the video or image rather than hashing the entire video reduce 

As per claim 13.  Morkovine, Wolff, Annett and Staggs disclose the method of claim 11. 
          Morkovine, Wolff, Annett and Staggs do not disclose wherein the metadata includes telemetry data concerning, an amount of data written to or read, from the applications, types of operations conducted, access operations, time of day, and a client device used by the users.
           Sievert however discloses metadata includes telemetry data concerning (Sievert, par0054 teaches metadata include: telemetry data (such as motion data, velocity data, and acceleration data)).
an amount of data written to or read (Sievert, par0085 teaches the identifier generator 376 determines an amount of image data in the accessed [read] video frame)
from the applications, (Sievert, par0077 teaches different client devices have different video editing interfaces 360 (in the form of native applications) that provide different functionalities due to different display sizes and different input means. As another example, the media server 130 provides the video editing interface 460 as a web page or browser application accessed by client devices).
types of operations conducted, access operations, time of day, and (Sievert, par0088 teaches other extracted video data includes user data, device data, or any other metadata associated with the video, which may be contained in udta atom data 713, for example. The udta atom refers to the portion of an MP4 file that contains user-specified or device-specified data. The identifier generator 376 may extract metadata associated with the video such as a video duration, video capture time [time of day], video capture date [type of operation conducted], video resolution, video frame rate, user identifier, or a user-specified caption).
a client device used by the users. (Sievert, par0085 teaches the user device 140 is any computing device capable of receiving user inputs as well as transmitting and/or receiving data via the network 150. In one embodiment, the user device 140 is a conventional computer system, such as a desktop or a laptop computer).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of metadata includes telemetry data concerning, an amount of data written to or read, from the applications, types of operations conducted, access operations, time of day, and a client device used by the users, as taught by Sievert in the method of Morkovine, Wolff, Annett and Staggs, so by hashing an extracted subset of data from the video or image rather than hashing the entire video reduce processing time and increase efficiency of generating a unique media identifier, see Sievert par0103.

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Morkovine in view of Wolff, and further in view of Ford (US20200076826A1) hereinafter Ford.
As per claim 4.  Morkovine, Wolff, Annett and Staggs disclose the system of claim 1.
          Morkovine further discloses wherein the at least one processor is further configured to: (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
(Morkovine, par0070 teaches FIG. 5 illustrates aspects pertaining to analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figures are presented to illustrate one embodiment of certain steps and/or operations that facilitate constructing application activity graphs from interaction events performed at a plurality of applications. As depicted in the figure, the steps and/or operations are associated with step 224 of FIG. 2. A representative scenario is also shown in the figures to illustrate an example application of application activity graph generation technique 500).
          Morkovine, Wolff, Annett and Staggs do not disclose detect a violation by the user of an access right to at least one application of the applications; and in response to the violation, generate a security policy disallowing.
           Ford however discloses detect a violation by the user of an access right to at least one application of the applications; and in response to the violation, generate a security policy disallowing (Ford par0119 teaches users that have access rights to the protected data may be identified. However, in certain embodiments, it may be preferable to execute an operation, such as operation 844, to identify users that have actually accessed the protected information. In certain embodiments, security system records may be searched to identify users that have accessed protected facilities in which protected data, such as protected documents, are stored. Identification of users that have accessed such protected facilities may be particularly useful in situations in which an image watermark relating to a protected document has been detected. At operation 846, the investigation may turn to whether any of the identified users violated security policies. If security policies have been violated, the particular users and corresponding security violations may be identified at operation 848 and addressed with the user at operation 850. To this end, the user may need to be educated about the security policies of the company, warned about the violation, or dismissed from employment. Once the violations have been addressed at operation 850, a check may be made at operation 852 to determine whether there are any security policies that should be updated or modified in view of the security violation. If so, such modifications may be made at operation 826).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of detecting a violation by the user of an access right to at least one application of the applications and, in response to the violation, generating a security policy disallowing, as taught by Ford, in the system of Morkovine, Wolff, Annett and Staggs, so that security systems can monitor egress channels from the secured network to prevent movement of protected data outside of the secured network, see Ford par0002.

As per claim 14, Morkovine, Wolff, Annett and Staggs disclose the method of claim 11.
          Morkovine further discloses further comprising: analyzing the graph database to, at least one relationship between the at least one application and at least one further application in the graph database. (Morkovine, par0070 teaches FIG. 5 illustrates aspects pertaining to analyzing application usage activity to dynamically determine a set of applications that are recommended for particular users and/or particular content objects. Specifically, the figures are presented to illustrate one embodiment of certain steps and/or operations that facilitate constructing application activity graphs from interaction events performed at a plurality of applications. As depicted in the figure, the steps and/or operations are associated with step 224 of FIG. 2. A representative scenario is also shown in the figures to illustrate an example application of application activity graph generation technique 500).
          Morkovine, Wolff, Annett and Staggs do not disclose detect a violation by the user of an access right to at least one application of the applications; and in response to the violation, generate a security policy disallowing.
           Ford however discloses detect a violation by the user of an access right to at least one application of the applications; and in response to the violation, generate a security policy disallowing (Ford par0119 teaches users that have access rights to the protected data may be identified. However, in certain embodiments, it may be preferable to execute an operation, such as operation 844, to identify users that have actually accessed the protected information. In certain embodiments, security system records may be searched to identify users that have accessed protected facilities in which protected data, such as protected documents, are stored. Identification of users that have accessed such protected facilities may be particularly useful in situations in which an image watermark relating to a protected document has been detected. At operation 846, the investigation may turn to whether any of the identified users violated security policies. If security policies have been violated, the particular users and corresponding security violations may be identified at operation 848 and addressed with the user at operation 850. To this end, the user may need to be educated about the security policies of the company, warned about the violation, or dismissed from employment. Once the violations have been addressed at operation 850, a check may be made at operation 852 to determine whether there are any security policies that should be updated or modified in view of the security violation. If so, such modifications may be made at operation 826).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of detecting a violation by the user of an access right to at least one application of the applications and, in response to the violation, generating a security policy disallowing, as taught by Ford, in the method of Morkovine, Wolff, Annett and Staggs, so that security systems can monitor egress channels from the secured network to prevent movement of protected data outside of the secured network, see Ford par0002.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Morkovine in view of Wolff, Annett and Staggs, and further in view of Koottayi et al. (US20170118218A1), hereinafter Koottayi.
As per claim 5, Morkovine, Wolff, Annett and Staggs disclose the system of claim 1.
          Morkovine further discloses wherein the at least one processor is further (Morkovine, par0091 teaches computer system 9A00 performs specific operations by data processor 907 executing one or more sequences of one or more program instructions contained in a memory).
          Morkovine does not explicitly disclose to classify behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users.
          Wolff however discloses to classify behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users (Wolff, par0028 teaches the consolidation of activity information in the repository concerning messaging, file access, application usage patterns and/or other event statistics enables the systems and methods described herein (e.g., the system 100) to establish baselines of expected and appropriate user behavior. Machine learning techniques can then be applied to detect threats and provide recommendations concerning how to respond to threats or unusual behavior. Threat models are developed and used to detect threats that are known or unknown or emerging. Threats can also be identified by comparing activity data with external threat intelligence information, such as information provided by third-party providers).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of classifying behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users, as taught by Wolff, in the system of Morkovine, so that, using the graphs, an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its "attack surface area," to make the organization less vulnerable to security incidents, see Wolff par0004.
          Morkovine, Wolff, Annett and Staggs do not explicitly disclose configured to access an identity store.
          Koottayi however discloses configured to access an identity store. (Koottayi, par0080 teaches to create subject information upon establishing an access session, an identity store may be accessed for a subject, which may have the attributes of user as well as group membership information of the user).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of being configured to access an identity store, as taught by Koottayi, in the system of Morkovine, Wolff, Annett and Staggs, so that an access management system can improve management of a session (e.g., server-side session) by storing session information for a session based on the attributes of the session information, see Koottayi par0015.

As per claim 15, Morkovine, Wolff, Annett and Staggs disclose the method of claim 11.
          Morkovine does not explicitly disclose to classify behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users.
          Wolff however discloses to classify behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users (Wolff, par0028 teaches the consolidation of activity information in the repository concerning messaging, file access, application usage patterns and/or other event statistics enables the systems and methods described herein (e.g., the system 100) to establish baselines of expected and appropriate user behavior. Machine learning techniques can then be applied to detect threats and provide recommendations concerning how to respond to threats or unusual behavior. Threat models are developed and used to detect threats that are known or unknown or emerging. Threats can also be identified by comparing activity data with external threat intelligence information, such as information provided by third-party providers).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of classifying behavior of the plurality of users into organizational units and roles associated with the plurality of users to represent organizational behavior associated with the plurality of users, as taught by Wolff, in the method of Morkovine, so that, using the graphs, an organization can increase the efficiency with which it detects and responds to various incidents, and also minimize or optimize its "attack surface area," to make the organization less vulnerable to security incidents, see Wolff par0004.
          Morkovine, Wolff, Annett and Staggs do not explicitly disclose further comprising accessing an identity store.
          Koottayi however discloses further comprising accessing an identity store (Koottayi, par0080 teaches to create subject information upon establishing an access session, an identity store may be accessed for a subject, which may have the attributes of user as well as group membership information of the user).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising accessing an identity store, as taught by Koottayi, in the method of Morkovine, Wolff, Annett and Staggs, so that an access management system can improve management of a session (e.g., server-side session) by storing session information for a session based on the attributes of the session information, see Koottayi par0015.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
• Palma et al. (US7627671B1) – Related art in the area of a performance manager accesses and interprets application metadata and execution environment metadata, using a hierarchical entity to model complex relationships between application abstractions, components and resources.
• Chowdhury et al. (US20180232262A1) – Related art in the area of obtaining a first application-program interface (API) response from a first software-as-a-service (SaaS) 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONISHWAR MOHAN whose telephone number is (571)272-2907. The examiner can normally be reached Monday - Thursday 7:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



/M.M./Examiner, Art Unit 2442
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442