DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6-9, 13-16, 20 are rejected under 35 U.S.C. 103 as being unpatentable over FAITELSON et al (2011/0296490) in view of Roth et al (10,148,629).
With respect to claims 1, 8 and 15, FAITELSON discloses a method of providing dynamic permissions (Abstract, “automatically replacing”) for an enterprise authorization system, comprising (automatically replacing access permission including an authorization subsystem in an enterprise computer environment; Abstract; paras [0011], [0014]): establishing permissions rules for an authorization system of an enterprise (replacing a group-based security policy with a computer security policy resulting in changes in access permissions (establishing permissions rules), automatically notifying stakeholders using an authorization subsystem in the enterprise computer environment; paras [0009], [0011]); receiving permissions data from the enterprise, the permission data describing actions performed by users of the enterprise with respect to the As seen in FIG. 1D, the IT manager, alone or possible in consultation with an HR manager or other executive decides whether or not to approve the automatically generated recommendations. 
If the automatically generated recommendations are approved, they are implemented automatically without disrupting needed user access to the network objects residing in the enterprise computer environment”); evaluating the permissions rules (para [0028], a learned access permission subsystem learning the current access permissions) in view of the permission data (a learned access permission subsystem learning the current access permissions (evaluating the permissions rules) using actual access history (a context-based); paras [0028]-[0030]) to produce a context-based permissions policy for the authorization system, the context-based permissions policy evaluate one or more conditions to determine whether to grant permissions to users of the enterprise with respect to the authorization system (automatically replacing access permissions (the dynamic permissions policy) of user-security group-based access permissions (describing permissions of users of the enterprise) with respect to the authorization subsystem and actual access history (context-based); paras [0012], [0015], [0029]); and transmitting the context-based permissions policy to the enterprise (the computer security policy administration subsystem of the computer environment receiving the indications and operative to automatically replace the access permissions (transmitting the dynamic permissions policy); para [0030]), wherein the enterprise is adapted to implement the context-based permissions policy at the authorization system (the enterprise system simulating replacement of the user security group-based computer security policy by the computer security policy (to Implement the dynamic permissions policy) including the authorization subsystem automatically operative prior to execution of the replacement; para [0011], [0014]).
FAITELSON does not explicitly disclose a context-based. Since applicant does not explicitly disclose the claimed “context-based”, the actual access history of FAITELSON could be considered as the claimed “context-based”. Further Roth discloses an authorization system using a context-based permission policy (column 5, line 60 – column 6, line 16). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify FAITELSON by using the context-based of Roth to provide better security (taught by Roth, col 1, lines 15-25).

With respect to claims 2, 9 and 16, FAITELSON does not disclose wherein the context-based permissions policy evaluates one or more of the following conditions to determine whether to grant permissions to users of the enterprise: time of access; location of access. Roth discloses wherein the context-based permissions policy evaluates one or more of the following conditions to determine whether to grant permissions to users of the enterprise: time of access; location of access (col 5, line 65 - col 6, line 1, “the time of day of the access attempt, the number of times an access attempt has occurred”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify FAITELSON with the context-based of Roth for the same motivation discussed in claim 1 above.

With respect to claims 6, 13 and 20, refer to discussion in claim 1 above for the context-based. FAITELSON additionally discloses wherein transmitting the context-as previously disclosed by FAITELSON) comprises: receiving, from a permissions controller within the enterprise, a request for the context-based permissions policy (a pre-replacement notification subsystem (permissions controller within the enterprise) automatically requesting authorization given the changes in access permissions expected to take place as a result of the replacement (a request for the dynamic permissions policy); para [0011]); and transmitting the context-based permissions policy to the permissions controller within the enterprise in response to the request (receiving the authorization (transmitting the dynamic permissions policy) by the pre-replacement notification subsystem (permissions controller) based on the request for authorization; para [0011]); wherein the permissions controller is adapted to interact with the authorization system (the pre-replacement notification subsystem is operative along with the authorization subsystem (interact with the authorization system); para [0011]) to configure an infrastructure of the authorization system (to prevent execution of the replacement in some network objects (configure an infrastructure) for which authorization was not received by the authorization subsystem; para [0011]) to implement the context-based permissions policy at the authorization system (automatically replacing (implement) access permission (policy) for an authorization subsystem in an enterprise computer environment; abstract; para [0011],[0014]).

With respect to claims 7 and 14, refer to discussion in claim 1 above for the context-based. FAITELSON additionally discloses receiving a request from the enterprise for an updated context-based permissions policy (a request for authorization from the enterprise computer environment with respect to changes in access permissions expected to take place (an updated dynamic permissions policy); claim 3 of FAITELSON); reevaluating the permissions rules in view of new permissions data from the enterprise to produce an updated context-based permissions policy for the authorization system (the learned access permission subsystem continuously learning current access permissions (reevaluating the permissions rules) using actual access history from the continuously populated database (a new context) resulting in expected changes to access permissions to take place as a result of the replacement (updated dynamic permissions policy) used by the authorization subsystem; para [0028]-[0030], [0037]); and transmitting the updated context-based permissions policy to the authorization system in response to the request (the computer security policy administration subsystem of the computer environment receiving the indications and operative to automatically replace the access permissions (transmitting the updated dynamic permissions policy) according to the continuously populated access permissions database by the learned access permissions subsystem (response to the request); para [0030], [0037]).

Claims 3-4, 10-11, 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over FAITELSON et al (2011/0296490) in view of Roth et al (10,148,629) and Official Notice.
With respect to claims 3, 10 and 17, FAITELSON additionally discloses wherein establishing the permissions rules comprises: receiving permissions rules provided by an administrator of the enterprise (an administration subsystem of the enterprise computer network includes replacement initiation functionality which initiates automatic replacement of permissions based on a schedule (receiving permissions rules) determined by a human administrator; para [0010]), the permissions rules describing permissions policies applicable to the users of the enterprise in given contexts (the schedule of access permissions is predetermined (rules describing permissions policies) with respect to pre-selected user-security group-based access permission (applicable to the users of the enterprise) accessing network objects such as files, folders and user groups (in given contexts); para [0010], [0031]); and wherein the method further comprises: evaluating the permissions rules (para [0028], a learned access permission subsystem learning the current access permissions) in view of a context (a learned access permission subsystem learning the current access permissions (evaluating the permissions rules) using actual access history (a context); paras [0028]-[0030]) to produce a dynamic permissions policy for the authorization system (operative to automatically replace group-based access permissions with partially actual access-based access permissions (dynamic permissions policy) where the authorization subsystem notifies stakeholders of changes in the access permissions expected to take place; para [0030]; claim 3 of FAITELSON), the context describing an environment of the authorization system at a point in time (actual access history (context) provides an indication of which users have had actual access to which network objects (describing an environment of the authorization system), the history indicating which users have had actual access to which network objects (at a point in time); 
para [0021]; claim 9 of FAITELSON) and the dynamic permissions policy describing permissions of users of the enterprise with respect to the authorization system and the automatically replacing access permissions (the dynamic permissions policy) of user-security group-based access permissions (describing permissions of users of the enterprise) with respect to the authorization subsystem and actual access history (context); paras [0012], [0015], [0029]); and transmitting the dynamic permissions policy to the enterprise (the computer security policy administration subsystem of the computer environment receiving the indications and operative to automatically replace the access permissions (transmitting the dynamic permissions policy); para [0030]), wherein the enterprise is adapted to implement the dynamic permissions policy at the authorization system (the enterprise system simulating replacement of the user security group-based computer security policy by the computer security policy (to Implement the dynamic permissions policy) including the authorization subsystem automatically operative prior to execution of the replacement; para [0011], [0014]).
FAITELSON does not explicitly disclose describing the system at a point in time. Since FAITELSON discloses the history indicating which users have had actual access to which network objects (para [0021]), it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that the claimed point in time would have been obvious. Further, the Official Notice is taken that the claimed “describing the system at a point in time” limitation would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify FAITELSON by describing the system at a point in time to track the system at any desired times.

the learned actual access history (context) provides indications (state information) of which users had access to which network objects (describing an environment involving the enterprise) from the actual access history (a given point in time); claim 20 of FAITELSON) and wherein evaluating the permissions rules in view of the context to produce a dynamic permissions policy for the authorization system (as previously disclosed by FAITELSON) comprises: interpreting the permissions rules based on the state information within the context (prior to execution of said replacement, notifying predetermined stakeholders of changes in access permissions expected to take place as a result of said replacement (interpreting the permissions rules) according to the indications (state information) received with respect to the actual access history (context); para [0009]; claim 3 of FAITELSON) to programmatically determine the dynamic permissions policy for the authorization system (automatically (programmatically) replacing access permission (dynamic permissions policy) for the authorization subsystem in the enterprise computer environment; abstract; para [0011], [0014]).

Claims 5, 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over FAITELSON et al (2011/0296490) in view of Roth et al (10,148,629), Official Notice and SEIVER et al (2017/0078322).
an administration subsystem of the enterprise computer network includes replacement initiation functionality which initiates automatic replacement of permissions based on a schedule (receiving permissions rules) determined by a human administrator; para [0010]), the permissions rules describing permissions policies applicable to the users of the enterprise in given contexts (the schedule is predetermined (rules describing permissions policies) with respect to pre-selected user-security group-based access permission (applicable to the users of the enterprise) accessing network objects such as files, folders and user groups (in given contexts); para [0010], [0031]). FAITELSON does not disclose calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised; and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system. SEIVER discloses calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised (determining a metric, or compromise risk value (score representing a likelihood), of a user account, or network device, being compromised, the compromise likelihood identifies a probability of the network device, or user account, being compromised (data stored on the authorization system is compromised), e.g., by an attacker; para [0067]); and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system (using the metric (calculated risk score) and using account access rights (permissions rules) to update permissions that increase the value associated with the metric (dynamic permissions policy); para [0221], [0238]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of FAITELSON to include calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised; and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system as disclosed by SEIVER, to gain the advantage of quantifying risks associated with the network and costs associated with a compromised level of access to assess privileges on the network (SEIVER; para [0006]).

Response to Arguments
Applicant's arguments filed 11/29/2021 have been fully considered but they are not persuasive.
With respect to applicant’s argument about the newly added limitation “context-based permissions policy” (page 14, 1st paragraph), refer to discussion in claim 1 above.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TU T NGUYEN whose telephone number is (571)272-2424. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 


/TU T NGUYEN/
Primary Examiner, Art Unit 2453
02/25/2022