Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
2.	This office action is in response to an amendment filed on 02/23/2022. The amendment has been entered and considered. 
Response to amendment
3. 	Claims 1, 5, 8, 12, 15 and 19 are amended. Claims 1-21 are now pending in this office action. 

4. 	Applicant's arguments with respect to the rejection of claims under 35 U.S.C. § 102 (a)(i) and 103(a) have been fully considered and are persuasive. However, the newly introduced reference FILIP et al teaches the amended claim limitations, which necessitated the new ground of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Yared; Peter (US 20190199729 A1) in view of Tandon; Sanjay (US 20150012966 A1) and in further view of FILIP; Marcin (US 20210318998 A1).

	Regarding independent claim 1, Yared; Peter (US 20190199729 A1) teaches, an identity management system, comprising: a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data associated with a plurality of source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts (e.g., such as an identity, entitlement, role, group, event, access profile or account activity) utilized in identity management in the distributed enterprise computing environment, including a set of identities, …database objects and entitlements associated with the … database objects (Paragraph [0039] Consolidated identity module 1206 performs various functions described herein, including authenticating user 101 based on identity information obtained from identity provider 402, which may be, for example an Active Directory. [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity (e.g., user or group), according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0072] Many service providers (such as SAP, Salesforce …) include entitlements directly in records, specifying who is authorized to do what to each record (such as, for example, approve a purchase order) (i.e., entitlements associated with database objects such as purchase order). In at least one embodiment, the consolidated identity framework maps the identity of user 101 from identity provider 601 through to service provider 602), 
wherein: the plurality of source systems include an authoritative source system (Examiner interprets authoritative source system as Identity provider/active directory) and the identity management data (identity management—also referred to as identity and access management) comprises identity data on a set of identities obtained from the authoritative source system, wherein each of the set of identities is associated with a first identifier (i.e., user identifier) for that identity obtained from the authoritative source system (Paragraph [0065] Referring now to FIG. 4, there is shown a diagram depicting an example of a method of mapping a user's 101 identity to bind authorizations, according to one embodiment. User 101 logs in 403 via endpoint management system 401. Based on the log-in information, user 101 is matched 404 to user's account on identity provider 402 (which may, for example be an Active Directory), so as to determine which resources the user 101 is authorized to access. [0073], [0075] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers. On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver (i.e., associating "smithj0422", which is the first identifier obtained from identity provider/active directory/authoritative source for "jsmith" as an identity/user). Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity), 
the plurality of source systems include at least one … server and the identity management data comprises … object data on … database objects of the … server and entitlement data on a set of entitlements, wherein each of the set of entitlements is associated with a second identifier and an associated … database object of the … database objects (Paragraph [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity, according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., group called managers is second identifier and the entitlements are associated with second identifier/managers group). On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver. Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity (i.e., source system includes source server/server → service provider name and set of entitlements for the objects). Also see [0041] consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/name 1203, access control groups 1204, and/or user attributes 1205); 
receiving a criteria associated with a first identity of the set of identities (Paragraph [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., receiving criteria is “determining a group” with first identity from the set of identities/groups. In prior art group called managers is the criteria); 
Yared et al fails to explicitly teach, SQL database objects … SQL database objects,…. SQL server … SQL object data on SQL database objects of the SQL server … SQL database objects … SQL database objects; determining one or more entitlements to SQL database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated SQL database objects in association with the first identity.
Tandon; Sanjay (US 20150012966 A1) teaches, determining one or more entitlements to … database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity (Paragraph [0189] It is also clearly evident that any attempt to accurately assess the cumulative set of a user's entitlements must take into account the cumulative set of a user's affiliations (i.e., based on user's identity/first identity and first identifier, determining second identifier/group identifier with each set of entitlements)),
wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity (Paragraph [0325] The Cumulative Access Entitlement Inference & Assimilation 65 process involves the determination of the entity's cumulative access entitlement set 66 across the specified scope of the information system, based on the entity's cumulative system-level access grants 64 and based on a set of system-level operation to administrative task mappings 56 i.e. the set of all administrative tasks that the entity 58 is entitled to performing (i.e., based on second identifier), based on the entity's effective cumulative system-level access 64 across the specified scope of the information system (i.e., based on first identifier). This set of system-level operation to administrative task mappings 56 provide the mappings required to determine the administrative task that corresponds to a system-level operation authorized on a specific type of securable resource/objects. This step thus 
and presenting the one or more entitlements and associated … database objects in association with the first identity (Paragraph [0326] the Cumulative Entitlement Reporting (Output) 67 process reports the results of the cumulative access entitlement 68, which are in effect the same as 66, presented in a meaningful fashion).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Yared et al by providing a method of determining one or more entitlements to objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated objects in association with the first identity, as taught by Tandon et al (Paragraphs [0325]-[0326]).
SAIL1560-1 - 61 - Customer ID: 44654
  One of ordinary skill in the art would have been motivated to make this modification because it provides a method and system for assessing the cumulative set of access entitlements to which an entity of an information system may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user, as taught by Tandon et al (Abstract).
Yared et al and Tandon et al fails to explicitly teach, SQL database objects … SQL database objects,…. SQL server … SQL object data on SQL database objects of the SQL server … SQL database objects … SQL database objects; … database objects …; … database objects…
	FILIP; Marcin (US 20210318998 A1) teaches, SQL database objects and entitlements associated with the SQL database objects,… (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 24). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc);
	… source systems include at least one SQL server … (Examiner interprets SQL server as a relational database management system/server to execute SQL queries) SQL object data on SQL database objects of the SQL server … (Paragraph [0045] each of user A and user B may have invoked respective queries on database 248. However, whereas the database query invoked by user A was a modification query, the database operation invoked by user B was not a modification query, e.g., was only a read-only database operation such as a SELECT query in SQL (Examiner interprets SQL database objects as the objects accessed/modified using SQL on the database)). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc); 
	…identifier and an associated SQL database object of the SQL database objects; …SQL database objects based on the …identifier … ; … SQL database objects in association with the … identity (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 24).
Therefore it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Yared et al and Tandon et al by providing SQL database objects and entitlements associated with the SQL database objects,… source systems include at least one SQL server … SQL object data on SQL database objects of the SQL server …; SQL database object of the SQL database objects; SQL database objects based on the second identifier …; …identifier and an associated SQL database object of the SQL database objects, as taught by FILIP et al (Paragraph [0031], [0045]).
  One of ordinary skill in the art would have been motivated to make this modification because doing so would improve algorithm efficiency, memory usage efficiency, maintainability, and reliability, as taught by FILIP et al (Paragraph [0004]).

Regarding dependent claim 2, Yared et al and Tandon et al teach, the identity management system of claim 1. 
Tandon et al further teaches, wherein the first identifier and the second identifier is a Security Identifier (SID) (Paragraphs [0162]-[0163], user SID is first security identifier and group ID is second security identifier).  

Regarding dependent claim 3, Yared et al and Tandon et al teach, the identity management system of claim 1. 
Tandon et al further teaches, wherein the first identifier is associated with a group to which the first identity belongs (Paragraph [0167], in order for an access check to validate whether or not a user attempting access to a securable resource is in fact authorized such access, it should further take into account the SID of the user him/herself and list of all group SIDs to which the user might belong (i.e., first identifier is associated with a group to which the first identity/user belongs)). 

Regarding dependent claim 4, Yared et al and Tandon et al teach, the identity management system of claim 3. 
Tandon et al further teaches, where at least one of the one or more entitlements is inherited by the first identity through the group (Paragraph [0186] it is evident from the illustration that John Doe's user account 500 is a direct member of seven groups 501, 502, 503, 504, 505, 506 and 507. Note that a simple inspection of the user's account will reveal that John Doe is only a member of seven groups. However, as we can see, each of these seven groups in turn is a member of numerous other groups. In fact, closer inspection reveals that John Doe is transitively a member of fourteen security groups. Paragraph [0187] from an access control perspective, ultimately, John is a member of all these groups and thus is cumulatively granted the entirety of all permissions that may exist anywhere in the system for any one these fourteen groups. In effect, John is entitled to performing the set of all administrative tasks that are cumulatively authorized by the presence of the entire set of permissions that exist across the information system for all these fourteen groups (i.e., entitlements are inherited by the first identity through the groups)).

Regarding dependent claim 5, Yared et al and Tandon et al teach, the identity management system of claim 1. 
Tandon et al further teaches, wherein a first entitlement of the one or more entitlements is to a first …database object and a second entitlement of the one or more entitlements is to a second …database object that is a child object of the first … database object, and wherein the second entitlement was determined based on the second … database object being a child object of the first …database object (Fig. 6, Paragraph [0197]; first ACE 252 (i.e., first entitlement) allows the security principal S-1-5-123-456-789-001 Read Property access to the User Name attribute on this object (i.e., first database object); Paragraph [0202], lines 51-55; ACE 256 (i.e., second entitlement) allows the security principal S-1-5-123-456-657-051 Create Child access to the User Name attribute on this object; this ACE thus grants the user represented by this SID the ability to create new objects (i.e., second database object) under this object).
	FILIP et al further teaches, entitlements is to a … entitlements is to a …SQL database object … SQL database object … SQL database object … SQL database …. SQL database object (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views).

Regarding dependent claim 6, Yared et al and Tandon et al teach, the identity management system of claim 5. 
Tandon et al further teaches, wherein the second entitlement was determined utilizing a …permission model (Paragraph [0207] if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied (i.e., the second entitlement is determined based on inheritance/permission model)).
FILIP et al further teaches, …entitlement was determined utilizing a SQL permission model (Paragraph [0045] each of user A and user B may have invoked respective queries on database 248. However, whereas the database query invoked by user A was a modification query, the database operation invoked by user B was not a modification query, e.g., was only a read-only database operation such as a SELECT query in SQL (i.e., entitlement is determined based on SQL permission model)).

Regarding dependent claim 7, Yared et al and Tandon et al teach, the identity management system of claim 1. 
Yared et al further teaches, wherein the at least one … server comprises multiple …servers and the one or more entitlements comprises entitlements obtained from each of the multiple …servers (Paragraph [0031] Each electronic device may be, for example, a server, desktop computer, laptop computer, smartphone, tablet computer, and/or the like. As described herein, some devices used in connection with the system described herein are designated as client devices, which are generally operated by end users. Other devices are designated as servers, which generally conduct back-end operations and communicate with client devices (and/or with other servers) via a communications network such as the Internet. [0041] in at least one embodiment, consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/name 1203, access control groups 1204, and/or user attributes 1205 (i.e., Endpoint management systems comprises of 
FILIP et al further teaches, …SQL server… (Examiner interprets SQL server as a relational database management system/server to execute SQL queries. Paragraph [0118] Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter)). 

	Regarding independent claim 8, Yared; Peter (US 20190199729 A1) teaches, a method, comprising: obtaining identity management data associated with a plurality of source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts (e.g., such as an identity, entitlement, role, group, event, access profile or account activity) utilized in identity management in the distributed enterprise computing environment, including a set of identities, … database objects and entitlements associated with the … database objects  (Paragraph [0039] Consolidated identity module 1206 performs various functions described herein, including authenticating user 101 based on identity information obtained from identity provider 402, which may be, for example an Active Directory. [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity  (e.g., user or group), according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0072] Many service providers (such as SAP, Salesforce …) include entitlements directly in records, specifying who is authorized to do what to each record (such as, for example, approve a purchase order) (i.e., entitlements associated with database objects such as purchase order). In at least one embodiment, the consolidated identity framework maps the identity of user 101 from identity provider 601 through to service provider 602), 
wherein: the plurality of source systems include an authoritative source system (Examiner interprets authoritative source system as Identity provider/active directory) and the identity management data (identity management—also referred to as identity and access management) comprises identity data on a set of identities obtained from the authoritative source system, wherein each of the set of identities is associated with a first identifier (i.e., user identifier) for that identity obtained from the authoritative source system (Paragraph [0065] Referring now to FIG. 4, there is shown a diagram depicting an example of a method of mapping a user's 101 identity to bind authorizations, according to one embodiment. User 101 logs in 403 via endpoint management system 401. Based on the log-in information, user 101 is matched 404 to user's account on identity provider 402 (which may, for example be an Active Directory), so as to determine which resources the user 101 is authorized to access. [0073], [0075] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers. On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver (i.e., associating "smithj0422", which is the first identifier obtained from identity provider/active directory/authoritative source for "jsmith" as an identity/user). Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity), 
the plurality of source systems include at least one …server and the identity management data comprises …object data on … database objects of the … server and entitlement data on a set of entitlements, wherein each of the set of entitlements is associated with a second identifier and an associated … database object of the …database objects (Paragraph [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity, according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., group called managers is second identifier and the entitlements are associated with second identifier/managers group). On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver. Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity (i.e., source system includes source server/server → service provider name and set of entitlements for the objects). Also see [0041] consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/name 1203, access control groups 1204, and/or user attributes 1205);
Attorney Docket No. SAIL1560-1, Application No. 17/387,462, Customer ID: 44654
receiving a criteria associated with a first identity of the set of identities (Paragraph [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., receiving criteria is “determining a group” with first identity from the set of identities/groups. In prior art group called managers is the criteria); 
Yared et al fails to explicitly teach, SQL database objects … SQL database objects, …SQL server … SQL object data on SQL database objects of the SQL server … SQL database object of the SQL database objects; determining one or more entitlements to SQL database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated SQL database objects in association with the first identity.
Tandon; Sanjay (US 20150012966 A1) teaches, determining one or more entitlements to …database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity (Paragraph [0189] It is also clearly evident that any attempt to accurately assess the cumulative set of a user's entitlements must take into account the cumulative set of a user's affiliations (i.e., based on user's identity/first identity and first identifier, determining second identifier/group identifier with each set of entitlements)), wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity (Paragraph [0325] The Cumulative Access Entitlement Inference & Assimilation 65 process involves the determination of the entity's cumulative access entitlement set 66 across the specified scope of the information system, based on the entity's cumulative system-level access grants 64 and based on a set of system-level operation to administrative task mappings 56, i.e. the set of all administrative tasks that the entity 58 is entitled to performing, which is Group SID/admin tasks that the user is entitled to, associated with User SID, which is user's/entity's cumulative system-level access grants for the first user/user name which is the first identity. For clarity on identifiers please see Paragraphs [0167]-[0169], [0189]);
and presenting the one or more entitlements and associated … database objects in association with the first identity (Paragraph [0326] the Cumulative Entitlement Reporting (Output) 67 process reports the results of the cumulative access entitlement 68, which are in effect the same as 66, presented in a meaningful fashion).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Yared et al by providing a method of determining one or more entitlements to objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated objects in association with the first identity, as taught by Tandon et al (Paragraphs [0325]-[0326]).
  One of ordinary skill in the art would have been motivated to make this modification because it provides a method and system for assessing the cumulative set of access entitlements to which an entity of an information system may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user, as taught by Tandon et al (Abstract).
Yared et al and Tandon et al fails to explicitly teach, SQL database objects … SQL database objects, …SQL server … SQL object data on SQL database objects of the SQL server … SQL database object of the SQL database objects; … SQL database objects; SQL database objects.
FILIP; Marcin (US 20210318998 A1) teaches, SQL database objects and entitlements associated with the SQL database objects,… (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 24),
…source systems include at least one SQL server … (Paragraph [0045] each of user A and user B may have invoked respective queries on database 248. However, whereas the database query invoked by user A was a modification query, the database operation invoked by user B was not a modification query, e.g., was only a read-only database operation such as a SELECT query in SQL (Examiner interprets SQL database objects as the objects accessed/modified using SQL on the database)). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc);
	…identifier and an associated SQL database object of the SQL database objects; …SQL database objects based on the …identifier … ; … SQL database objects in association with the … identity (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 24). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Yared et al and Tandon et al by providing SQL database objects and entitlements associated with the SQL database objects,… source systems include at least one SQL server … SQL object data on SQL database objects of the SQL server …; SQL database object of the SQL database objects; SQL database objects based on the second identifier …; 
One of ordinary skill in the art would have been motivated to make this modification, because doing so would improve algorithm efficiency, memory usage efficiency, maintainability, and reliability as taught by FILIP et al (Paragraph [0004]).

Regarding dependent claim 9, Yared et al and Tandon et al teach, the method of claim 8. 
Tandon et al further teaches, wherein the first identifier and the second identifier is a Security Identifier (SID) (Paragraphs [0162]-[0163] user SID is first security identifier and group ID is second security identifier).  

Regarding dependent claim 10, Yared et al and Tandon et al teach, the method of claim 8. 
Tandon et al further teaches, wherein the first identifier is associated with a group to which the first identity belongs (Paragraph [0167] in order for an access check to validate whether or not a user attempting access to a securable resource is in fact authorized such access, it should further take into account the SID of the user him/herself and list of all group SIDs to which the user might belong (i.e., first identifier is associated with a group to which the first identity/user belongs)). 

Regarding dependent claim 11, Yared et al and Tandon et al teach, the method of claim 10. 
Tandon et al further teaches, where at least one of the one or more entitlements is inherited by the first identity through the group (Paragraph [0186] it is evident from the illustration that John Doe's user account 500 is a direct member of seven groups 501, 502, 503, 504, 505, 506 and 507. Note that a simple inspection of the user's account will reveal that John Doe is only a member of seven groups. However, as we can see, each of these seven groups in turn is a member of numerous other groups. In fact, closer inspection reveals that John Doe is transitively a member of fourteen security groups. Col 27 Lines 51-58 (99) from an access control perspective, ultimately, John is a member of all these groups and thus is cumulatively granted the entirety of all permissions that may exist anywhere in the system for any one of these fourteen groups. In effect, John is entitled to performing the set of all administrative tasks that are cumulatively authorized by the presence of the entire set of permissions that exist across the information system for all these fourteen groups (i.e., entitlements are inherited by the first identity through the groups)).

Regarding dependent claim 12, Yared et al and Tandon et al teach, the method of claim 8. 
Tandon et al further teaches, wherein a first entitlement of the one or more entitlements is to a first … database object and a second entitlement of the one or more entitlements is to a second … database object that is a child object of the first … database object, and wherein the second entitlement was determined based on the second … database object being a child object of the first … database object (Fig. 6 Paragraph [0197]; first ACE 252 (i.e., first entitlement) allows the security principal S-1-5-123-456-789-001 Read Property access to the User Name attribute on this object (i.e., first database object); Paragraph [0202], lines 51-55; ACE 256 (i.e., second entitlement) allows the security principal S-1-5-123-456-657-051 Create Child access to the User Name attribute on this object; this ACE thus grants the user represented by this SID the ability to create new objects (i.e., second database object) under this object).
	FILIP et al further teaches, entitlements is to a … entitlements is to a …SQL database object … SQL database object … SQL database object … SQL database …. SQL database object (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 24). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc).

Regarding dependent claim 13, Yared et al and Tandon et al teach, the method of claim 12. 
Tandon et al further teaches, wherein the second entitlement was determined utilizing a … permission model  (Paragraph [0207] if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied (i.e., the second entitlement is determined based on inheritance/ permission model).
FILIP et al further teaches, …entitlement was determined utilizing a SQL permission model (Paragraph [0045] each of user A and user B may have invoked respective queries on database 248. However, whereas the database query invoked by user A was a modification query, the database operation invoked by user B was not a modification query, e.g., was only a read-only database operation such as a SELECT query in SQL (i.e., entitlement is determined based on SQL permission model).

Regarding dependent claim 14, Yared et al and Tandon et al teach, the method of claim 8. 
Yared et al further teaches, wherein the at least one … server comprises multiple … servers and the one or more entitlements comprises entitlements obtained from each of the multiple … servers (Paragraph [0031] Each electronic device may be, for example, a server, desktop computer, laptop computer, smartphone, tablet computer, and/or the like. As described herein, some devices used in connection with the system described herein are designated as client devices, which are generally operated by end users. Other devices are designated as servers, which generally conduct back-end operations and communicate with client devices (and/or with other servers) via a communications network such as the Internet. [0041] in at least one embodiment, consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/name 1203, access control groups 1204, and/or user attributes 1205 (i.e., Endpoint management systems comprise multiple service providers and entitlements are obtained from the service providers)).
FILIP et al further teaches, …SQL server… (Examiner interprets SQL server as a relational database management system/server to execute SQL queries. Paragraph [0118] Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter)). 

Regarding independent claim 15, Yared; Peter (US 20190199729 A1) teaches, a non-transitory computer readable medium, comprising instructions for: obtaining identity management data associated with a plurality of source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts (e.g., such as an identity, entitlement, role, group, event, access profile or account activity) utilized in identity management in the distributed enterprise computing environment, including a set of identities, …database objects and entitlements associated with the …database objects (Paragraph [0039] Consolidated identity module 1206 performs various functions described herein, including authenticating user 101 based on identity information obtained from identity provider 402, which may be, for example an Active Directory. [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity (e.g., user or group), according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0072] Many service providers (such as SAP, Salesforce …) include entitlements directly in records, specifying who is authorized to do what to each record (such as, for example, approve a purchase order) (i.e., entitlements associated with database objects such as purchase order). In at least one embodiment, the consolidated identity framework maps the identity of user 101 from identity provider 601 through to service provider 602), 
wherein: the plurality of source systems include an authoritative source system (Examiner interprets authoritative source system as Identity provider/active directory) and the identity management data (identity management—also referred to as identity and access management) comprises identity data on a set of identities obtained from the authoritative source system, wherein each of the set of identities is associated with a first identifier (i.e., user identifier) for that identity obtained from the authoritative source system (Paragraph [0065] Referring now to FIG. 4, there is shown a diagram depicting an example of a method of mapping a user's 101 identity to bind authorizations, according to one embodiment. User 101 logs in 403 via endpoint management system 401. Based on the log-in information, user 101 is matched 404 to user's account on identity provider 402 (which may, for example be an Active Directory), so as to determine which resources the user 101 is authorized to access. [0073], [0075] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers. On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver (i.e., associating  "smithj0422" which is the first identifier obtained from identity provider/active directory /authoritative source for “jsmith” as an identity/user). Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity), 
the plurality of source systems include at least one …server and the identity management data comprises … object data on … database objects of the … server and entitlement data on a set of entitlements, wherein each of the set of entitlements is associated with a second identifier and an associated … database object of the … database objects (Paragraph [0071] Referring now to FIG. 6, there is shown a diagram depicting an example of a method of mapping the identity of a user 101 from an identity provider 402 (such as Active Directory 402) through to a service provider 602, importing entitlements, and filtering access based on user's 101 identity, according to one embodiment. In this manner, user 101 can be known system-wide via dynamic account mapping after logging in at a single location. [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., group called Managers is the second identifier and the entitlements are associated with the second identifier/Managers group). On service provider 602 (which in this example is SAP), user 101 is known as "smithj0422" and is entitled to see records (such as purchase orders 603) that have smithj0422 as approver. Also, service provider 602 specifies that user 101 is able to approve purchase orders 604. Since these entitlements in the active purchase order can be copied into transient repository 1403, the consolidated identity framework imports the entitlements that originated from service provider 602, and can filter access appropriately based on user's 101 identity (i.e., source system includes source server/server → service provider name and set of entitlements for the objects). Also see [0041] consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems)); 
receiving a criteria associated with a first identity of the set of identities (Paragraph [0073] For example, as shown in FIG. 6, user 101 logs in 601 as "jsmith" with identity provider 402, and is determined to be a member of a group called Managers (i.e., receiving criteria is “determining a group” with first identity from the set of identities/groups. In prior art group called managers is the criteria); 
Yared et al fails to explicitly teach, SQL database objects … SQL database objects,  …SQL server … SQL object data on SQL database objects of the SQL server…, …. SQL database object of the SQL database objects; determining one or more entitlements to SQL database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated SQL database objects in association with the first identity.  
Tandon; Sanjay (US 20150012966 A1) teaches, determining one or more entitlements to … database objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity (Paragraph [0189] It is also clearly evident that any attempt to accurately assess the cumulative set of a user's entitlements must take into account the cumulative set of a user's affiliations 
wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity (Paragraph [0325] The Cumulative Access Entitlement Inference & Assimilation 65 process involves the determination of the entity's cumulative access entitlement set 66 across the specified scope of the information system, based on the entity's cumulative system-level access grants 64 and based on a set of system-level operation to administrative task mappings 56, i.e. the set of all administrative tasks that the entity 58 is entitled to performing (i.e., based on second identifier), based on the entity's effective cumulative system-level access 64 across the specified scope of the information system (i.e., based on first identifier). This set of system-level operation to administrative task mappings 56 provides the mappings required to determine the administrative task that corresponds to a system-level operation authorized on a specific type of securable resource/objects. This step thus determines the set of all administrative tasks 66 that the entity 58 is entitled to perform across the specified scope of the information system, by virtue of the cumulative set of authorization intent specifications 62 that exists across the specified scope of the information system for the entity 58 or any of its security affiliations 60 (i.e., the cumulative entitlements are determined by correlating the second identifier, which is the Group SID/admin tasks that the user is entitled to, with the User SID, which is the user's/entity's cumulative system-level access grants for the first user/user name, which is the first identity. For clarity on identifiers please see Paragraphs [0167]-[0169], [0189]));
and presenting the one or more entitlements and associated … database objects in association with the first identity (Paragraph [0326] the Cumulative Entitlement Reporting (Output) 67 process reports the results of the cumulative access entitlement 68, which are in effect the same as 66, presented in a meaningful fashion.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Yared et al by providing a method of determining one or more entitlements to objects based on the second identifier associated with each of the set of entitlements and the first identifier for the first identity, wherein the one or more entitlements are associated with the first identity and are determined by correlating the second identifier associated with one or more entitlements with the first identifier for the first identity; and presenting the one or more entitlements and associated objects in association with the first identity as taught by Tandon et al (Paragraphs [0325]-[0326]).
One of ordinary skill in the art would have been motivated to make this modification, by providing a method and system for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user, as taught by Tandon et al (Abstract).
Yared et al and Tandon et al fail to explicitly teach, SQL database objects … SQL database objects, …SQL server … SQL object data on SQL database objects of the SQL server…, …. SQL database object of the SQL database objects; …SQL database objects …; …SQL database objects …
FILIP; Marcin (US 20210318998 A1) teaches, SQL database objects and entitlements associated with the SQL database objects,… (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 248). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc),
	… source systems include at least one SQL server … (Examiner interprets SQL server as a relational database management system/server to execute SQL queries) SQL object data on SQL database objects of the SQL server … (Paragraph [0045] … (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc); 
	…identifier and an associated SQL database object of the SQL database objects; …SQL database objects based on the …identifier … ; … SQL database objects in association with the … identity (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 248). Also see (Paragraph [0099] With use of appropriate annotations, an ORM framework like JPA can automatically provide data definition language (DDL) statements to define relational database queries, e.g., in SQL language for execution on database 248 in order to create tables, insert data, etc).
Therefore it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Yared et al and Tandon et al by providing SQL database objects and entitlements associated with the SQL database objects,… source systems include at least one SQL server … SQL object data on SQL database objects of the SQL server …; SQL database object of the SQL database objects; SQL database objects based on the second identifier …; …identifier and an associated SQL database object of the SQL database objects, as taught by FILIP et al (Paragraph [0031], [0045]).
One of ordinary skill in the art would have been motivated to make this modification, because doing so would improve algorithm efficiency, memory usage efficiency, maintainability, and reliability as taught by FILIP et al (Paragraph [0004]).

Regarding dependent claim 16, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 15. 
Tandon et al further teaches, wherein the first identifier and the second identifier is a Security Identifier (SID) (Paragraphs [0162]-[0163] user SID is first security identifier and group ID is second security identifier).  

Regarding dependent claim 17, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 15. 
Tandon et al further teaches, wherein the first identifier is associated with a group to which the first identity belongs (Paragraph [0167] in order for an access check to validate whether or not a user attempting access to a securable resource is in fact authorized such access, it should further take into account the SID of the user him/herself and list of all group SIDs to which the user might belong (i.e., first identifier is associated with a group to which the first identity/user belongs)). 

Regarding dependent claim 18, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 17. 
Tandon et al further teaches, where at least one of the one or more entitlements is inherited by the first identity through the group (Paragraph [0186] it is evident from the illustration that John Doe's user account 500 is a direct member of seven groups 501, 502, 503, 504, 505, 506 and 507. Note that a simple inspection of the user's account will reveal that John Doe is only a member of seven groups. However, as we can see, each of these seven groups in turn is a member of numerous other groups. In fact, closer inspection reveals that John Doe is transitively a member of fourteen security groups. Paragraph [0187] from an access control perspective, ultimately, John is a member of all these groups and thus is cumulatively granted the entirety of all permissions that may exist anywhere in the system for any one of these fourteen groups. In effect, John is entitled to performing the set of all administrative tasks that are cumulatively authorized by the presence of the entire set of permissions that exist across the information system for all these fourteen groups (i.e., entitlements are inherited by the first identity through the groups)).

Regarding dependent claim 19, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 15. 
Tandon et al further teaches, wherein a first entitlement of the one or more entitlements is to a first …database object and a second entitlement of the one or more entitlements is to a second … database object that is a child object of the first … database object, and wherein the second entitlement was determined based on the second …database object being a child object of the first … database object (Fig. 6 Paragraph [0197]; first ACE 252 (i.e., first entitlement) allows the security principal S-1-5-123-456-789-001 Read Property access to the User Name attribute on this object (i.e., first database object); Paragraph [0202], lines 51-55; ACE 256 (i.e., second entitlement) allows the security principal S-1-5-123-456-657-051 Create Child access to the User Name attribute on this object; this ACE thus grants the user represented by this SID the ability to create new objects (i.e., second database object) under this object).
	FILIP et al further teaches, entitlements is to a … entitlements is to a …SQL database object … SQL database object … SQL database object … SQL database …. SQL database object (Paragraph [0031] Database 248 can include, e.g., data structure objects 1481, data dictionary 1482, and DBMS 1483. Data structure objects 1481 can include, e.g., tables, indexes, sequences, and views. Data dictionary 1482 can define various schema such as including user schema. A schema can include a collection of logical structures of data or schema data structure objects. A certain user's schema can be owned by the certain user to define the certain user's access rights to data in database 248 and, according to one embodiment, can have a name in common with the name of the certain user (database objects associated with entitlements/user rights to access the database object). A user schema of a certain user as specified in data dictionary 1482 can specify that certain user's ownership and access rights to data structure objects of data structure objects 1481 within database 248).

Regarding dependent claim 20, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 19, 
Tandon et al further teaches, wherein the second entitlement was determined utilizing a …permission model (Paragraph [0207] if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied (i.e., the second entitlement is determined based on inheritance/ permission model).
FILIP et al further teaches, …entitlement was determined utilizing a SQL permission model (Paragraph [0045] each of user A and user B may have invoked respective queries on database 248. However, whereas the database query invoked by user A was a modification query, the database operation invoked by user B was not a modification query, e.g., was only a read-only database operation such as a SELECT query in SQL (i.e., entitlement is determined based on SQL permission model).
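The Tandon passages cited for claims 10-13 (and again for claims 17-20) describe two mechanisms, transitive group membership that cumulatively grants a user every nested group's permissions, and inheritable ACEs copied to every object in the sub-tree below the object where they were applied, and the claim 15 analysis describes correlating an entitlement's trustee identifier (second identifier) with the user's own identifier (first identifier). The Python below is an added illustration of how those three steps combine; it is not code from Tandon, Yared, FILIP or the application under examination, and every SID, group name, object name and ACE in it is a constructed sample value.

```python
"""Cumulative entitlements over nested groups and inheritable ACEs.

Added illustration for this office action; not code from Tandon, Yared, FILIP
or the application under examination. Every SID, group, object and ACE below
is a constructed sample value.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    """One access control entry: a right granted to a trustee SID."""
    trustee_sid: str    # the "second identifier": user or group SID the grant names
    right: str          # e.g. "ReadProperty", "CreateChild"
    inheritable: bool   # when True, copied to every object in the sub-tree below


@dataclass
class SecurableObject:
    """A node in the object tree (e.g. a directory container or a database schema)."""
    name: str
    acl: list                                   # explicit ACEs applied at this object
    children: list = field(default_factory=list)


# Constructed sample directory. The user SID is the "first identifier";
# group SIDs join it to form the user's effective principal set.
USER_SIDS = {"jdoe": "S-1-5-21-1-1001"}
GROUP_SIDS = {
    "Managers": "S-1-5-21-1-2001",
    "Finance": "S-1-5-21-1-2002",
    "AllStaff": "S-1-5-21-1-2003",
}
# Direct memberships only; groups may themselves be members of groups.
MEMBER_OF = {
    "jdoe": {"Managers"},
    "Managers": {"Finance"},
    "Finance": {"AllStaff"},
    "AllStaff": set(),
}


def transitive_groups(principal):
    """Every group the principal belongs to directly or through nested groups.

    Breadth-first walk with a visited set, so cyclic nesting cannot loop forever.
    """
    seen = set()
    queue = deque(MEMBER_OF.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(MEMBER_OF.get(group, ()))
    return seen


def effective_acls(root):
    """Effective ACL of every object in the tree rooted at `root`.

    An inheritable ACE applied at a node is copied to each descendant; a
    non-inheritable ACE stays on the object where it was applied.
    """
    result = {}
    stack = [(root, [])]
    while stack:
        obj, inherited = stack.pop()
        acl = list(obj.acl) + inherited
        result[obj.name] = acl
        passed_down = [ace for ace in acl if ace.inheritable]
        for child in obj.children:
            stack.append((child, passed_down))
    return result


def cumulative_entitlements(user, root):
    """Correlate each ACE's trustee SID with the user's SID or any transitive
    group SID; return the user's cumulative (object, right, granting SID) set."""
    principal_sids = {USER_SIDS[user]} | {GROUP_SIDS[g] for g in transitive_groups(user)}
    entitlements = set()
    for obj_name, acl in effective_acls(root).items():
        for ace in acl:
            if ace.trustee_sid in principal_sids:
                entitlements.add((obj_name, ace.right, ace.trustee_sid))
    return sorted(entitlements)


def sample_tree():
    """Constructed three-level object tree with explicit ACEs at two levels."""
    report = SecurableObject("OU=Sales/CN=Report", acl=[])
    sales = SecurableObject(
        "OU=Sales",
        acl=[ACE(GROUP_SIDS["Finance"], "ReadProperty", inheritable=True)],
        children=[report],
    )
    return SecurableObject(
        "DC=example",
        acl=[
            ACE(GROUP_SIDS["AllStaff"], "ListContents", inheritable=False),
            ACE(USER_SIDS["jdoe"], "CreateChild", inheritable=True),
            ACE("S-1-5-21-1-9999", "WriteProperty", inheritable=True),  # unrelated principal
        ],
        children=[sales],
    )


if __name__ == "__main__":
    for obj_name, right, sid in cumulative_entitlements("jdoe", sample_tree()):
        print(f"{obj_name:22} {right:14} via {sid}")
```

In the sample data jdoe is a direct member of Managers only, yet the report lists rights granted to Finance and AllStaff because membership is followed transitively; the Finance ReadProperty ACE applied at OU=Sales reappears on the child object beneath it, while the non-inheritable AllStaff ListContents ACE shows only on the root where it was applied, and the grant to the unrelated SID never correlates with jdoe.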

Regarding dependent claim 21, Yared et al and Tandon et al teach, the non-transitory computer readable medium of claim 15. 
Yared et al further teaches, wherein the at least one … server comprises multiple …servers and the one or more entitlements comprises entitlements obtained from each of the multiple …servers (Paragraph [0031] Each electronic device may be, for example, a server, desktop computer, laptop computer, smartphone, tablet computer, and/or the like. As described herein, some devices used in connection with the system described herein are designated as client devices, which are generally operated by end users. Other devices are designated as servers, which generally conduct back-end operations and communicate with client devices (and/or with other servers) via a communications network such as the Internet. [0041] in at least one embodiment, consolidated identity module 1206 interacts with various components of the enterprise. Endpoint management systems 401 (for example including enterprise mobility management (EMM) systems), directories 1201, and identity providers 402 provide functionality for user authentication 1202, user identity/name 1203, access control groups 1204, and/or user attributes 1205 (i.e., Endpoint management systems comprise multiple service providers and entitlements are obtained from the service providers). [0063] one benefit of federated identity is the ability to use an identity provider such as Active Directory Federation Services to enable single sign-on (SSO) across multiple service providers such as Salesforce and SAP. However, it is not uncommon to have multiple identity providers that provide authentication, whether due to mergers or for compliance reasons. In at least one embodiment, the consolidated identity framework described 
FILIP et al further teaches, …SQL server… (Examiner interprets SQL server as a relational database management system/server to execute SQL queries. Paragraph [0118] Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter)). 

Conclusion
Applicant’s amendment necessitated the rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN RAJAPUTRA whose telephone number is (571) 272-4669. The examiner can normally be reached between 8:00 AM and 5:00 PM. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas (571) 272-0631 can be reached. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/S. R./ 
Examiner, Art Unit 2164

/ASHISH THOMAS/Supervisory Patent Examiner, Art Unit 2164