Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.




DETAILED ACTION
This action is in response to the Amendment filed on 02/28/2022.
Claims 1, 3-7 and 9 are under examination. Claims 2, 8 and 10 have been cancelled.
 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-7 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 2006/0218394 A1) and Daily et al. (US 2009/0089291 A1).
Regarding claim 1, Yang discloses a method for granting an operation permission via an authorization operator in a system, comprising: selecting one or more authorization operators; configuring one or more grantees for each of the selected one or more authorization operators [par. 0011, “When a system analyst sets up management rights, he/she also sets up functions and roles of the application system, and the relation between rights and roles”, par. 0056, “FIG. 3A shows how a user set up department and roles if this end-user is also a system administrator… This system not only sets up functions permission, but also provides hierarchy control among the roles, organizations, user-groups tree. It sets up multiple end-users as administrators to manage department and user of its child nodes”]; granting, by at least one of the selected one or more authorization operators, one or more operation permissions for at least one grantee requiring operation permission corresponding to the at least one of the selected one or more authorization operators [par. 0058, “Administrators can establish the relation of right and role, as shown in FIG. 5B and FIG. 5C”, par. 0004, “the administrator of each department has his/her own access role control branch to manage access roles of the members in his/her department”, claim 1, “determining whether the end-user is a department manager, and, if so, allowing the department manager to select to add or modify roles, privileges or functions to a new system or a new end-user”]; and executing, by the at least one grantee, a corresponding operation according to one of the granted one or more operation permissions [claim 1, “the end-user can use the system with granted role and privileges, and predetermined functions”]; and the user is configured to obtain one or more operation permissions of the related said role or more roles [par. 0055, “If OUm administrator 38 is a system analyst as well as an end-user, we can assume manager=system analyst=end-user, then manager 38 is end-user 42, and therefore he owns 1 . . . M roles. If role 44 has rights 46 which owns function 1 . . . M, then end-user's 42 system login privilege 48 will have rights for function permission 49 of M.times.M. In another word an end-user's rights are defined by his role, the role's rights, and the functions permission the rights own. Every system login privilege 48 will obtain some functions permission through its rights, every end-user's role and rights set up the end-user's functions permission 50. Therefore, every OU administrator 34 and every end-user 42 will own his own functions and rights to distribute responsibility and resource sharing”].
Yang does not explicitly disclose wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class, and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles;
However Daily et al. teaches wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class [par. 0021, “a system and method for enabling Roles to be implemented as Entities in a system, independent of Groups and users... The invention contemplates a Role as an Entity or object in the system that helps to decouple these characteristics from the Group and user Entities”], and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles [par. 0061, “the PA 105 determines which Login-ID is to be assigned as the RoleOwner (step 305)” (one RO for a role), par. 0062, “The RDM utility 155 determines the Roles for which Login-ID is specified as a RoleOwner (step 352)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Daily et al. into the teaching of Yang with the motivation to enable creation, configuration, maintenance, ownership and usage of roles and for implementing relationships between the Role and other system entities, attributes and permissions as taught by Daily et al. [Daily et al.: abs.].
Regarding claim 5, the rejection of claim 1 is incorporated.
Yang further discloses the one or more grantees corresponding to one selected authorization operator do not comprise the one selected authorization operator [par. 0004, “If an organization's manager(s) is also a role system manager, he will be able to delegate his subordinates' roles and privileges, as well as distribute roles and access privileges in order to manage work duties and division of labor”].
Regarding claim 6, the rejection of claim 1 is incorporated.
Yang further discloses when one or more grantees are configured for one authorization operator, if one department is selected as one grantee, all roles under the said one department are configured to be the grantees corresponding to the one authorization operator, and any role or roles added subsequently under the said one department are configured to be the grantees corresponding to the one authorization operator [par. 0004, “If an organization's manager(s) is also a role system manager, he will be able to delegate his subordinates' roles and privileges, as well as distribute roles and access privileges in order to manage work duties and division of labor”, par. 0055, “Organization administrator and role administrator are explained below based on the traditional tree structure's organization and role relation. In right side of FIG. 2, the organization structure 30 is a tree structure 31, node 34 represents department administrator, and branch 36 represents departments under the node. Every department belongs to either root 32 or another node 34. The OU administrator can manage all the end-users and leaf-end-users under this OU. The left of FIG. 2 shows end-users' and roles relation of end-users' access role and rights 40”, claim 10, “means for department managers to add or modify the department personnel list, and manage the role and privileges assigned to end-users within the department, including: … subordinate departments”].
Regarding claim 7, Yang discloses a method for granting an operation permission via an authorization operator in a system, comprising: selecting one or more authorization operators; configuring one or more operation authorized permissions to be granted to one or more grantees for each of the selected authorization operator respectively [par. 0011, “When a system analyst sets up management rights, he/she also sets up functions and roles of the application system, and the relation between rights and roles”, par. 0056, “FIG. 3A shows how a user set up department and roles if this end-user is also a system administrator… This system not only sets up functions permission, but also provides hierarchy control among the roles, organizations, user-groups tree. It sets up multiple end-users as administrators to manage department and user of its child nodes”]; granting, by at least one of the selected one or more authorization operators to at least one grantee, one or more operation permissions requiring grantee configuration [par. 0058, “Administrators can establish the relation of right and role, as shown in FIG. 5B and FIG. 5C”, par. 0004, “the administrator of each department has his/her own access role control branch to manage access roles of the members in his/her department”, claim 1, “determining whether the end-user is a department manager, and, if so, allowing the department manager to select to add or modify roles, privileges or functions to a new system or a new end-user”]; and executing, by the at least one grantee, a corresponding operation according to one of the granted one or more operation permissions [claim 1, “the end-user can use the system with granted role and privileges, and predetermined functions”]; and the user is configured to obtain one or more operation permissions of the related said role or more roles [par. 0055, “If OUm administrator 38 is a system analyst as well as an end-user, we can assume manager=system analyst=end-user, then manager 38 is end-user 42, and therefore he owns 1 . . . M roles. If role 44 has rights 46 which owns function 1 . . . M, then end-user's 42 system login privilege 48 will have rights for function permission 49 of M.times.M. In another word an end-user's rights are defined by his role, the role's rights, and the functions permission the rights own. Every system login privilege 48 will obtain some functions permission through its rights, every end-user's role and rights set up the end-user's functions permission 50. Therefore, every OU administrator 34 and every end-user 42 will own his own functions and rights to distribute responsibility and resource sharing”].
Yang does not explicitly disclose wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class, and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles;
However Daily et al. teaches wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class [par. 0021, “a system and method for enabling Roles to be implemented as Entities in a system, independent of Groups and users... The invention contemplates a Role as an Entity or object in the system that helps to decouple these characteristics from the Group and user Entities”], and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles [par. 0061, “the PA 105 determines which Login-ID is to be assigned as the RoleOwner (step 305)” (one RO for a role), par. 0062, “The RDM utility 155 determines the Roles for which Login-ID is specified as a RoleOwner (step 352)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Daily et al. into the teaching of Yang with the motivation to enable creation, configuration, maintenance, ownership and usage of roles and for implementing relationships between the Role and other system entities, attributes and permissions as taught by Daily et al. [Daily et al.: abs.].
Regarding claim 9, Yang discloses a method for granting an operation permission via an authorization operator in a system, comprising: selecting one or more authorization operators; configuring one or more operation permissions to be granted to one or more grantees for each of the selected authorization operator respectively; configuring one or more grantees for each selected authorization operators respectively [par. 0011, “When a system analyst sets up management rights, he/she also sets up functions and roles of the application system, and the relation between rights and roles”, par. 0056, “FIG. 3A shows how a user set up department and roles if this end-user is also a system administrator… This system not only sets up functions permission, but also provides hierarchy control among the roles, organizations, user-groups tree. It sets up multiple end-users as administrators to manage department and user of its child nodes”]; granting, by at least one of the selected one or more authorization operators, one or more operation permissions corresponding to the at least one of the selected one or more authorization operators to at least one grantee corresponding to the at least one of the selected one or more authorization operator [par. 0058, “Administrators can establish the relation of right and role, as shown in FIG. 5B and FIG. 5C”, par. 0004, “the administrator of each department has his/her own access role control branch to manage access roles of the members in his/her department”, claim 1, “determining whether the end-user is a department manager, and, if so, allowing the department manager to select to add or modify roles, privileges or functions to a new system or a new end-user”]; and executing, by the at least one grantee, a corresponding operation according to one of the granted one or more operation permissions [claim 1, “the end-user can use the system with granted role and privileges, and predetermined functions”]; and the user is configured to obtain one or more operation permissions of the related said role or more roles [par. 0055, “If OUm administrator 38 is a system analyst as well as an end-user, we can assume manager=system analyst=end-user, then manager 38 is end-user 42, and therefore he owns 1 . . . M roles. If role 44 has rights 46 which owns function 1 . . . M, then end-user's 42 system login privilege 48 will have rights for function permission 49 of M.times.M. In another word an end-user's rights are defined by his role, the role's rights, and the functions permission the rights own. Every system login privilege 48 will obtain some functions permission through its rights, every end-user's role and rights set up the end-user's functions permission 50. Therefore, every OU administrator 34 and every end-user 42 will own his own functions and rights to distribute responsibility and resource sharing”].
Yang does not explicitly disclose wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class, and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles;
However Daily et al. teaches wherein the at least one grantee comprises a role, wherein said role is independent which is not a group or class [par. 0021, “a system and method for enabling Roles to be implemented as Entities in a system, independent of Groups and users... The invention contemplates a Role as an Entity or object in the system that helps to decouple these characteristics from the Group and user Entities”], and during a same period, said role is configured to be related to one user only, and said user is configured to be related to said role or more roles [par. 0061, “the PA 105 determines which Login-ID is to be assigned as the RoleOwner (step 305)” (one RO for a role), par. 0062, “The RDM utility 155 determines the Roles for which Login-ID is specified as a RoleOwner (step 352)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Daily et al. into the teaching of Yang with the motivation to enable creation, configuration, maintenance, ownership and usage of roles and for implementing relationships between the Role and other system entities, attributes and permissions as taught by Daily et al. [Daily et al.: abs.].


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 2006/0218394 A1) and Daily et al. (US 2009/0089291 A1) as applied to claims 1, 5-7 and 9 above, and further in view of B’Far et al. (US 2014/0129268 A1) and Allababidi et al. (US 7,827,615 B1).
Regarding claim 3, the rejection of claim 2 is incorporated.
Yang and Daily et al. do not disclose when or after a role is created, a department is selected for the role, wherein the role belongs to the department; the role is authorized according to the work content of the role, a name of the role is unique under the department, and a number of the role is unique in the system.
B’Far et al. further teaches when or after a role is created, a department is selected for the role, wherein the role belongs to the department; the role is authorized according to the work content of the role, a name of the role is unique under the department, and a number of the role is unique in the system [par. 0054, “a role hierarchy can be constructed of roles (named roles and/or virtual roles), where the leaves of the role hierarchy are permissions. This hierarchical description can offer convenience and ease of understanding in that at upper levels of the role hierarchy the role is likely to correspond to a job”, see fig. 2A, par. 0067, “the person who fills the accounts payable manager job 202.sub.4 is the boss of the person who fills the accounts payable supervisor job 202.sub.6. The accounts payable supervisor job 202.sub.6 takes on the invoice registration duty 203.sub.9, the disbursement management duty 203.sub.10, and the supplier management duty 203.sub.11. Continuing, the supplier management duty 203.sub.11 needs certain permissions, specifically the create supplier permission 204.sub.7 and the create supplier contact permission 204.sub.8…”];
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of B’Far et al. into the teaching of Yang and Daily et al. with the motivation to optimize the assignment of permissions (e.g., ability to write to a database, ability to create a new account, etc.) to jobs as taught by B’Far et al. [B’Far et al.: abs.].
They do not explicitly disclose when said user is transferred from a post, the user's relation to the original role is canceled, and the user is configured to be related to a new role.
However, Allababidi et al. teaches when said user is transferred from a post, the user's relation to the original role is canceled, and the user is configured to be related to a new role [col. 4, line 64-col. 5, line 6, “Before the transfer, the user Ann 114 had access to resources based on the billing user roles 122 assigned by the administrator Angela 104 to the user Ann 114 in the collections user group 110, which exclusively belongs to the administrator Angela 114. After the transfer, the user Ann 114 has access to resources based on the billing user roles 122 assigned by the administrator Barbara 106 to the user Ann 114 in the invoicing user group 116, which exclusively belongs to the administrator Barbara 106”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Allababidi et al. into the teaching of Yang, Daily et al. and B’Far et al. with the motivation to modify a user role for a user wherein the user accesses a resource based on the user role as taught by Allababidi et al. [Allababidi et al.: abs.].

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 2006/0218394 A1) and Daily et al. (US 2009/0089291 A1) as applied to claims 1, 5-7 and 9 above, and further in view of Duncan et al. (US 2006/0048224 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Yang discloses a method for authorizing an authorization operator in a system;
Yang and Daily et al. do not explicitly disclose recording the grant information of the operation permission of the selected one or more authorization operators.
However Duncan et al. teaches recording the grant information of the operation permission of the selected one or more authorization operators [par. 0060, “An audit trace log 80 is maintained in the permission wrapper 22 to provide a log file list of all changes in permission settings and the three different main Access Control Rules (Wrapper 40, Content 42 and Administrative 44). The audit trace log 80 provides information on the protected files 24 and directories 25 in the permission wrapper 22, user operations on protected files, requested changes to permission template settings, user add/modify/delete operations, and all sharing operations”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Duncan et al. into the teaching of Yang and Daily et al. with the motivation to provide information on requested changes to permission template settings and to provide audit capability describing what actions the user has performed as taught by Duncan et al. [Duncan et al.: abs., par. 0060].
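The rejections above describe, in claim language, one access-control model: an authorization operator is configured with grantees (individual roles or whole departments, the latter covering roles added later), grants permissions to those grantees, a role is an independent entity held by at most one user at a time while a user may hold several roles, a transfer cancels the old role relation before a new one is made, and every grant is recorded for audit. The following Python sketch is an added illustration of that model written for this page; it is not code from Yang, Daily et al., B’Far et al., Allababidi et al., Duncan et al., or the applicant, and all class, method and sample names (RoleSystem, op_billing, ann, and so on) are assumptions chosen for the example.

```python
"""Toy model of the role-based grant scheme discussed in the rejections.

Constructed example for illustration only; names are assumptions.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional, Set

_role_numbers = count(1)  # role number unique across the whole system


@dataclass
class Role:
    name: str
    department: str
    number: int = field(default_factory=lambda: next(_role_numbers))
    user: Optional[str] = None            # at most one user at any given time
    permissions: Set[str] = field(default_factory=set)


class RoleSystem:
    def __init__(self) -> None:
        self.roles: Dict[int, Role] = {}
        self.dept_roles: Dict[str, Set[int]] = {}       # department -> role numbers
        self.operator_roles: Dict[str, Set[int]] = {}   # operator -> role grantees
        self.operator_depts: Dict[str, Set[str]] = {}   # operator -> department grantees
        self.audit: List[dict] = []                     # grant information for audit

    def create_role(self, name: str, department: str) -> Role:
        # role name unique under its department; number unique in the system
        for n in self.dept_roles.get(department, ()):
            if self.roles[n].name == name:
                raise ValueError(f"role {name!r} already exists in {department}")
        role = Role(name, department)
        self.roles[role.number] = role
        self.dept_roles.setdefault(department, set()).add(role.number)
        return role

    def bind_user(self, role_number: int, user: str) -> None:
        role = self.roles[role_number]
        if role.user is not None and role.user != user:
            raise ValueError(f"role {role.number} is already held by {role.user}")
        role.user = user

    def transfer_user(self, user: str, old_role: int, new_role: int) -> None:
        # transfer cancels the original relation before establishing the new one
        if self.roles[old_role].user != user:
            raise ValueError("user does not hold the original role")
        self.roles[old_role].user = None
        self.bind_user(new_role, user)

    def configure_grantees(self, operator: str, roles=(), departments=()) -> None:
        self.operator_roles.setdefault(operator, set()).update(roles)
        self.operator_depts.setdefault(operator, set()).update(departments)

    def grantees_of(self, operator: str) -> Set[int]:
        # a department grantee covers every role under it, including roles added later
        numbers = set(self.operator_roles.get(operator, ()))
        for dept in self.operator_depts.get(operator, ()):
            numbers |= self.dept_roles.get(dept, set())
        return numbers

    def grant(self, operator: str, role_number: int, permission: str) -> None:
        if role_number not in self.grantees_of(operator):
            raise PermissionError(f"{operator} may not grant to role {role_number}")
        self.roles[role_number].permissions.add(permission)
        self.audit.append({"operator": operator, "role": role_number,
                           "permission": permission})

    def user_permissions(self, user: str) -> Set[str]:
        # a user obtains the permissions of every role currently related to them
        held = [r.permissions for r in self.roles.values() if r.user == user]
        return set().union(*held)

    def execute(self, user: str, operation: str) -> bool:
        return operation in self.user_permissions(user)


def demo():
    """Walk through grant, multi-role user, late-added role, and transfer."""
    s = RoleSystem()
    clerk = s.create_role("clerk", "billing")
    s.configure_grantees("op_billing", departments=["billing"])
    s.grant("op_billing", clerk.number, "create_invoice")
    auditor = s.create_role("auditor", "billing")   # added after the department was selected
    s.grant("op_billing", auditor.number, "read_ledger")
    s.bind_user(clerk.number, "ann")
    s.bind_user(auditor.number, "ann")              # one user, several roles
    before = s.user_permissions("ann")
    reviewer = s.create_role("reviewer", "audit")
    s.transfer_user("ann", clerk.number, reviewer.number)
    after = s.user_permissions("ann")
    return before, after, len(s.audit)


if __name__ == "__main__":
    print(demo())
```

The one-user-per-role rule is enforced in bind_user, the department scope is recomputed on every grant so a role created later is covered without reconfiguring the operator, and the audit list is the grant record that a reviewer would inspect when reconciling who granted what to whom.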



Response to Arguments
Applicant’s arguments, filed on 02/28/2022, with respect to rejection under 35 USC § 103 have been considered but are moot in view of the new ground(s) of rejection.
At page 8 of the Remarks, Applicant argues that paragraph of Yang specifically teaches away from the claimed invention.
In response, the Examiner respectfully disagrees. Yang discloses that a user can own a plurality of roles (see par. 0055). Paragraph 0075 describes one embodiment in which the administrator role and the supervisor role cannot be given to the same end-user; however, the same end-user may have another role besides the administrator role. Therefore, Yang does not teach away from the claimed invention.


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 6202066 B1		Implementation of role/group permission association using object access type
US 20170126681 A1		DYNAMIC RUNTIME FIELD-LEVEL ACCESS CONTROL USING A HIERARCHICAL PERMISSION CONTEXT STRUCTURE
US 20080022370 A1		SYSTEM AND METHOD FOR ROLE BASED ACCESS CONTROL IN A CONTENT MANAGEMENT SYSTEM
US 20120246098 A1		Role Mining With User Attribution Using Generative Models
US 20200389463 A1		PERMISSION GRANTING METHOD AND SYSTEM BASED ON ONE-TO-ONE CORRESPONDENCE BETWEEN ROLES AND USERS
US 20160026717 A1		DIGITAL ASSET MANAGEMENT FOR ENTERPRISES
US 20070214497 A1		System and method for providing a hierarchical role-based access control

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431