DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to the correspondence filed on 03/31/20.  Claims 1-20 are still pending and have been considered below.

Claim Objections
Claim 6 is objected to because of the following informalities:  line 1 of the instant claim should be amended to recite “…wherein creating the access control policy for…”.  Appropriate correction is required.
Claim 13 is objected to because of the following informalities:  line 1 of the instant claim should be amended to recite “…wherein to create the access control policy for…”.  Appropriate correction is required.
Claim 20 is objected to because of the following informalities:  line 1 of the instant claim should be amended to recite “The computer-readable medium of claim [[15]]19…”.  Appropriate correction is required.
Claim 20 is objected to because of the following informalities:  line 2 of the instant claim should be amended to recite “…the processing circuitry to create the access control…”.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 8, 11, 13 and 14 recite the limitation "the access control policy" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language appears to establish a first instance of “one or more access control policies” in addition to a separate and distinct instance of “an access control policy” (see lines 2 and 4 of Claim 8); this renders the claims indefinite, in that it is unclear which one the limitation in question refers to.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because they are directed to a “computer-readable medium”, which in view of Applicant’s own disclosure, appears to reasonably encompass signals per se.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-3, 5-10, 12-17, 19 and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bhatti et al. (2015/0163252).
Claim 1:  Bhatti et al. discloses a method comprising:
receiving, with a controller device, a request to create an access control policy that permits a role to perform one or more functions in a network (receiving existing access policies from an external source for analyzing privacy compliance and deriving a new access policy) [page 3, paragraph 0031 | page 5, paragraph 0060];
determining, with the controller device, one or more operations performed on one or more objects in the network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the network (receives an access log having entries related to instances of medical record access) [page 3, paragraphs 0033 & 0039]; and
creating, with the controller device, the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network (derives a new access policy) [page 5, paragraphs 0062-0063].
Claim 2:  Bhatti et al. discloses the method of claim 1, wherein determining the one or more operations performed on the one or more objects in the network to perform the one or more functions based at least in part on tracking the performance of the one or more functions in the network comprises: determining, based at least on one or more logs generated from performing the one or more functions in the network, the one or more operations performed on the one or more objects in the network (each log entry includes various attributes such as type of action performed on a specific medical record) [page 3, paragraphs 0033 & 0039].
Claim 3:  Bhatti et al. discloses the method of claim 2, wherein: the one or more logs comprise indications of a plurality of events streamed from one or more servers of the network, and each of the plurality of events indicate an operation performed on an object in the one or more servers of the network (actions performed on EMR database through mobile healthcare server) [page 3, paragraphs 0033 & 0039 | figure 6].
Claim 5:  Bhatti et al. discloses the method of claim 1, wherein each of the one or more operations performed on the one or more objects comprise one or more of create, read, update, and delete (CRUD) operations (action can indicate viewing, modifying, adding or deleting a record) [page 3, paragraph 0039 | page 4, paragraph 0044].
Claim 6:  Bhatti et al. discloses the method of claim 5, wherein generating the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network comprises: generating the access control policy for the role that includes an indication of each of the one or more objects and includes, for each respective object of the one or more objects, an indication of the one or more of CRUD operations that the role is permitted to perform for the respective object (derived new access policy includes a modified set of permissions for different roles, such as with certain unutilized permissions for corresponding roles to perform corresponding actions removed) [page 3, paragraph 0035 | page 5, paragraphs 0060 & 0063].
Claim 7:  Bhatti et al. discloses the method of claim 1, wherein receiving the request to create the access control policy that permits the role to perform the one or more functions in a network comprises: receiving indications of one or more user intents that indicate the one or more functions that the role is permitted to perform in the network (existing policy includes set of roles and corresponding set of accesses that are permitted for each role) [page 3, paragraph 0031 | page 5, paragraph 0060].
Claim 8:  Bhatti et al. discloses a device comprising:
memory configured to store one or more access control policies [figure 6];
processing circuitry operably coupled to the memory and configured to: 
receive a request to create an access control policy that permits a role to perform one or more functions in a network [page 3, paragraph 0031 | page 5, paragraph 0060]; 
determine one or more operations performed on one or more objects in the network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the network [page 3, paragraphs 0033 & 0039]; and
create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network [page 5, paragraphs 0062-0063].
Claim 9:  Bhatti et al. discloses the device of claim 8, wherein to determine the one or more operations performed on the one or more objects in the network to perform the one or more functions based at least in part on tracking the performance of the one or more functions in the network, the processing circuitry is further configured to: determine, based at least on one or more logs generated from performing the one or more functions in the network, the one or more operations performed on the one or more objects in the network [page 3, paragraphs 0033 & 0039].
Claim 10:  Bhatti et al. discloses the device of claim 9, wherein: the one or more logs comprise indications of a plurality of events streamed from one or more servers of the network, and each of the plurality of events indicate an operation performed on an object in the one or more servers of the network [page 3, paragraphs 0033 & 0039 | figure 6].
Claim 12:  Bhatti et al. discloses the device of claim 8, wherein each of the one or more operations performed on the one or more objects comprise one or more of create, read, update, and delete (CRUD) operations [page 3, paragraph 0039 | page 4, paragraph 0044].
Claim 13:  Bhatti et al. discloses the device of claim 12, wherein to generate the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network, the processing circuitry is further configured to: generate the access control policy for the role that includes an indication of each of the one or more objects and includes, for each respective object of the one or more objects, an indication of the one or more of CRUD operations that the role is permitted to perform for the respective object [page 3, paragraph 0035 | page 5, paragraphs 0060 & 0063].
Claim 14:  Bhatti et al. discloses the device of claim 8, wherein to receive the request to create the access control policy that permits the role to perform the one or more functions in a network, the processing circuitry is further configured to: receive indications of one or more user intents that indicate the one or more functions that the role is permitted to perform in the network [page 3, paragraph 0031 | page 5, paragraph 0060].
Claim 15:  Bhatti et al. discloses a computer-readable medium comprising instructions that, when executed, cause processing circuitry executing an access control policy controller for a network to:
receive a request to create an access control policy that permits a role to perform one or more functions in the network [page 3, paragraph 0031 | page 5, paragraph 0060];
determine one or more operations performed on one or more objects in the network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the network [page 3, paragraphs 0033 & 0039]; and
create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network [page 5, paragraphs 0062-0063].
Claim 16:  Bhatti et al. discloses the computer-readable medium of claim 15, wherein the instructions that, when executed, cause the processing circuitry to determine the one or more operations performed on the one or more objects in the network to perform the one or more functions based at least in part on tracking the performance of the one or more functions in the network further cause the processing circuitry to: determine, based at least on one or more logs generated from performing the one or more functions in the network, the one or more operations performed on the one or more objects in the network [page 3, paragraphs 0033 & 0039].
Claim 17:  Bhatti et al. discloses the computer-readable medium of claim 16, wherein: the one or more logs comprise indications of a plurality of events streamed from one or more servers of the network, and each of the plurality of events indicate an operation performed on an object in the one or more servers of the network [page 3, paragraphs 0033 & 0039 | figure 6].
Claim 19:  Bhatti et al. discloses the computer-readable medium of claim 15, wherein each of the one or more operations performed on the one or more objects comprise one or more of create, read, update, and delete (CRUD) operations [page 3, paragraph 0039 | page 4, paragraph 0044].
Claim 20:  Bhatti et al. discloses the computer-readable medium of claim 15, wherein the instructions that, when executed, cause the processing circuitry to generate the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the network further cause the processing circuitry to: generate the access control policy for the role that includes an indication of each of the one or more objects and includes, for each respective object of the one or more objects, an indication of the one or more of CRUD operations that the role is permitted to perform for the respective object [page 3, paragraph 0035 | page 5, paragraphs 0060 & 0063].

Allowable Subject Matter
Claims 4, 11 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Ashley et al. (2014/0109168).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The examiner can normally be reached Monday-Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EDWARD ZEE/Primary Examiner, Art Unit 2435