DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a Non-Final Office Action in response to the communication filed on June 25, 2019.
Claims 1-21 have been examined.


Drawings
The drawings filed on June 25, 2019 are acceptable for examination proceedings.


Allowable Subject Matter 
Claims 6, 13, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance:
Regarding dependent claims 6, 13, and 20:
The closest prior art Hecht discloses:
“…automatically developing, based on the analysis of the information, a least-privilege profile for the first identity, the least-privilege profile including permissions corresponding to the particular actions with respect to the particular network resources and excluding permissions that do not correspond to the particular actions with respect to the particular network resources…” (Abstract). 

The second closest prior art Denton discloses profile sharing between users (Para 0015).

The third closest prior art Shukla discloses: 
“…detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an API call and system call…” (Abstract).

However, the prior art, alone or in combination, fails to teach or suggest the claimed limitations of dependent claims 6, 13, and 20: “...recording code that is executed while interacting with the user interface during the workflow, wherein the recorded code includes the API calls;
excluding, from the recorded code, API calls that are irrelevant to the workflow;
obfuscating confidential data that is present in the recorded code;
converting the recorded code into a script; and
translating the script into a language usable by a processor to identify the API calls and the privileges”, along with the other limitations of dependent claims 6, 13, and 20.
For this reason, the specific claim limitations recited in dependent claims 6, 13, and 20, taken as a whole, are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.



Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 5, 8-9, 12, 15-16, and 19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hecht et al. (U.S. Patent No.: US 10,148,701 B1 / or “Hecht” hereinafter).

Regarding claim 1, Hecht discloses “A method to determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the method comprising” (Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment): 
“capturing application program interface (API) calls that are made while executing the workflow on a user interface in the virtualized computing environment” (Fig. 2: Step 201; and Col 9:4-15, querying via an API types of actions taken by an identity); 
“identifying privileges that correspond to the captured API calls” (Fig. 2: Step 202; and Col 9:16-41, identifies particular actions); 
“and combining the identified privileges to form the minimal set of privileges” (Fig. 2: Step 203; and Col 9:60-66, forms least-privilege profile).

Regarding claim 2, in view of claim 1, Hecht discloses “wherein capturing the API calls includes identifying the API calls from a common format that is generated by recording interactions with the user interface while executing the workflow” (Col 14:60-67, populate a permission matrix for one or more identities i.e., a “common format”), 
“and wherein identifying the privileges includes identifying the privileges from API metadata that corresponds to the captured API calls” (Col 10:6-10: “…least privilege score may be developed based on a proportion of the particular actions taken with respect to the particular network resources to the permission policy corresponding to the first identity”).

Regarding claim 5, in view of claim 1, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (Col 6:24-48, virtual environment is disclosed).

Regarding claim 8, Hecht discloses “A non-transitory computer-readable medium having instructions stored thereon, which in response to execution by one or more processors, cause the one or more processors to perform or control performance of operations to determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the operations comprising” (Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment):
“capturing application program interface (API) calls that are made while executing the workflow on a user interface in the virtualized computing environment;
identifying privileges that correspond to the captured API calls; 
and combining the identified privileges to form the minimal set of privileges” (See rejection of claim 1).

Regarding claim 9, in view of claim 8, Hecht discloses “wherein capturing the API calls includes identifying the API calls from a common format that is generated by recording interactions with the user interface while executing the workflow, and wherein identifying the privileges includes identifying the privileges from API metadata that corresponds to the captured API calls” (See rejection of claim 2).

Regarding claim 12, in view of claim 8, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (See rejection of claim 5).

Regarding claim 15, Hecht discloses “An apparatus determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the apparatus comprising” (Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment) 
“a display screen configured to present a user interface in the virtualized computing environment” (Col 6:24-48, virtual environment is disclosed); 
“an application program interface (API) converter configured to capture API calls that are made while executing the workflow on the user interface; 
and a processor coupled to the API converter and configured to: 
identify privileges that correspond to the captured API calls; 
and combine the identified privileges to form the minimal set of privileges” (See rejection of claim 1).

Regarding claim 16, in view of claim 15, Hecht discloses “wherein: to capture the API calls, the API converter is configured to identify the API calls from a common format that is generated from a recording of interactions with the user interface while executing the workflow, and to identify the privileges, the processor is configured to identify the privileges from API metadata that corresponds to the captured API calls” (See rejection of claim 2).

Regarding claim 19, in view of claim 15, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (See rejection of claim 5).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 3-4, 10-11, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Denton et al. (U.S. Patent Application Publication No.: US 2020/0004829 A1 / or “Denton” hereinafter).
	
Regarding claim 3, in view of claim 1, Hecht discloses “further comprising: generating a model that associates the minimal set of privileges to the workflow” (Col 9:60-66, forms least-privilege profile; Col 1:35-42, a model is created); 
But Hecht fails to specifically disclose applying the model to a subsequent user.
However, Denton discloses “and applying the model to a user to determine privileges to assign to the user to perform a same workflow” (Denton, Para 0015).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of Denton, applying the model to a subsequent user, in the system of Hecht to create a system allowing “…common activity data related to both the first user and the second user in the content sharing platform…”, and the ordinary person skilled in the art would have been motivated to combine them for content sharing among users (Denton, Para 0015).

Regarding claim 4, in view of claim 3, Hecht in view of Denton disclose “further comprising updating the model” (Denton, Para 0048, updates profile).


Regarding claim 10, in view of claim 8, Hecht in view of Denton disclose “wherein the operations further comprise: generating a model that associates the minimal set of privileges to the workflow; and applying the model to a user to determine privileges to assign to the user to perform a same workflow” (See rejection of claim 3).

Regarding claim 11, in view of claim 10, Hecht in view of Denton disclose “wherein the operations further comprise: updating the model” (See rejection of claim 4).

Regarding claim 17, in view of claim 15, Hecht in view of Denton disclose “wherein the processor is further configured to: generate a model that associates the minimal set of privileges to the workflow; and apply the model to a user to determine privileges to assign to the user to perform a same workflow” (See rejection of claim 3).

Regarding claim 18, in view of claim 17, Hecht in view of Denton disclose “wherein processor is further configured to update the model” (See rejection of claim 4).


Claims 7, 14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Jayant Shukla (U.S. Patent Application Publication No.: US 2019/0138715 A1 / or “Denton” hereinafter).

Regarding claim 7, in view of claim 1, Hecht discloses forming of least-privilege profile (Col 9:60-66), and creation of a profile model (Col 1:35-42).
But Hecht fails to specifically disclose intercepting API calls during run-time.
However, Shukla discloses “wherein capturing the API calls includes intercepting the API calls during run-time, separately from a recording of interactions that involve the API calls” (Shukla, Para 0081: monitor API calls during run-time).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of Shukla, intercepting API calls during run-time, in the system of Hecht to create a system where “…API calls can also be used in monitoring mode to generate a rule list dynamically. …”, and the ordinary person skilled in the art would have been motivated to combine them so that “…validation can also be enforced by inserting the validation code after the API call and validating the return to address” (Shukla, Para 0082).

Regarding claim 14, in view of claim 8, Hecht in view of Shukla disclose “wherein capturing the API calls includes intercepting the API calls during run-time, separately from a recording of interactions that involve the API calls” (See rejection of claim 7).

Regarding claim 21, in view of claim 15, Hecht in view of Shukla disclose “wherein to capture the API calls, the API converter is configured to intercept the API calls during run-time, separately from a recording of interactions that involve the API calls” (See rejection of claim 7).




Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Brown et al. (U.S. Patent No.: US 9,531,805 B1) discloses:
		…When an API call has been sent by a first application since a last recurring checkpoint, the sent API call is processed one of several ways. Sometimes the API call is immediately terminated. Alternatively, the first application server waits a waiting period for an answer to the API call, and during the waiting period any new API calls are captured and not sent. Upon completion of the waiting period, if no answer has been returned, the API call is terminated. Then a new checkpoint of the application is taken in order to obtain a new checkpoint data set. The application is then migrated to another application server using the new checkpoint data set (Abstract).


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is (571) 270-3392. The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431