DETAILED ACTION
This office action is in response to the application filed on 12/16/2020.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2/22/2022 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 17-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
	The claims recite “computer readable medium” and are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter (i.e., signal per se).
	It has been noted that the ordinary and customary meaning of "computer readable storage medium" to a person of ordinary skill in the art was broad enough to encompass both non-transitory and transitory media.  See Ex Parte Mewherter (Appeal 2012-007692) (Precedential).
	Transitory, propagating signals such as carrier waves are not within any of the four statutory categories (process, machine, manufacture or composition of matter).  Therefore, a claim directed to computer instructions embodied in a signal is not statutory under 35 U.S.C. 101.  In re Nuijten, 500 F.3d 1346, 1354 (Fed. Cir. 2007).
	The dependent claim(s) does/do not remedy the deficiencies of their respective parent claim(s) and is/are therefore also directed to non-statutory subject matter.
	The specification does not remedy the rejection either.  Wording such as “non-transitory computer readable storage medium” would overcome the rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 5-6, 9-11, 13-14, 17, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2017/0295197 A1), in view of Zettel et al. (US 2019/0268354 A1). 
Regarding claims 1, 11, and 17, Parimi teaches:
“An apparatus comprising:
	a processor (Parimi, ¶ 53 teaches processor); and
	a memory on which is stored machine-readable instructions that cause the processor (Parimi, ¶ 53 and 271 teaches processor, memory, computer readable medium implementations to execute method steps) to:
	identify activities of an entity on a plurality of resources over a predetermined period of time (Parimi, ¶ 69, user 104, making references to elements in Fig 17, teaches using client device 102 accesses cloud based services 108A and 108B which are monitored over a period of time by monitoring module 202. Parimi, Fig. 17, ¶ 261 states that the dynamic privilege adjustment builds on Figs 1-16), wherein the entity is to use permissions assigned to the entity over the plurality of resources to perform the identified activities (Parimi, ¶ 69, making references to elements in Fig 17, teaches access privilege 110 for one of a given cloud resources is adjusted dynamically based on the user behavior);
	identify which of a plurality of groups of permissions includes the permissions the entity used to perform the identified activities (Parimi, ¶ 65-66 making references to elements in Fig 17, teaches that users are assigned to multiple groups of privileges based on their role.  Parimi, ¶ 196-199 further teaches that the user activities 1712, user permissions 1708 and role privileges 1708 are analyzed for privilege patterns 1714);
	determine permutations of the identified plurality of groups of permissions (Parimi, Fig. 14, ¶ 254, making references to elements in Fig 17, infrastructure security server 100 simulates various scenarios when rarely used privileges are removed for various groups and their corresponding change in risk);
	calculate respective scores for each of the determined permutations to identify permutations of the groups of permissions (Parimi, Fig. 14, ¶ 161-162, 164, and 254, risk scores are calculated at the lowest levels of granularity including activities and privileges, then aggregated based on groupings); and
	output information pertaining to the determined permutations (Parimi, Fig. 14, ¶ 253-254, user interface shows the risk score and permuted risk score having a much lower and improved risk based on the reduction of privileges)”.
	Parimi does not, but in related art, Zettel, Fig. 3, ¶ 60, depicts and discusses a GUI with risk analysis that is sorted based on risk with the lowest risk elements being identified and displayed at the bottom of the list.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Parimi and Zettel, to modify the dynamic permission adjustment system of Parimi to include the method to arrange, identify and display information regarding the lowest risk elements of a set by ordering them at the bottom.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
 
Regarding claim 2, Parimi, in view of Zettel teaches:
“The apparatus of claim 1 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein each of the plurality of groups of permissions corresponds to a particular role within an organization (Parimi, ¶ 65-66 teaches that role privileges which further correspond to a position like the CEO which may encompass several roles)”.

Regarding claim 3, Parimi, in view of Zettel teaches:
“The apparatus of claim 1 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein at least one of the plurality of groups of permissions includes permissions that the entity did not use to perform the identified activities on the plurality of resources over the predetermined period of time (Parimi, ¶ 65 and 69, risk analysis is performed on the permission that a given user group may have which include unused privileges that unnecessarily increase risk exposure)”.

Regarding claims 5 and 13, Parimi, in view of Zettel teaches:
“The apparatus of claim 3 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the values correspond to respective attack surfaces of the permissions (Parimi, ¶ 110-111 teaches determining the attack surface of a given permission configuration)”.

Regarding claims 6, 14, and 19, Parimi, in view of Zettel teaches:
“The apparatus of claim 1 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the instructions further cause the processor to: identify a current set of permissions assigned to the entity over the plurality of resources (Parimi, Fig. 14, ¶ 253-254, user interface shows the current risk score based on the existing permissions and permuted risk score having a much lower and improved risk based on the reduction of privileges); 	calculate a score of the current set of permissions (Parimi, Fig. 14, ¶ 253-254, user interface shows the current risk score based on the existing permissions and permuted risk score having a much lower and improved risk based on the reduction of privileges); 	determine which of the permutations of groups have scores that are below the score of the current set of permissions (Parimi, Fig. 14, ¶ 253-254, user interface shows the current risk score based on the existing permissions and permuted risk score having a much lower and improved risk based on the reduction of privileges); and 	output information pertaining to the determined permutations that have scores that are below the score of the current set of permissions (Parimi, Fig. 14, ¶ 253-254, user interface shows the current risk score based on the existing permissions and permuted risk score having a much lower and improved risk based on the reduction of privileges)”.

Regarding claim 9, Parimi, in view of Zettel teaches:
“The apparatus of claim 1 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the instructions cause the processor to arrange the permutations of groups in an ascending order according to the calculated respective scores of the permutations (Parimi, Fig. 14, ¶ 253-254, user interface shows the risk score and permuted risk score having a much lower and improved risk based on the reduction of privileges.  Zettel Fig. 3, ¶ 60 depicts and discusses a GUI with risk analysis that is sorted based on risk with the lowest risk elements being identified and displayed at the bottom of the list)”.

Regarding claim 10, Parimi, in view of Zettel teaches:
“The apparatus of claim 1 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the instructions cause the processor to: identify the permutation of groups having a lowest calculated score; and 	assign the permissions in the identified permutation of groups to the entity over the plurality of resources (Parimi, Fig. 14, ¶ 161-162, 164, and 254, risk scores are calculated at the lowest levels of granularity including activities and privileges, then aggregated based on groupings.  Parimi, ¶ 69, permissions are dynamically adjusted based on activity and analysis of risk)”.

Regarding claim 20, Parimi, in view of Zettel teaches:
	“The computer-readable medium of claim 17 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the instructions further cause the processor to: 	identify the permutation of groups having a lowest calculated score (Zettel Fig. 3, ¶ 60 depicts and discusses a GUI with risk analysis that is sorted based on risk with the lowest risk elements being identified and displayed at the bottom of the list); and 	assign the permissions in the identified permutation of groups to the entity over the plurality of resources (Parimi, Fig. 14, ¶ 161-162, 164, and 254, risk scores are calculated at the lowest levels of granularity including activities and privileges, then aggregated based on groupings.  Parimi, ¶ 69, permissions are dynamically adjusted based on activity and analysis of risk)”. 
Claim(s) 4, 8, 12, 16, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Parimi, in view of Zettel in view of Rabin et al. (US 2021/0203687 A1).
Regarding claims 4, 12, and 18, Parimi, in view of Zettel teaches:
“The apparatus of claim 3 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein each of the permissions that the entity used to perform the identified activities and each of the permissions that the entity did not use to perform the identified activities is assigned one of a plurality of values (Parimi, ¶ 65 and 69, risk analysis is performed on the permission that a given user group may have which include unused privileges that unnecessarily increase risk exposure)”.
Parimi, in view of Zettel does not, but in related art, Rabin teaches:
“wherein to calculate the respective scores, the instructions cause the processor to: for each of the permutations of groups, multiply the values assigned to the permissions in the permutations of groups to calculate the score for the permutation of groups (Rabin, Fig. 7, ¶ 61 and 150 teach combining risk score by multiplying them by various weight factors and combining them)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Parimi, Rabin, and Zettel, to modify the dynamic permission adjustment system of Parimi and Zettel to include the method to multiplicatively combine risk elements as taught in Rabin.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claims 8 and 16, Parimi, in view of Zettel teaches:
“The apparatus of claim 6 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein each of the plurality of permissions is assigned one of a plurality of values that correspond to respective attack surfaces of the plurality of permissions and wherein the instructions further cause the processor to (Parimi, ¶ 110-111 teaches determining the attack surface of a given permission configuration)”.
Parimi, in view of Zettel does not, but in related art, Rabin teaches:
“multiply the values assigned to the permissions in the current set to calculate the score of the current set of permissions (Rabin, Fig. 7, ¶ 61 and 150 teach combining risk score by multiplying them by various weight factors and combining them)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Parimi, Rabin, and Zettel, to modify the dynamic permission adjustment system of Parimi and Zettel to include the method to multiplicatively combine risk elements as taught in Rabin.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 7 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Parimi, in view of Zettel in view of Hecht et al. (US 2021/0194913 A1). 
Regarding claims 7 and 15, Parimi, in view of Zettel teaches:
“The apparatus of claim 6 (Parimi, in view of Zettel teaches the limitations of the parent claims as discussed above), wherein the instructions further cause the processor to: 
calculate the score of the current set of permissions as a score of the low level permissions (Parimi, Fig. 14, ¶ 161-162, 164, and 254, risk scores are calculated at the lowest levels of granularity including activities and privileges, then aggregated based on groupings.  Parimi, ¶ 69, permissions are dynamically adjusted based on activity and analysis of risk)”.
Parimi, in view of Zettel does not, but in related art, Hecht teaches:
“map the current set of permissions to low level permissions (Hecht, ¶ 90, and 140-142 teaches determining the risk of the existing policy framework as the baseline for analysis with alternative settings)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Parimi, Hecht, and Zettel, to modify the dynamic permission adjustment system of Parimi and Zettel to include the method to analyze the current permission settings as taught in Hecht.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435