DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4,6-11,13-18,20 are rejected under 35 U.S.C. 103 as being unpatentable over Richard et al (EP 3 617 917) in view of Joseph et al (CN 109792439) (see attached translation) and Official Notice. 
With respect to claims 1,8,15, Richard discloses a method of providing dynamic permissions (Abstract) for an enterprise authorization system (fig 1) comprising: establishing permissions rules for an authorization system 108 (fig 1) of an enterprise (fig 1); receiving permissions data 310 (fig 3), the permissions data describing actions performed by users with respect to the authentication (para [0081], “environment security alert levels may be based on system security logs, security event system logs, application logs, ransomware and cyberattack monitors, data protection activity (e.g., dramatic changes in deduplication ratios or unusual increases in backup traffic may indicate a ransomware attack), and others”); evaluating the permissions rules in view of the permissions data to produce a context-based permissions policy for the authorization system, the context-based permissions policy evaluating one or more conditions to determine whether to grant permissions to users of the enterprise with respect to the authorization system 704 (fig 7); and transmitting the context-based permissions policy to the enterprise, wherein the enterprise is adapted to implement the context-based permissions policy at the authorization system (Abstract; 308 (fig 3); 706 (fig 7)).
Richard discloses security alert levels may be based on application logs, security event system logs or data protection activity (para [0081]) (it would have been obvious that the logs or activity are created based on the user’s action). Richard does not explicitly disclose the one or more conditions including a time of access condition that is determined based at least on when the users perform the actions. Joseph discloses a security method using dynamic permissions (abstract) comprising: one or more conditions including a time of access condition that is determined based at least on when the users perform the actions (pages 11-12, “In some embodiments, after the user login account, Web proxy server (Web proxy) can continue to monitor and understand user activity and behavior, and triggering the abnormal (so that presents additional challenges to the user). For example, a user may attempt to transfer a large pen. This motion can trigger system presents additional challenges to the user. In some embodiments, the proxy server may provide another source of information (e.g., flow), and real-time feed and analyzing the collected data. when the user is accessing the protected application/non-application by the cloud proxy, the proxy server can determine the activity of the user, e.g., the user removing some website downloading information. proxy server can monitor user activity, and provides the collected data to blacklisting of the user information. In addition, the proxy server may provide historical information such that when the user visits new sites, granting access rights to the user may take into account historical information associated with the user”) (“proving historical information such that when the user visits new site” could be considered as the time (when) the user performs the action (visits the site)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Richard with the one or more conditions including a time of access condition that is determined based at least on when the users perform the actions (taught by Joseph) to provide possible security threat warning (taught by Joseph, page 2).
Richard does not explicitly disclose the enterprise. The Official Notice is taken that the claimed enterprise would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Richard to use with the known enterprise to provide security protection for the enterprise network.

With respect to claims 2,9,16, Richard discloses wherein the context-based permissions policy further evaluates one or more of the following conditions to determine whether to grant permissions to users of the enterprise: time of access; location of access (para [0064]); Internet Protocol (IP) address; or user login or logout state (para [0099]).

With respect to claims 3,10,17, refer to discussion in claim 1 above for implementing the dynamic permission. Richard further discloses the context describing an environment of the authorization (paras [0115] – [0117], “environment status”, “environmental monitors”, “environment security”) system. Richard does not explicitly disclose describing the system at a point in time. The Official Notice is taken that the claimed “describing the system at a point in time” limitation would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Richard by describing the system at a point in time to track the system at any desired times.

With respect to claims 4,11,18, refer to discussion in claim 3 above for the point in time. Further, Richard discloses interpreting the permissions rule based on the state information (paras [0008], [0009], “state analysis”) and programmatically determine the policy (para [0017], “machine-learning”).

With respect to claims 6,13,20, refer to discussion in claim 1 above for implementing the permission policy. Richard discloses a permission controller 110 (fig 2). Richard does not explicitly disclose a request for the policy. Since Richard discloses checking traditional static permissions 310 (fig 3), it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that Richard would have to request for the static permission.

With respect to claims 7,14, refer to claim 1 for evaluating the policy. Richard discloses updating the permission policy 706 (fig 7).

Claims 5,12,19 are rejected under 35 U.S.C. 103 as being unpatentable over Richard et al (EP 3 617 917) in view of Joseph et al (CN 109792439) (see attached translation) and Official Notice and SEIVER et al (2017/0078322).
With respect to claims 5, 12, 19, refer to discussion in claim 3 above for the evaluating and transmitting step. Richard does not disclose calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised; and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system. SEIVER discloses calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised (determining a metric, or compromise risk value (score representing a likelihood), of a user account, or network device, being compromised, the compromise likelihood identifies a probability of the network device, or user account, being compromised (data stored on the authorization system is compromised), e.g., by an attacker; para [0067]); and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system (using the metric (calculated risk score) and using account access rights (permissions rules) to update permissions that increase the value associated with the metric (dynamic permissions policy); para [0221], [0238]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Richard to include calculating a risk score, the risk score representing a likelihood that data stored on the authorization system is compromised; and based on the calculated risk score and the permissions rules, producing a dynamic permissions policy for the authorization system as disclosed by SEIVER, to gain the advantage of quantifying risks associated with the network and costs associated with a compromised level of access to assess privileges on the network (SEIVER; para [0006]).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TU T NGUYEN whose telephone number is (571)272-2424. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TU T NGUYEN/ Primary Examiner, Art Unit 2453
07/13/2022