Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 06/26/2020.
Claims 1-20 are under examination.
The Information Disclosure Statements filed on 06/26/2020 and 07/29/2021 have been entered and considered.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 10-11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Marcjan et al. (US 2005/0251675 A1) and Tulshibagwale (US 2016/0134638 A1).
Regarding claim 1, Marcjan et al. discloses An apparatus comprising: a processor; and a memory on which is stored machine-readable instructions that cause the processor to: identify a privilege level assigned to a principal over a resource [par. 0029, “By looking at these various data sources, the systems and methods of the present invention can, for example, determine not only what share space could be created and identify who should have access rights”]; determine whether the assigned privilege level is to be maintained or modified for the principal over the resource [par. 0029, “can also recommend which access rights (e.g., correspond to particular user(s)) should be modified (e.g., identify users that should be removed from an access list)”, claim 19, “the suggestion comprising any one of the following: restrict access rights; remove access rights; add access rights; split access rights; suspend access rights; and maintain access rights”]; 
Marcjan et al. does not explicitly disclose based on a determination that the assigned privilege level is to be maintained for the principal, determine whether access by the principal over the resource is to be limited; and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
However Tulshibagwale teaches based on a determination that the assigned privilege level is to be maintained for the principal, determine whether access by the principal over the resource is to be limited; and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource [abs, “A privilege level for the consumer is determined, where the privilege level is based at least in part on certain actions of the consumer taken with respect to content previously consumed by the consumer. Content portions can then be provided to the consumer based on the minimum privilege levels of the content portions and the privilege level of the consumer”, par. 0028, “a user with a first privilege level who accesses a website is permitted access to all basic content, such as text and certain images, but premium content is obfuscated (e.g., blurred, scrambled, etc.), blocked, hidden, or otherwise not shown”, par. 0030, maintain a particular privilege level].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Tulshibagwale into the teaching of Marcjan et al. with the motivation for associating portions of digital content with respective minimum privilege levels and providing access to the content portions to a consumer based on a privilege level associated with the consumer as taught by Tulshibagwale [Tulshibagwale: par. 0001].
Regarding claim 2, the rejection of claim 1 is incorporated.
Marcjan et al. further disclose determine a length of inactivity by the principal with the resource; and determine whether the assigned privilege level is to be maintained or modified for the principal based on the determined length of inactivity by the principal with the resource [par. 0008, “after monitoring activity of share space users over a designated period of time, it can be determined that a user has not accessed the share space or content during the prescribed time period. Consequently, the system or method can suggest to the owner of the shared content that any corresponding access rights should be disassociated or taken away from the idle user”].
Regarding claim 3, the rejection of claim 2 is incorporated.
Marcjan et al. further disclose determine a feature of the principal and/or the resource; and determine whether the assigned privilege level is to be maintained or modified for the principal also based on the determined feature of the principal and/or the resource [par. 0006, “Access determinations can be based in part on cross-referencing various data sources related to the particular resources. Examples of such data sources include but are not limited to changes in various access and distribution lists, changes in user behavior (with respect to shared content), changes in user-granted access rights, and/or organizational structure changes (e.g., in a corporate or business environment)”].
Regarding claim 10, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 11, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Marcjan et al. further disclose based on the determined length of inactivity by the entity exceeding a predefined threshold and the determined feature of the entity and/or the resource, determine that the privilege level assigned to the entity over the resource is to be maintained [par. 0019 “maintain access right”, claim 20, the access rights are maintained when user indicates a period of temporary inactivity].

Claims 4-7, 12-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Marcjan et al. (US 2005/0251675 A1) and Tulshibagwale (US 2016/0134638 A1) as applied to claims 1-3, 10-11 and 17 above, and further in view of Gopalakrishnan et al. (US 2018/0102952 A1).
Regarding claim 4, the rejection of claim 3 is incorporated.
Marcjan et al. discloses determine whether to modify the privilege level assigned to the principal over the resource based on the determined length of inactivity [par. 0053].
They do not explicitly disclose determine a modification score based on the determined length of inactivity and the determined feature of the principal and/or the resource; determine whether the modification score exceeds a predefined modification threshold; and based on a determination that the modification score exceeds the predefined modification threshold, modify the privilege level assigned to the principal over the resource.
However Gopalakrishnan et al. teaches determine a modification score based on the determined length of inactivity and the determined feature of the principal and/or the resource [par. 0032, “the metadata may include an access level of the user, a language of the report accessed, a timestamp of the access, and duration of the access”, par. 0034, “if twenty reports are created providing the same data in different languages and seven of those reports were not accessed, the access data analyzer may identify those seven reports that were not accessed since the reports were generated. In some embodiments, the report may be determined to be inactive if the report has been accessed a number of times below a predetermined threshold within the period of time”]; determine whether the modification score exceeds a predefined modification threshold; and based on a determination that the modification score exceeds the predefined modification threshold, modify the privilege level assigned to the principal over the resource [par. 0035, “the access data analyzer compares access profile data for each user permitted to access a report to a predetermined user threshold to identify inactive users. Based on the comparison, the access data analyzer may identify users that have not accessed the report in a predetermined period of time. The access data analyzer may be configured to automatically revoke a user's access to the report if the user is identified as inactive. The access data analyzer may be configured to send instructions to the host computing device to update access rules stored in the host computing device to prevent inactive users from accessing the report. More specifically, the access rules are updated to remove the inactive users' permission to view, edit, or otherwise retrieve the report”, par. 0084].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gopalakrishnan et al. into the teaching of Marcjan et al. and Tulshibagwale with the motivation to update access rules stored in the host computing device to prevent inactive users from accessing the report. More specifically, the access rules are updated to remove the inactive users' permission to view, edit, or otherwise retrieve the report as taught by Gopalakrishnan et al. [Gopalakrishnan et al.: par. 0035].
Regarding claim 5, the rejection of claim 1 is incorporated.
Marcjan et al. discloses determine whether to modify the privilege level assigned to the principal over the resource based on the determined length of inactivity [par. 0053].
They do not explicitly disclose determine an access frequency of the principal to the resource over a predetermined time period; and determine whether access by the principal to the resource is to be limited based on the determined access frequency of the principal to the resource over the predetermined time period.
However Gopalakrishnan et al. teaches determine an access frequency of the principal to the resource over a predetermined time period; and determine whether access by the principal to the resource is to be limited based on the determined access frequency of the principal to the resource over the predetermined time period [par. 0032, “the metadata may include an access level of the user, a language of the report accessed, a timestamp of the access, and duration of the access”, par. 0034, “if twenty reports are created providing the same data in different languages and seven of those reports were not accessed, the access data analyzer may identify those seven reports that were not accessed since the reports were generated. In some embodiments, the report may be determined to be inactive if the report has been accessed a number of times below a predetermined threshold within the period of time” ].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gopalakrishnan et al. into the teaching of Marcjan et al. and Tulshibagwale with the motivation to update access rules stored in the host computing device to prevent inactive users from accessing the report. More specifically, the access rules are updated to remove the inactive users' permission to view, edit, or otherwise retrieve the report as taught by Gopalakrishnan et al. [Gopalakrishnan et al.: par. 0035].
Regarding claim 6, the rejection of claim 5 is incorporated.
Marcjan et al. further disclose determine a feature of the principal and/or the resource; and determine whether the assigned privilege level is to be maintained or modified for the principal also based on the determined feature of the principal and/or the resource [par. 0006, “Access determinations can be based in part on cross-referencing various data sources related to the particular resources. Examples of such data sources include but are not limited to changes in various access and distribution lists, changes in user behavior (with respect to shared content), changes in user-granted access rights, and/or organizational structure changes (e.g., in a corporate or business environment)”].
Regarding claim 7, the rejection of claim 6 is incorporated.
Tulshibagwale teaches based on a determination that the assigned privilege level is to be maintained for the principal, determine whether access by the principal over the resource is to be limited; and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource [abs, par. 0028, par. 0030].
Gopalakrishnan et al. further teaches determine an access limiting score based on the determined access frequency of the principal to the resource over the predetermined time period and the determined feature of the principal and/or the resource; determine whether the access limiting score exceeds a predefined access threshold; and based on a determination that the access limiting score exceeds the predefined access threshold, apply the limited access by the principal over the resource [par. 0032, “the metadata may include an access level of the user, a language of the report accessed, a timestamp of the access, and duration of the access”, par. 0034, “if twenty reports are created providing the same data in different languages and seven of those reports were not accessed, the access data analyzer may identify those seven reports that were not accessed since the reports were generated. In some embodiments, the report may be determined to be inactive if the report has been accessed a number of times below a predetermined threshold within the period of time”, par. 0035, “the access data analyzer compares access profile data for each user permitted to access a report to a predetermined user threshold to identify inactive users. Based on the comparison, the access data analyzer may identify users that have not accessed the report in a predetermined period of time. The access data analyzer may be configured to automatically revoke a user's access to the report if the user is identified as inactive. The access data analyzer may be configured to send instructions to the host computing device to update access rules stored in the host computing device to prevent inactive users from accessing the report. More specifically, the access rules are updated to remove the inactive users' permission to view, edit, or otherwise retrieve the report”, par. 0084].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gopalakrishnan et al. into the teaching of Marcjan et al. and Tulshibagwale with the motivation to update access rules stored in the host computing device to prevent inactive users from accessing the report. More specifically, the access rules are updated to remove the inactive users' permission to view, edit, or otherwise retrieve the report as taught by Gopalakrishnan et al. [Gopalakrishnan et al.: par. 0035].
Regarding claim 12, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claims 8-9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Marcjan et al. (US 2005/0251675 A1) and Tulshibagwale (US 2016/0134638 A1) as applied to claims 1-3, 10-11 and 17 above, and further in view of Albero et al. (US 20210092124 A1).
Regarding claim 8, the rejection of claim 1 is incorporated.
Marcjan et al. and Tulshibagwale disclose determine whether the assigned privilege level is to be maintained or modified for the principal over the resource.
They do not explicitly disclose generate a predictive model using a training set of data that includes features pertaining to principals and resources and outputs corresponding to multiple combinations of the features; input data pertaining to the principal and/or the resource into the predictive model; and apply the predictive model on the input data to predict an output for the principal, wherein the output identifies whether the assigned privilege level is to be maintained or modified for the principal and whether access by the principal to the resource is to be limited.
However Albero et al. teaches generate a predictive model using a training set of data that includes features pertaining to principals and resources and outputs corresponding to multiple combinations of the features; input data pertaining to the principal and/or the resource into the predictive model [par. 0046, “Generally, real-time dynamic control computing platform 110 may monitor a hundred thousand instances of activities, with millions of network activity data points. For example, every time an enterprise user is on the network, badging in to a building, logging in to a computing device, printing a document, accessing a web resource, sending and/or receiving an electronic communication, and so forth, such data may be incorporated into one or more statistical models, and the models may be analyzed based on a business role, a geographic region, a group of users, and so forth, to determine central tendencies for an enterprise organization, a business role, a user role, and so forth. Accordingly, deviations may be determined from such central tendencies to detect a plurality of anomalies”]; and apply the predictive model on the input data to predict an output for the principal, wherein the output identifies whether the assigned privilege level is to be maintained or modified for the principal and whether access by the principal to the resource is to be limited [par. 0076, “real-time dynamic control computing platform 110 may apply the machine learning model to adjust additional access controls associated with the enterprise user. For example, the machine learning model may learn that it is typical for an enterprise user to attach a document in an electronic communication after the enterprise user visits a web resource. Accordingly, real-time dynamic control computing platform 110 may apply the machine learning model to detect user activity with the web resource, and dynamically adjust an attachment size for the electronic communication”, par. 0077].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Albero et al. into the teaching of Marcjan et al. and Tulshibagwale with the motivation of real-time management of access controls as taught by Albero et al. [Albero et al.: abs.].
Regarding claim 9, the rejection of claim 8 is incorporated.
Albero et al. further teaches the data pertaining to the principal and/or the resource comprises usage history of the resource by the principal, a type of the principal, an importance of the principal, an importance of the resource, a type of the resource, and/or a health of the resource [par. 0046, “the models may be analyzed based on a business role, a geographic region, a group of users, and so forth, to determine central tendencies for an enterprise organization, a business role, a user role, and so forth. Accordingly, deviations may be determined from such central tendencies to detect a plurality of anomalies”, par. 0050, “the central tendency may be based on data for a history of interactions of the enterprise user with the network device. For example, real-time dynamic control computing platform 110 may retrieve data about user interactions with a network device”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Albero et al. into the teaching of Marcjan et al. and Tulshibagwale with the motivation of real-time management of access controls as taught by Albero et al. [Albero et al.: abs.].
Regarding claim 16, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.

 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 11392707 B2		Systems And Methods For Mediating Permissions
US 10944758 B1		Computer Resource Vulnerability Assessment And Remediation
US 10116679 B1		Privilege Inference And Monitoring Based On Network Behavior
US 20170293581 A1		INDICATING A PRIVILEGE LEVEL
US 20110307831 A1		User-Controlled Application Access To Resources
US 20050097595 A1		Method And System For Controlling Access To Content
US 20200412726 A1		SECURITY MONITORING PLATFORM FOR MANAGING ACCESS RIGHTS ASSOCIATED WITH CLOUD APPLICATIONS
US 20130086581 A1		PRIVILEGE LEVEL AWARE PROCESSOR HARDWARE RESOURCE MANAGEMENT FACILITY


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JASON CHIANG/Primary Examiner, Art Unit 2431