Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a reply to the application filed on 12/11/2020, in which claims 1-20 are pending. Claims 1, 5 and 13 are independent.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers have been placed of record in the file.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 05/07/2021 and 03/08/2022 have been reviewed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statements.

Examiner’s Note
Claim 1 recites “system comprising: an access control analyzer comprising … instructions that, when executed, cause the one or more processors to” and has been analyzed under 35 U.S.C. 101. No 35 U.S.C. 101 rejection is deemed necessary, since the processor is interpreted as a hardware processor in order to “execute” instructions. Therefore, the examiner has viewed the system as meeting the 35 U.S.C. 101 eligibility requirements.

Drawings
The drawings filed on 12/11/2020 are accepted by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (US 2018/0247073 A1, cited by applicant in the 03/08/2022 IDS) in view of Wuest et al. (US 2020/0336489 A1).
Regarding Claim 1, Kreutzer discloses a system, comprising:
an access control analyzer comprising one or more processors and one or more memories to store computer-executable instructions (Abstract, “Controlling access to nodes”, [0061], “processing unit 402 and a system memory”) that, when executed, cause the one or more processors to: 
determine a first node in a graph, wherein the first node corresponds to a first role in a provider network hosting a plurality of services and resources, wherein the first role is associated with a first access control policy, and wherein the first access control policy grants or denies access to a first one of the services and resources ([0017], “a relational graph with nodes describing entities and a set of accompanying properties of those entities”, [0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a group security context of “Information Technology Professionals” may have a first security node”, “the names or descriptions of the policies”); 
determine a second node in the graph, wherein the second node corresponds to a second role in the provider network, wherein the second role is associated with a second access control policy, and wherein the second access control policy grants or denies access to a second one of the services and resources ([0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a machine security context of “devices running Operating system X” may have a second security node”);  
perform a role reachability analysis that determines a role for a particular state of one or more key-value tags ([0024], “For each access-controlled node, the numeric representations of the security nodes are included in a listed set of access key/value (tag) pairs in a permit list and a deny list, respectively listing the security contexts that permit and deny access to the associated entity of the node”, [0022], “users may belong to one of several security groups based on their roles in an organization”), 
Kreutzer does not explicitly teach but Wuest teaches
perform analysis that determines whether the first role can assume the second role, wherein the one or more role assumption steps provide temporary access during a role session ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”, [0080], “user Bob in Account A assuming Role Developer in Account B” therefore providing temporary access during the role session);
wherein the analysis determines a third access control policy authorizing a complement of a role assumption request for the second role ([0080], “if user “Bob” 1500 in Account A 1502 assumes Role 1504 in Account B 1506”, see Fig. 15), wherein the analysis determines whether the first role can assume the second role based at least in part on an analysis of the third access control policy with respect to a role assumption policy for the second role ([0080], “(user Bob in Account A assuming Role Developer in Account B), the identity chain represented is then “User Bob, Role Developer.””), and wherein the role assumption request is not authorized if the third access control policy does not include the role assumption policy for the second role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”),
based at least in part on the analysis, grant or deny access to the second one of the services and resources to a principal in the first role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”).
Kreutzer and Wuest are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wuest with the disclosure of Kreutzer. The motivation/suggestion would have been to achieve improved data security and reduced risk (Wuest, [0070]).

Regarding Claims 2, 7 and 15, the combined teaching of Kreutzer and Wuest teaches
wherein the role assumption policy for the second role is extended to include one or more statements denying requests that fail to satisfy one or more conditions of the role assumption policy for the second role (Wuest, [0066], “The PolicyEntry 804 has a PermissionList 806 that allows or denies individual Permissions”, [0075], “assigned through granting access to a role… denied through conditions (i.e. statements) that exist on any of the above policies”).

Regarding Claim 3, the combined teaching of Kreutzer and Wuest teaches
wherein one or more conditions of the role assumption policy for the second role comprise one or more wildcards for the one or more key-value tags (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”). 

Regarding Claim 4, the combined teaching of Kreutzer and Wuest teaches
wherein the role reachability analysis selects one or more representative values for the one or more key-value tags from a range of potential values for the one or more key-value tags, wherein the range of potential values is determined based at least in part on the one or more wildcards, and wherein the particular state of the one or more key-value tags is determined based at least in part on the one or more representative values for the one or more key-value tags (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”).

Regarding Claim 5, Kreutzer discloses a method, comprising:
determining, by an access control analyzer, a first node in a graph, wherein the first node corresponds to a first role in a provider network hosting a plurality of resources, wherein the first role is associated with a first access control policy, and wherein the first access control policy grants or denies access to a first one or more of the resources ([0017], “a relational graph with nodes describing entities and a set of accompanying properties of those entities”, [0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a group security context of “Information Technology Professionals” may have a first security node”, “the names or descriptions of the policies”); 
determining, by the access control analyzer, a second node in the graph, wherein the second node corresponds to a second role in the provider network, wherein the second role is associated with a second access control policy, and wherein the second access control policy grants or denies access to a second one or more of the resources ([0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a machine security context of “devices running Operating system X” may have a second security node”); and 
performing, by the access control analyzer, a role reachability analysis that determines a role for a particular state of one or more attributes ([0024], “For each access-controlled node, the numeric representations of the security nodes are included in a listed set of access key/value pairs (as particular state of one or more attributes) in a permit list and a deny list, respectively listing the security contexts that permit and deny access to the associated entity of the node”, [0022], “users may belong to one of several security groups based on their roles in an organization”),   
Kreutzer does not explicitly teach but Wuest teaches
performing analysis that determines whether the first role can assume the second role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”, [0080], “user Bob in Account A assuming Role Developer in Account B”), the analysis comprising:  
determining a third access control policy authorizing a negation of a role assumption request for the second role ([0080], “(user Bob in Account A assuming Role Developer in Account B), the identity chain represented is then “User Bob, Role Developer.””); and 
determining whether the first role can assume the second role based at least in part on analysis of the third access control policy with respect to a role assumption policy for the second role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”, [0080], “(user Bob in Account A assuming Role Developer in Account B), the identity chain represented is then “User Bob, Role Developer.””).
Kreutzer and Wuest are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wuest with the disclosure of Kreutzer. The motivation/suggestion would have been to achieve improved data security and reduced risk (Wuest, [0070]).

Regarding Claim 6, the combined teaching of Kreutzer and Wuest teaches 
based at least in part on the role reachability analysis, granting or denying access to the second one or more of the resources to a principal in the first role (Wuest, [0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”).

Regarding Claim 8, the combined teaching of Kreutzer and Wuest teaches
wherein the role assumption request is not authorized if the third access control policy does not comprise the role assumption policy for the second role for the particular state of the one or more attributes (Wuest, [0066], “The PolicyEntry 804 has a PermissionList 806 that allows or denies individual Permissions”, [0075], “assigned through granting access to a role… denied through conditions (i.e. statements) that exist on any of the above policies”, Kreutzer, [0024], “For each access-controlled node, the numeric representations of the security nodes are included in a listed set of access key/value pairs in a permit list and a deny list, respectively listing the security contexts that permit and deny access to the associated entity of the node”).

Regarding Claim 9, the combined teaching of Kreutzer and Wuest teaches
wherein the role reachability analysis calls a policy comparison service that determines an equivalence result for the third access control policy and the role assumption policy for the second role for the particular state of the one or more attributes (Kreutzer, [0039], “one or more of a device identifier, a software version identifier, a remote desktop indicator, or the like are included as security context data to compare against machine security contexts”, “a username for the subject or one or more user group to which the subject belongs are included as security context data to compare against machine security contexts or for the access control system 140 to lookup additional security context data for the subject”).

Regarding Claim 10, the combined teaching of Kreutzer and Wuest teaches
wherein one or more conditions of the role assumption policy for the second role comprise one or more wildcards for the one or more attributes (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”). 

Regarding Claim 11, the combined teaching of Kreutzer and Wuest teaches
wherein performing the role reachability analysis further comprises: selecting one or more representative values for the one or more attributes from a range of potential values for the one or more attributes, wherein the range of potential values is determined based at least in part on the one or more wildcards, and wherein the particular state of the one or more attributes is determined based at least in part on the one or more representative values for the one or more attributes (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”).

Regarding Claims 12 and 20, the combined teaching of Kreutzer and Wuest teaches
based at least in part on determining that the first role can assume the second role, generating a notification of a security finding regarding an access control policy configuration (Wuest, [0035], “security alerts (e.g., over-privileged users with access to PII, failed privilege escalation attempts, audit functions disabled by user, unusual data movement, separation of duties violations, data movement to public network, shared credential violations, etc.)”).

Regarding Claim 13, Kreutzer discloses a method, comprising:
determining, by an access control analyzer, a first node in a graph, wherein the first node corresponds to a first role in a provider network hosting a plurality of services or resources, wherein the first role is associated with a first access control policy, and wherein the first access control policy grants or denies access to a first one or more of the services or resources ([0017], “a relational graph with nodes describing entities and a set of accompanying properties of those entities”, [0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a group security context of “Information Technology Professionals” may have a first security node”, “the names or descriptions of the policies”); 
determining, by the access control analyzer, a second node in the graph, wherein the second node corresponds to a second role in the provider network, wherein the second role is associated with a second access control policy, and wherein the second access control policy grants or denies access to a second one or more of the services or resources ([0022], “One or more access control lists are maintained in the nodes specifying which security contexts allow access to the associated entity or property, and which security contexts deny access to the associated entity”, “users may belong to one of several security groups based on their roles in an organization”, [0023], “a machine security context of “devices running Operating system X” may have a second security node”); and 
performing, by the access control analyzer, a role reachability analysis that determines a role for a particular state of one or more tags ([0024], “For each access-controlled node, the numeric representations of the security nodes are included in a listed set of access key/value pairs (as particular state of one or more tags) in a permit list and a deny list, respectively listing the security contexts that permit and deny access to the associated entity of the node”, [0022], “users may belong to one of several security groups based on their roles in an organization”),   
Kreutzer does not explicitly teach but Wuest teaches
performing analysis that determines whether the first role can assume the second role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”, [0080], “user Bob in Account A assuming Role Developer in Account B”), the analysis comprising:  
determining a third access control policy authorizing a complement of a role assumption request for the second role ([0080], “(user Bob in Account A assuming Role Developer in Account B), the identity chain represented is then “User Bob, Role Developer.””); and 
determining whether the first role can assume the second role based at least in part on analysis of the third access control policy with respect to a role assumption policy for the second role ([0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”, [0080], “(user Bob in Account A assuming Role Developer in Account B), the identity chain represented is then “User Bob, Role Developer.””).
Kreutzer and Wuest are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wuest with the disclosure of Kreutzer. The motivation/suggestion would have been to achieve improved data security and reduced risk (Wuest, [0070]).

Regarding Claim 14, the combined teaching of Kreutzer and Wuest teaches 
based at least in part on the role reachability analysis, granting or denying access to the second one or more of the services or resources to a user in the first role (Wuest, [0075], “granting access to a role in a same account, another account or even another cloud, overridden through policies at a group and/or account level, denied through conditions that exist on any of the above policies”).

Regarding Claim 16, the combined teaching of Kreutzer and Wuest teaches
wherein the role assumption request is not authorized if the third access control policy does not comprise the role assumption policy for the second role for the particular state of the one or more tags (Wuest, [0066], “The PolicyEntry 804 has a PermissionList 806 that allows or denies individual Permissions”, [0075], “assigned through granting access to a role… denied through conditions (i.e. statements) that exist on any of the above policies”, Kreutzer, [0024], “For each access-controlled node, the numeric representations of the security nodes are included in a listed set of access key/value (tag) pairs in a permit list and a deny list, respectively listing the security contexts that permit and deny access to the associated entity of the node”).

Regarding Claim 17, the combined teaching of Kreutzer and Wuest teaches
wherein the role reachability analysis calls a policy comparison service that determines an equivalence result for the third access control policy and the role assumption policy for the second role for the particular state of the one or more tags (Kreutzer, [0039], “one or more of a device identifier, a software version identifier, a remote desktop indicator, or the like are included as security context data to compare against machine security contexts”, “a username for the subject or one or more user group to which the subject belongs are included as security context data to compare against machine security contexts or for the access control system 140 to lookup additional security context data for the subject”).

Regarding Claim 18, the combined teaching of Kreutzer and Wuest teaches
wherein one or more conditions of the role assumption policy for the second role comprise one or more wildcards for the one or more tags (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”). 

Regarding Claim 19, the combined teaching of Kreutzer and Wuest teaches
selecting one or more representative values for the one or more tags from a range of potential values for the one or more tags, wherein the range of potential values is determined based at least in part on the one or more wildcards, and wherein the particular state of the one or more tags is determined based at least in part on the one or more representative values for the one or more tags (Kreutzer, [0017], “Each property can be considered a key/value pair—a name of the properties and its value. In other examples, entities represented as nodes that include documents, meetings, communication, etc., as well as edges representing relations among these entities, such as an edge between a person node and a document node representing that person's authorship, modification, or view of the document”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497