Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 06/30/2020.
Claims 1-20 are under examination.
The Information Disclosure Statements filed on 06/30/2020 have been entered and considered.


Claim Objections
Claim 6 is objected to because of the following informalities: Claim 6 recites the abbreviation “UIs” without indicating what it stands for. Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-8, 11-12, 14-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2020/0403996 A1) and Hecht et al. (US 10,148,701 B1).
Regarding claim 1, Parimi et al. discloses a computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions [fig. 8, pars. 0079-0080] that, when executed by the at least one processor, cause the computing platform to: acquire, via the communication interface, access permission data, wherein the access permission data is aggregated from a plurality of data sources [fig. 4, par. 0047, fig. 6, par. 0076, “The security server 130 receives 605 permissions data describing permissions of users of an enterprise with respect to resources on one or more authorization systems 110… the permissions data includes user identities and resources of the authorization systems, as well as logs describing actions performed or attempted by users of the enterprise with respect to resources of the authorization systems”, par. 0037]; identify user-specific entitlements based on the normalized permission data [par. 0078, “The permissions data describes permissions for users of an enterprise on the infrastructure. For example, the permissions data includes user identities, actions, and resources of the infrastructure 114”, par. 0035]; classify user roles for a plurality of enterprise users, wherein classifying the user roles for the plurality of enterprise users produces user role classification data [par. 0021, “the enterprise directory 112 stores data for each user of the enterprise including one or more user identities, one or more user roles, a name of the user, and other data identifying the user of the enterprise”]; tag the [[normalized]] permission data based on the user role classification data [par. 0049, “permission=action+identity+resource”]; based on tagging the [[normalized]] permission data, identify at least one enterprise user of the plurality of enterprise users having one or more toxic access permissions [par. 0053, “the permissions analysis module 410 analyzes the permissions graph to identify permissions granted to particular users that are never or rarely used by the users”]; in response to identifying the at least one enterprise user of the plurality of enterprise users having the one or more toxic access permissions, trigger an access review process for the at least one enterprise user of the plurality of enterprise users having the one or more toxic access permissions; based on triggering the access review process for the at least one enterprise user of the plurality of enterprise users having the one or more toxic access permissions, revoke one or more incompatible access permissions, wherein revoking the one or more incompatible access permissions produces updated access permission data [pars. 0055-0056, “The permissions interface module 415 generates user interfaces allowing administrators of enterprise systems 120 to view, organize, and change data describing permissions enforced on one or more authorization systems 110”, “the generated interface allows an administrator to navigate, organize, and edit permissions data. For example, the permissions interface module 415 generates an interface that allows the administrator of the enterprise system 120 to view and manipulate the permissions graph. Through these views, the administrator can view all user identifiers associated with a given permission, all permissions associated with a user identifier, permissions used in a specified time period (e.g., all permissions used in the last day, all permissions used in the last week). In another example, the permissions interface module 415 generates an interface that allows the administrator of the enterprise system 120 to view all actions of a certain type (e.g., all deletions performed). The administrator can use the views provided by the permissions interface module 415 to edit permissions policies and thereby grant and revoke permissions for users”]; and transmit, via the communication interface, to a system of record, the updated access permission data, wherein transmitting the updated access permission data to the system of record causes the system of record to store the updated access permission data [[in a database]] and limit access to enterprise resources based on the updated access permission data [par. 0057, “The multi-tenant store 420 receives and stores data describing the identities, actions, resources, permissions, and activities. As mentioned above, permissions describe policies applicable in given contexts, such as permissions applicable within specific time windows and/or in response to certain sequences of events”, par. 0023, “the sentry 118 receives updated permissions from the enterprise system 120 and stores the updated permissions for use by the infrastructure 114”].
Parimi et al. does not explicitly disclose convert the access permission data into a normalized format, wherein converting the access permission data into the normalized format produces normalized permission data; store the updated access permission data in a database.
However, Hecht et al. teaches convert the access permission data into a normalized format, wherein converting the access permission data into the normalized format produces normalized permission data [col. 11, lines 52-55, “the system 130 may normalize and aggregate permissions information for the identities associated with an entity to populate the entity permissions matrix 400”]; store the updated access permission data in a database [col. 8, lines 23-27, “The databases or other files may include, for example, records of permission policy modifications, identity activity in the network environment 110, or records of a privilege management user's changes to the privilege management system”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hecht et al. into the teaching of Parimi et al. with the motivation to construct and display a permissions matrix to enable visualization of the privilege profile for an identity as taught by Hecht et al. [Hecht et al.: col. 10, lines 60-64].
Regarding claim 6, the rejection of claim 1 is incorporated.
Parimi et al. further discloses triggering the access review process comprises sending one or more UIs to an enterprise security system [pars. 0055-0056, “The permissions interface module 415 generates user interfaces allowing administrators of enterprise systems 120 to view, organize, and change data describing permissions enforced on one or more authorization systems 110”].
Regarding claim 7, the rejection of claim 1 is incorporated.
Parimi et al. further discloses generate a graphical representation of the [[normalized]] permission data; and send, via the communication interface, to an enterprise security system, the graphical representation of the normalized permission data, wherein sending the graphical representation of the [[normalized]] permission data to the enterprise security system causes the enterprise security system to display the graphical representation of the [[normalized]] permission data.  [pars. 0055-0056, “The permissions interface module 415 generates user interfaces allowing administrators of enterprise systems 120 to view, organize, and change data describing permissions enforced on one or more authorization systems 110”, “the generated interface allows an administrator to navigate, organize, and edit permissions data. For example, the permissions interface module 415 generates an interface that allows the administrator of the enterprise system 120 to view and manipulate the permissions graph. Through these views, the administrator can view all user identifiers associated with a given permission, all permissions associated with a user identifier, permissions used in a specified time period (e.g., all permissions used in the last day, all permissions used in the last week). In another example, the permissions interface module 415 generates an interface that allows the administrator of the enterprise system 120 to view all actions of a certain type (e.g., all deletions performed). The administrator can use the views provided by the permissions interface module 415 to edit permissions policies and thereby grant and revoke permissions for users”].
Hecht et al. teaches convert the access permission data into a normalized format, wherein converting the access permission data into the normalized format produces normalized permission data [col. 11, lines 52-55, “the system 130 may normalize and aggregate permissions information for the identities associated with an entity to populate the entity permissions matrix 400”]; store the updated access permission data in a database [col. 8, lines 23-27, “The databases or other files may include, for example, records of permission policy modifications, identity activity in the network environment 110, or records of a privilege management user's changes to the privilege management system”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hecht et al. into the teaching of Parimi et al. with the motivation to construct and display a permissions matrix to enable visualization of the privilege profile for an identity as taught by Hecht et al. [Hecht et al.: col. 10, lines 60-64].
Regarding claim 8, the rejection of claim 1 is incorporated.
Parimi et al. further discloses generate a graphical representation of the updated access permission data; and send, via the communication interface, to an enterprise security system, the graphical representation of the updated access permission data, wherein sending the graphical representation of the updated access permission data to the enterprise security system causes the enterprise security system to display the graphical representation of the updated access permission data [par. 0030, “The security server 130 analyzes the permissions data and provides an interface with which an administrator of the enterprise can view and change the permissions. For example, the security server 130 may provide a cloud-based service including a secure portal accessible to the administrator”, par. 0032, “An enterprise administrator can view the current permissions policies for multiple authorization systems 110…”, par. 0056, “the permissions interface module 415 generates an interface that allows the administrator of the enterprise system 120 to view and manipulate the permissions graph”].
Regarding claim 11, the rejection of claim 1 is incorporated.
Parimi et al. further discloses monitor identification of enterprise users having one or more toxic access permissions; generate a notification indicating a presence of the toxic access permissions amongst the enterprise users; and send, via the communication interface, to an enterprise security system, the notification indicating the presence of the toxic access permissions amongst the enterprise users [par. 0053, “the permissions analysis module 410 analyzes the permissions graph to identify permissions granted to particular users that are never or rarely used by the users. For this analysis, the permissions analysis module 410 identifies the nodes associated with a particular user and traverse the graph to determine the set of permissions available to the user. The permissions analysis module 410 also accesses permissions data associated with the identity to determine which actions the identity performed on which resources. The permissions analysis module 410 compares the user permissions with the activities performed by the user to identify permissions that the user never or rarely used, where “rarely” means used less than a threshold number of times within a time period”, par. 0055, “the permissions interface module 415 displays data generated by the permissions analysis module 410 in conjunction with the permissions data received by the permissions data receipt module 405. An administrator of an enterprise can view the user interfaces by accessing the portal provided by security server 130 using the enterprise system 120 or another device, such as a client computer system”].
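The pipeline the claim 1 and claim 11 rejections map onto the prior art (aggregate grants from several authorization systems, normalize them into identity+action+resource triples, compare granted permissions against an activity log, flag permissions used fewer than a threshold number of times in a time window, and emit the updated permission set that would go to a system of record) can be shown end to end in a small model. The following is an added illustration written for this page; it is not code from the office action, from the applicant, or from any of the cited references. The two source-record shapes, the identity map, the activity log, the 90-day window and the threshold of two uses are all constructed assumptions.

```python
"""Model of normalize -> compare with activity -> flag rarely-used -> revoke.

Added example for this page; not code from the office action or any cited
reference. All sample data below is constructed.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta
from typing import Callable, NamedTuple


class Permission(NamedTuple):
    """Normalized permission record: identity + action + resource."""
    identity: str
    action: str
    resource: str


# Constructed identity map: links each per-system identity to one enterprise user.
IDENTITY_MAP = {"alice@example.com": "alice", "ALICE": "alice",
                "bob@example.com": "bob", "BOB": "bob"}
# Constructed grants from a cloud-style source: one principal, several actions, one resource.
CLOUD_POLICIES = [
    {"principal": "alice@example.com",
     "actions": ["S3:GetObject", "S3:DeleteObject"], "resource": "bucket/finance"},
    {"principal": "bob@example.com",
     "actions": ["S3:GetObject"], "resource": "bucket/finance"},
]
# Constructed grants from a database-style source: (login, privilege, table).
DB_GRANTS = [("ALICE", "SELECT", "payroll"),
             ("ALICE", "DROP", "payroll"),
             ("BOB", "SELECT", "payroll")]
# Constructed activity log: (timestamp, source system, per-system identity, action, resource).
NOW = datetime(2021, 3, 1)
ACTIVITY = [
    (NOW - timedelta(days=1), "cloud", "alice@example.com", "S3:GetObject", "bucket/finance"),
    (NOW - timedelta(days=3), "cloud", "alice@example.com", "S3:GetObject", "bucket/finance"),
    (NOW - timedelta(days=2), "db", "ALICE", "SELECT", "payroll"),
    (NOW - timedelta(days=5), "db", "ALICE", "SELECT", "payroll"),
    (NOW - timedelta(days=120), "db", "ALICE", "DROP", "payroll"),  # outside a 90-day window
    (NOW - timedelta(days=4), "cloud", "bob@example.com", "S3:GetObject", "bucket/finance"),
    (NOW - timedelta(days=6), "cloud", "bob@example.com", "S3:GetObject", "bucket/finance"),
    (NOW - timedelta(days=10), "db", "BOB", "SELECT", "payroll"),
]


def norm_cloud(who: str, action: str, resource: str, idmap: dict) -> Permission:
    """Cloud records: case-fold the action name, keep the resource path as-is."""
    return Permission(idmap[who], action.lower(), resource)


def norm_db(who: str, privilege: str, table: str, idmap: dict) -> Permission:
    """Database records: prefix privilege and table so they cannot collide with
    cloud action or resource names once everything sits in one set."""
    return Permission(idmap[who], f"db:{privilege.lower()}", f"db/{table}")


NORMALIZERS: dict[str, Callable[..., Permission]] = {"cloud": norm_cloud, "db": norm_db}


def normalize_grants(cloud_policies, db_grants, idmap) -> set[Permission]:
    """Aggregate grants from both sources into one set of normalized triples."""
    perms: set[Permission] = set()
    for pol in cloud_policies:
        for action in pol["actions"]:
            perms.add(norm_cloud(pol["principal"], action, pol["resource"], idmap))
    for who, privilege, table in db_grants:
        perms.add(norm_db(who, privilege, table, idmap))
    return perms


def count_usage(activity, idmap, now: datetime, window_days: int) -> Counter:
    """Count, per normalized permission, how often it was exercised in the window.
    Events are normalized with the same per-source rules as the grants."""
    start = now - timedelta(days=window_days)
    counts: Counter = Counter()
    for ts, source, who, action, resource in activity:
        if ts >= start:
            counts[NORMALIZERS[source](who, action, resource, idmap)] += 1
    return counts


def find_rarely_used(perms, counts, threshold: int) -> set[Permission]:
    """A granted permission is 'rarely used' when exercised fewer than
    `threshold` times in the window; a never-used one counts as zero."""
    return {p for p in perms if counts[p] < threshold}


def run_review(now: datetime = NOW, window_days: int = 90, threshold: int = 2) -> dict:
    """Full pass: normalize, compare with activity, flag, and compute the
    updated permission set that would be sent to the system of record."""
    perms = normalize_grants(CLOUD_POLICIES, DB_GRANTS, IDENTITY_MAP)
    counts = count_usage(ACTIVITY, IDENTITY_MAP, now, window_days)
    flagged = find_rarely_used(perms, counts, threshold)
    return {"granted": perms, "flagged": flagged,
            "users_for_review": {p.identity for p in flagged},
            "updated": perms - flagged}


if __name__ == "__main__":
    result = run_review()
    for p in sorted(result["flagged"]):
        print("flag for access review:", p)
    print("users needing review:", sorted(result["users_for_review"]))
```

The interesting knobs are the window and the threshold: with the constructed data, a 90-day window and a threshold of two flags the never-exercised delete and drop grants plus one grant used only once, while widening the window to a year makes the old `DROP` use count and drops that grant from the list. In a real deployment the revocation step would be an administrator-approved action against each authorization system, not a set difference.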
Regarding claim 12, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 11. The reason for the rejection of claim 11 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 11. The reason for the rejection of claim 11 is incorporated herein.

Claims 2-3, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2020/0403996 A1) and Hecht et al. (US 10,148,701 B1) as applied to claims 1, 6-8, 11-12, 14-17 and 19-20 above, and further in view of Schwantes et al. (US 2020/0242536 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Parimi et al. and Hecht et al. disclose classifying the user roles for the plurality of enterprise users.
They do not explicitly disclose determining, for each enterprise user of the plurality of enterprise users, an enterprise role for the enterprise user based on organizational hierarchy information and the enterprise user's association with at least one computing environment of a plurality of enterprise computing environments.
However, Schwantes et al. teaches determining, for each enterprise user of the plurality of enterprise users, an enterprise role for the enterprise user based on organizational hierarchy information and the enterprise user's association with at least one computing environment of a plurality of enterprise computing environments [par. 0019, “a binary user-to-entitlement matrix X may be constructed, where X_ij is equal to one if user i has access to entitlement j. A binary user-to-job responsibility matrix D may also be constructed, where D_ij is equal to one if user j has job responsibility i. A “job responsibility” can be defined using any combination of attributes related to a user's role or responsibilities within the enterprise, such as job family, job level, department, reporting hierarchy, organization, etc”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Schwantes et al. into the teaching of Parimi et al. and Hecht et al. with the motivation for improving assignment of entitlements to users of an enterprise computer system as taught by Schwantes et al. [Schwantes et al.: par. 0017].
Regarding claim 3, the rejection of claim 2 is incorporated.
Schwantes et al. further teaches determining, for each enterprise user of the plurality of enterprise users, the enterprise role for the enterprise user comprises determining the enterprise role for the enterprise user to be one of development, quality assurance, production, or DevOps [par. 0063, DevOps].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Schwantes et al. into the teaching of Parimi et al. and Hecht et al. with the motivation for improving assignment of entitlements to users of an enterprise computer system as taught by Schwantes et al. [Schwantes et al.: par. 0017].
Regarding claim 13, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.

Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2020/0403996 A1), Hecht et al. (US 10,148,701 B1) and Schwantes et al. (US 2020/0242536 A1) as applied to claims 2-3, 13 and 18 above, and further in view of Terkowitz et al. (US 10,803,166 B1).
Regarding claim 4, the rejection of claim 2 is incorporated.
Parimi et al., Hecht et al. and Schwantes et al. do not explicitly disclose the plurality of enterprise computing environments comprises a production environment and a non-production environment.
However, Terkowitz et al. teaches the plurality of enterprise computing environments comprises a production environment and a non-production environment [fig. 2, col. 2, lines 58-60, “The networked environment 200 includes a testing computing environment 203, a production computing environment 206”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Terkowitz et al. into the teaching of Parimi et al., Hecht et al. and Schwantes et al. with the motivation to use the testing environment to determine a list of minimal permissions for an application such that if the application is compromised or has defects involving stability, the impact of the compromise or defects is contained to the minimum set of resources as taught by Terkowitz et al. [Terkowitz et al.: col. 1, lines 48-56].
Regarding claim 5, the rejection of claim 4 is incorporated.
Terkowitz et al. further teaches the non-production environment comprises one or more of: a development environment, a testing environment, or a quality assurance environment [fig. 2, col. 2, lines 58-60, “The networked environment 200 includes a testing computing environment 203, a production computing environment 206”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Terkowitz et al. into the teaching of Parimi et al., Hecht et al. and Schwantes et al. with the motivation to use the testing environment to determine a list of minimal permissions for an application such that if the application is compromised or has defects involving stability, the impact of the compromise or defects is contained to the minimum set of resources as taught by Terkowitz et al. [Terkowitz et al.: col. 1, lines 48-56].

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2020/0403996 A1) and Hecht et al. (US 10,148,701 B1) as applied to claims 1, 6-8, 11-12, 14-17 and 19-20 above, and further in view of Hashmi et al. (US 2016/0381032 A1).
Regarding claim 9, the rejection of claim 1 is incorporated.
Hecht et al. discloses converting the access permission data into a normalized format comprises converting the access permission data into the normalized format.
They do not explicitly disclose converting the access permission data into the normalized format using one or more of: regular expression, data wrangling operations, structured query language, or natural language processing.
However, Hashmi et al. teaches converting the access permission data into the normalized format using one or more of: regular expression, data wrangling operations, structured query language, or natural language processing [claim 4, “the comparing of the obtained stored permissions information with the command and the one or more computing nodes includes matching the command to one or more regular expressions stored in the obtained stored permissions information”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hashmi et al. into the teaching of Parimi et al. and Hecht et al. with the motivation of comparing the obtained stored permissions information with the command as taught by Hashmi et al. [Hashmi et al.: claim 4].

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Parimi et al. (US 2020/0403996 A1) and Hecht et al. (US 10,148,701 B1) as applied to claims 1, 6-8, 11-12, 14-17 and 19-20 above, and further in view of Parks et al. (US 2021/0144144 A1).
Regarding claim 10, the rejection of claim 1 is incorporated.
Parimi et al. and Hecht et al. disclose identifying user-specific entitlements based on the normalized permission data.
They do not explicitly disclose identifying user-specific entitlements using machine learning.
However, Parks et al. teaches identifying user-specific entitlements using machine learning [par. 0024, “a machine learning algorithm may be used to group similar permissions. The system may then determine the permissions that a user is likely to used based on what has been logged. Permissions may be grouped into permission sets and roles, and users may be identified as being associated with permission sets and roles”, par. 0038].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Parks et al. into the teaching of Parimi et al. and Hecht et al. with the motivation to determine the permissions that a user is likely to use as taught by Parks et al. [Parks et al.: par. 0024].

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20220182386 A1	METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR CONTROLLING ACCESS IN A NETWORK OF SERVERS
US 11308234 B1	Methods For Protecting Data
US 20180183801 A1	METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT FOR MANAGING ACCESS PERMISSIONS FOR A SEARCHABLE ENTERPRISE PLATFORM
US 20170295197 A1	METHOD AND SYSTEM TO DETECT DISCREPANCY IN INFRASTRUCTURE SECURITY CONFIGURATIONS FROM TRANSLATED SECURITY BEST PRACTICE CONFIGURATIONS IN HETEROGENEOUS ENVIRONMENTS
US 9582673 B2	Separation Of Duties Checks From Entitlement Sets
US 20150370824 A1	IDENTIFYING UNUSED PRIVILEGES IN A DATABASE SYSTEM
US 20080052102 A1	System And Method For Collecting And Normalizing Entitlement Data Within An Enterprise

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431