DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.    This action is responsive to the application filed on 02/24/2020.
2.    Claims 1 – 26 are pending.
3.    Claims 1 – 26 are rejected.


Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 02/24/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-11, 13-24, and 26 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sean Wang et al (US 10089480 B1), hereinafter “Wang”.

Regarding Claim 1, Wang discloses a system for enterprise access control governance in a computerized information technology (IT) architecture (Wang, Col 2, lines 16-18, system for enterprise access control governance in a computerized information technology (IT) architecture, wherein the system includes a server computing device), the system comprising a server computing device having a memory that stores computer-executable instructions and a processor that executes the computer-executable instructions to (Wang, Col 5, lines 58-62, server computing device contains memory and processor):
determine a set of access control entitlements for each of a plurality of users of the computerized IT architecture (Wang, Col 5, lines 66-67 – Col 6, lines 1-4, server contains an entitlement matrix generation module and an entitlement recommendation and discrepancy identification module. Col 6, lines 57-67 – Col 7, lines 1-3, entitlement data is stored on a server computing device, wherein the entitlement data includes one or more attributes of an entitlement (e.g., ability to access) for one or more computing resources in the IT architectures);
convert each set of access control entitlements for each of the plurality of users into a multidimensional vector (Wang, Col 5, lines 8-16, system includes a server computing device that executes a vector space generation module. Col 9, lines 5-27, vector spaces (i.e., user vector space and entitlement vector space) are generated by the module of the server computing device, wherein the vector spaces comprises users and entitlement access. Vector spaces comprise multidimensional vector spaces, where user nodes are connected to each other and entitlement nodes are also connected to each other);
generate a vector space comprising a plurality of nodes, each node in the vector space corresponding to a multidimensional vector associated with the access control entitlements (Wang, Col 8, lines 48-55, vector space generation module of server computing device retrieves user data and entitlement data from data store. The vector space generation module generates vector spaces comprising a plurality of user nodes. Col 9, lines 5-27, vector spaces (i.e., user vector space and entitlement vector space) are generated by the module of the server computing device, wherein the vector spaces comprises users and entitlement access. Vector spaces comprise multidimensional vector spaces, where user nodes are connected to each other and entitlement nodes are also connected to each other);
determine one or more clusters of nodes in the vector space by using a similarity measure to compare each node in the vector space to the other nodes, the similarity measure based upon one or more dimensions of the multidimensional vector (Wang, Col 11, lines 28-48, entitlement recommendation and discrepancy module of server computing device computes a similarity score for each user based upon a comparison of the user’s existing access control entitlements to the recommended set of entitlements for the user and then aggregates the similarity score of all users within a defined group);
identify a job role associated with each of the one or more clusters of nodes in the vector space based upon one or more access control entitlements that are common to at least a portion of the nodes in each cluster (Wang, Col 6, lines 42-51, user data includes one or more attributes of a user (e.g., an employee, consultant, etc.) of one or more computing resources in the IT architecture. For example, job attributes can include data elements such as a job role of the user, a job title of the user, a job function of the user, and the like. Some or all of these data elements can help define which computing resources in the IT architecture that the user should or should not have access to. Col 6, lines 57-67 – Col 7, lines 1-8, selecting entitlements for users. Col 7, lines 25-36, entitlements for different users in a group);
locate one or more outlier nodes in the vector space, the one or more outlier nodes positioned at least a predetermined distance away from at least one of the one or more clusters in the vector space (Wang, Col 11, lines 28-48, the resulting aggregation of similarity scores can then be used as a metric for describing the general "health" of a particular user group based upon how similar the access entitlements are between members of the group. This metric can help administrators identify groups that may have outliers (e.g., users whose entitlements deviate from expected or recommended entitlements), users who have toxic combinations of access that violate organizational requirements or policies, and so forth);
determine at least one difference between the set of access control entitlements for each of the one or more outlier nodes and the set of access control entitlements for at least one node in the nearest one or more clusters (Wang, Col 7, lines 25-36, entitlement discrepancy data represents one or more differences between existing user entitlements to certain computing resources in the IT architecture. Col 11, lines 28-42, determination of the difference in entitlements);
adjust the set of existing access control entitlements for each of the users associated with the one or more outlier nodes based upon the determined difference between the set of access control entitlements for each of the one or more outlier nodes and the set of access control entitlements for at least one node in the nearest one or more clusters (Wang, Col 7, lines 48-59, adjusting existing access permissions in order to mitigate and prevent potential security risks. Col 11, lines 28-42, the difference in entitlements can be determined as a discrepancy, and assigned a value to indicate, e.g., how much of an outlier the user is from the other group members and/or the entitlement is from the recommended set of entitlements for the user's group or the existing set of entitlements for others in the user's group. Col 11, lines 57-67, once the module has determined one or more discrepancies between a user and the set of recommended access control entitlements or the set of existing access control entitlements for other users in the same group, the module adjusts the set of existing access control entitlements for the user based upon the discrepancy).
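The Claim 1 limitations above describe one end-to-end pipeline: entitlement sets become multidimensional vectors, nodes are grouped by a similarity measure, nodes far from every group are outliers, and the entitlement difference to the nearest group drives an adjustment. The following is an added example of that pipeline written for this page; it is not code from the application, from Wang, or from the Office action. The user names, entitlement names, and the 0.7 similarity threshold (so the "predetermined distance" is 1 - 0.7) are constructed; cosine similarity is used as the similarity measure, and a simple single-link threshold grouping stands in for whatever clustering method a real system would use. The output is a list of proposed add/remove instructions for an access-review workflow, not an automatic change.

```python
"""Entitlement-vector outlier detection (added example, constructed data).

Steps: entitlement sets -> binary vectors -> cosine-similarity grouping ->
outlier nodes -> entitlement difference to nearest peer -> workflow instructions.
"""
import math
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample: user -> set of entitlement names (hypothetical values).
USERS: Dict[str, Set[str]] = {
    "alice":   {"hr.read", "hr.write", "payroll.read"},
    "bob":     {"hr.read", "hr.write", "payroll.read"},
    "carol":   {"hr.read", "payroll.read"},
    "dave":    {"git.read", "git.write", "ci.run"},
    "erin":    {"git.read", "git.write", "ci.run", "deploy.prod"},
    "frank":   {"git.read", "ci.run"},
    "mallory": {"hr.read", "git.write", "deploy.prod", "payroll.write"},
}
SIMILARITY_THRESHOLD = 0.7  # constructed; predetermined distance = 1 - threshold


def vectorize(users: Dict[str, Set[str]]) -> Tuple[List[str], Dict[str, List[float]]]:
    """One dimension per distinct entitlement; 1.0 where the user holds it."""
    dims = sorted(set().union(*users.values()))
    return dims, {u: [1.0 if d in ents else 0.0 for d in dims] for u, ents in users.items()}


def cosine(a: List[float], b: List[float]) -> float:
    """Normalised dot product of two vectors; 0.0 if either is all-zero."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def cluster(vectors: Dict[str, List[float]], threshold: float) -> List[FrozenSet[str]]:
    """Single-link grouping: nodes with cosine >= threshold are joined (transitively)."""
    parent = {u: u for u in vectors}

    def find(u: str) -> str:
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path compression
            u = parent[u]
        return u

    names = sorted(vectors)
    for i, u in enumerate(names):
        for v in names[i + 1:]:
            if cosine(vectors[u], vectors[v]) >= threshold:
                parent[find(u)] = find(v)
    groups: Dict[str, Set[str]] = {}
    for u in names:
        groups.setdefault(find(u), set()).add(u)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def role_signature(members: FrozenSet[str], users: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Entitlements common to every member of a cluster: the basis for naming its job role."""
    return frozenset.intersection(*(frozenset(users[u]) for u in members))


def find_outliers(clusters: List[FrozenSet[str]]) -> List[str]:
    """A singleton group is an outlier: every other node is at least (1 - threshold) away."""
    return sorted(next(iter(c)) for c in clusters if len(c) == 1)


def nearest_member(user: str, clusters: List[FrozenSet[str]], vectors: Dict[str, List[float]]) -> str:
    """Closest node belonging to any non-singleton cluster, by cosine similarity."""
    best = max((cosine(vectors[user], vectors[m]), m) for c in clusters if len(c) > 1 for m in c)
    return best[1]


def entitlement_diff(user: str, peer: str, users: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """(entitlements the outlier holds but the peer lacks, entitlements the peer holds but the outlier lacks)."""
    return sorted(users[user] - users[peer]), sorted(users[peer] - users[user])


def workflow_instructions(user: str, peer: str, users: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Proposed adjustments for review: remove extras, add what the nearest peer holds."""
    extra, missing = entitlement_diff(user, peer, users)
    return [("remove", user, e) for e in extra] + [("add", user, e) for e in missing]


def analyse(users: Dict[str, Set[str]] = USERS, threshold: float = SIMILARITY_THRESHOLD):
    """Run the full pipeline; returns (clusters, {outlier: {nearest, instructions}})."""
    _, vectors = vectorize(users)
    clusters = cluster(vectors, threshold)
    report = {}
    for outlier in find_outliers(clusters):
        peer = nearest_member(outlier, clusters, vectors)
        report[outlier] = {"nearest": peer, "instructions": workflow_instructions(outlier, peer, users)}
    return clusters, report


if __name__ == "__main__":
    clusters, report = analyse()
    for c in clusters:
        print(sorted(c), "role signature:", sorted(role_signature(c, USERS)))
    for user, r in report.items():
        print(user, "nearest", r["nearest"], "->", r["instructions"])
```

In the constructed data, mallory's entitlements straddle the HR group and the engineering group, so no node is within the threshold and mallory lands alone; the nearest peer is erin, and the difference surfaces both the extra entitlements (hr.read, payroll.write) and the missing ones (ci.run, git.read) as review items.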


Regarding Claim 2, Wang discloses the system of claim 1 above, wherein the difference comprises an entitlement in the set of access control entitlements for the one or more outlier nodes that is not included in the set of access control entitlements for at least one node in the nearest one or more clusters (Wang, Col 3, lines 43-55, discrepancy comprises an entitlement in the set of existing entitlements for the first user that is not included in the set of recommended entitlements for the first user. Col 11, lines 36-56, determine outliers from users in other groups).

Regarding Claim 3, Wang discloses the system of claim 1 above, wherein the difference comprises an entitlement in the set of access control entitlements for at least one node in the nearest one or more clusters that is not included in the set of access control entitlements for the one or more outlier nodes (Wang, Col 3, lines 43-55, discrepancy comprises an entitlement in the set of existing entitlements for the first user that is not included in the set of recommended entitlements for the first user. Col 11, lines 36-62, determine outliers from users in other groups or in the same group).

Regarding Claim 4, Wang discloses the system of claim 1 above, wherein the difference comprises an entitlement in the set of access control entitlements for at least one node in the nearest one or more clusters that is not included in the set of access control entitlements for the one or more outlier nodes (Wang, Col 3, lines 43-55, discrepancy comprises an entitlement in the set of existing entitlements for the first user that is not included in the set of recommended entitlements for the first user. Col 11, lines 36-62, determine outliers from users in other groups or in the same group).

Regarding Claim 5, Wang discloses the system of claim 1 above, wherein the server computing device identifies one or more access control security risks based upon the difference (Wang, Col 3, lines 56-63, Col 7, lines 36-40, Col 8, lines 41-47, server computing device identifies one or more access control security risks based upon discrepancy).

Regarding Claim 6, Wang discloses the system of claim 5 above, wherein the server computing device executes access control workflow instructions in an information technology access control system to adjust the set of access control entitlements for the one or more outlier nodes based upon the identified access control security risks (Wang, Col 7, lines 36-59, identifying security risks. The IT access control system receives certain information, including user entitlement recommendation data and entitlement discrepancy data, from the server computing device and integrates the data, with existing IT resource access procedures in order to generate actionable instructions and workflows to adjust existing access permissions and conduct detailed reviews of access permissions in order to mitigate and prevent potential security risks. Col 11, lines 57-67, module adjusts the set of existing access control entitlements for the user based on discrepancy).

Regarding Claim 7, Wang discloses the system of claim 6 above, wherein the access control workflow instructions comprise one or more of:
adding new entitlements to the set of access control entitlements for the one or more outlier nodes, changing one or more values of an entitlement in the set of access control entitlements for the one or more outlier nodes, or removing one or more entitlements from the set of access control entitlements for the one or more outlier nodes (Wang, Col 3, lines 56-67 – Col 4, lines 1-2, Col 11, lines 67 – Col 12, lines 1-22, revising permissions in the IT access control system, adding new entitlements to the users, changing values of entitlements to the users, removing entitlements to the user).

Regarding Claim 8, Wang discloses the system of claim 1 above, wherein the job role comprises one or more job role attributes, including: a job function, a title, a manager to which the job role is assigned, a business unit to which the job role is assigned, and an organization to which the job role is assigned (Wang, Col 4, lines 3-13, the one or more attributes of the user include: a job function of the user, a job role of the user, a title of the user, a manager to which the user is assigned, a business unit to which the user is assigned, and an organization to which the user is assigned. Col 6, lines 45-48, the attributes can include data elements such as a job role of the user, a job title of the user, a job function of the user, a manager of the user, an organization or business unit to which the user is assigned, and the like).

Regarding Claim 9, Wang discloses the system of claim 1 above, wherein each entitlement in the set of access control entitlements comprises one or more entitlement attributes, including: a name of the entitlement, a description of the entitlement, one or more privileged access flags, an application to which the entitlement is assigned, and a computing system to which the entitlement is assigned (Wang, Col 6, lines 1 - Col 7, lines 1-8, the attributes can include data elements such as a name of the entitlement, a description of the entitlement, one or more flags that indicate if the entitlement maps to a privileged access, an application to which the entitlement relates, a computing system to which the entitlement relates, and the like).

Regarding Claim 10, Wang discloses the system of claim 1 above, wherein the similarity measure is a cosine similarity based upon a normalized dot product of (i) a dimension of the multidimensional vector for a first node and (ii) the corresponding dimension of the multidimensional vector for each other node (Wang, Col 9, lines 19-27, vector spaces corresponding to users of the IT architecture comprise multidimensional vector spaces where user nodes can be connected to each other based on the same or similar attributes of the user nodes and the entitlement nodes can be connected to each other based on the same or similar attributes of the entitlement nodes. Col 11, lines 7-21, similarity between users).

Regarding Claim 11, Wang discloses the system of claim 10 above, wherein the server computing device generates a one-dimensional distance matrix based upon the similarity measure and scales the one-dimensional distance matrix to a multidimensional distance matrix using a distance-preserving manifold learning method (Wang, Col 6, lines 4-8, vector space generation module includes programming that comprises specific computer learning-based techniques (such as a multi-layered neural network) for use in carrying out the techniques. Col 9, lines 28-37, The entitlement matrix generation module 112 receives the user vector space and the entitlement vector space from the vector space generation module 110. The entitlement matrix generation module 112 creates (306) an entitlement utility matrix by mapping one or more nodes in the first vector space (e.g., nodes 402a-402z in user vector space 402) to one or more nodes in the second vector space (e.g., nodes 404a-404z in entitlement vector space 404) based upon existing user entitlements to access computing resources in the IT architecture.).


Regarding Claim 13, Wang discloses the system of claim 1 above, wherein the server computing device generates a two-dimensional graphical representation of the vector space that depicts the one or more clusters and the one or more outlier nodes color-coded according to the identified job role (Wang, Col 12, lines 36-55, nodes have different colors based on user’s entitlement’s acceptable range).



Claim 14 carries similar limitations as discussed with regards to Claim 1 above and therefore is rejected for the same reason.


Regarding Claim 15, this claimed limitation is the same as the limitation addressed to Claim 2 above. Therefore it is rejected under the same rationale.

Regarding Claim 16, this claimed limitation is the same as the limitation addressed to Claim 3 above. Therefore it is rejected under the same rationale.

Regarding Claim 17, this claimed limitation is the same as the limitation addressed to Claim 4 above. Therefore it is rejected under the same rationale.

Regarding Claim 18, this claimed limitation is the same as the limitation addressed to Claim 5 above. Therefore it is rejected under the same rationale.

Regarding Claim 19, this claimed limitation is the same as the limitation addressed to Claim 6 above. Therefore it is rejected under the same rationale.

Regarding Claim 20, this claimed limitation is the same as the limitation addressed to Claim 7 above. Therefore it is rejected under the same rationale.

Regarding Claim 21, this claimed limitation is the same as the limitation addressed to Claim 8 above. Therefore it is rejected under the same rationale.

Regarding Claim 22, this claimed limitation is the same as the limitation addressed to Claim 9 above. Therefore it is rejected under the same rationale.

Regarding Claim 23, this claimed limitation is the same as the limitation addressed to Claim 10 above. Therefore it is rejected under the same rationale.

Regarding Claim 24, this claimed limitation is the same as the limitation addressed to Claim 11 above. Therefore it is rejected under the same rationale.

Regarding Claim 26, this claimed limitation is the same as the limitation addressed to Claim 13 above. Therefore it is rejected under the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 12 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Ganesh Kirti et al (US 20180375886 A1), hereinafter “Kirti”.

Regarding Claim 12, Wang discloses the system of claim 1 above.

However, Wang fails to explicitly disclose wherein the server computing device uses k-means clustering to identify the one or more clusters.

Kirti, from the same or similar field of endeavor, discloses wherein the server computing device uses k-means clustering to identify the one or more clusters (Kirti, Paragraph 0194, using K-means in order to identify clusters in the activity data, wherein the clusters can group together different users).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Kirti in order to further modify the method of access control governance in a computerized information technology (IT) architecture from the teachings of Wang with the method of cloud security systems that can identify users that have privileged capabilities with respect to an application or service provided by a cloud service provider from the teachings of Kirti.
One of ordinary skill in the art would have been motivated because there would be a way to group together users that are performing similar activities in order to determine normal and/or abnormal behavior (Kirti, Paragraphs 0051, 0194, 0207).


Regarding Claim 25, this claimed limitation is the same as the limitation addressed to Claim 12 above. Therefore it is rejected under the same rationale.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. All the references listed on 892 are related to the subject matter of enterprise access control governance in a computerized information technology (IT) architecture.
Some of the prior art includes: US 20140053126 A1, US 20170063872 A1, US 20170091658 A1.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAVIER O GUZMAN whose telephone number is (571)270-0588. The examiner can normally be reached Monday - Friday 8 am to 4 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached on 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAVIER O GUZMAN/Primary Examiner, Art Unit 2446