DETAILED ACTION
Status of Claims 
This Final Office Action is responsive to Applicant's reply filed July 1, 2022. 
Claims 1, 4-6, 13, and 20-21 have been amended, claims 2-3 and 18 have been cancelled, and claim 22 has been added new.
Claims 1, 4-17, and 19-22 are currently pending and have been examined. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application claims priority of Provisional Application 62/735,892 filed on 9/25/2018. Applicant's claim for the benefit of this prior-filed application is acknowledged. 

Response to Amendments
The previously pending 35 USC 103 rejections for claims 1, 4-12, 15-17, and 19-22 have been withdrawn based on Applicant’s claim amendments. See below for a discussion on related prior art.
Applicant’s amendments have been fully considered, but do not overcome the previously pending 35 USC 103 and 35 USC 101 rejections. 

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With regard to the limitations of claims 1, 4-17, and 19-22, Applicant argues that the claims are patent eligible under 35 USC 101 because the pending claims are not directed toward an abstract idea. The Examiner respectfully disagrees. The Examiner has already set forth a prima facie case under 35 USC 101. Applicant merely copies and pastes the entire independent claim and does not provide reasoning. The Examiner points to the rejection below. Applicant’s arguments are not persuasive.
The Applicant argues that the claims recite an improvement in the field of security or functionality of an enterprise system. The Examiner respectfully disagrees. The Examiner has clearly pointed out the limitations directed towards the abstract idea, what the additional elements are and why they do not integrate the abstract idea into a practical application, and why the additional elements and remaining limitations do not amount to significantly more than the abstract idea. The Examiner asserts that assigning users to specific roles is directed towards the abstract idea of Organizing Human Activity. The claims are analyzing security profiles of the users to determine which of the users can be assigned certain tasks based on the SoD ruleset, which is the abstract idea. The Examiner notes that the users are merely being assigned what tasks to do based on a certain set of rules, where the claims merely recite security profiles as one of the variables being analyzed. Applicant’s arguments are not persuasive.
The Examiner further notes that assigning roles to users based on rules is directed toward the abstract idea. There is no recitation or details as to what these roles entail or what access they are being granted / not granted. Applicant’s claims merely recite assigning roles based on the rules (See rejection below for more details).  Applicant’s arguments are not persuasive.
The Examiner further notes that automatically performing a previously manual task using a computer alone is not enough to overcome the 101 rejection (See MPEP 2106.05). Applicant’s arguments are not persuasive.
With regard to the limitations of claims 13-14, Applicant argues that the claims are allowable over 35 USC 103 because the claim amendments overcome the current art rejection. The Examiner respectfully disagrees. Please see the updated rejection below since amendments by Applicant require additional reference to the Examiner’s art rejection.
Applicant argues that a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system, is not taught by the cited prior art. The Examiner respectfully disagrees. The Examiner asserts that Gutesman teaches a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system (See Figure 4A, Figure 5, Figure 6, Paragraph 0130 – “assume that according to the SoD matrix action a1 is considered to be in conflict with action a2. At some point in time, permissions to execute a1 are assigned to user u1. The user executes a1 and then this permission is revoked from his profile”, Paragraphs 0144-0157, and Paragraph 0159 – “Once the system recovered the assigned profiles in the analyzed time period, the system queries the authorizations each of those profiles had by that time by querying tables USR10 and USH10 and then UST12 and USH12 to finally have the authorization objects active for those profiles in the analyzed time period”), where the Examiner interprets that the transaction codes are queried from the tables USR10 and USH10 and given authorization objects allowing a certain profile to access certain pieces of data. Applicant’s arguments are not persuasive.
The Examiner recommends making claim 13 mirror claim 1 to overcome the prior art.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 4-17, and 19-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter. If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception. If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself.
In the instant case (Step 1), claims 13-17 and 19 are directed toward a process, claims 20 and 22 are directed toward a product, and claims 1, 4-12 and 21 are directed toward a system; which are statutory categories of invention. Additionally (Step 2A Prong One), the independent claims are directed toward a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data including identification of historical user actions actually taken by a plurality of users within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets identifying sets of duties that should not be performable by a single user; automatically generating, based on the historical user actions and the SoD rulesets, a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and testing the plurality of generated roles assigned to the plurality of test users by: creating a simulated environment of the production environment of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment (Organizing Human Activity), which are considered to be abstract ideas (See PEG 2019 and MPEP 2106.05).
The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are analyzing user activity data to SoD rulesets to determine roles that the users should perform and assigning the roles to the users based on the analysis, which is managing relationships and interactions. The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are analyzing user activity data to SoD rulesets to determine roles that the users should perform and assigning the roles to the users based on the analysis for helping ensure unrestricted access to the system, which is a business relation. The Applicant’s claimed limitations are analyzing user activity data to SoD rulesets to assign roles to users, which is directed towards the abstract idea of Organizing Human Activity.
Step 2A Prong Two: In this application, even if not directed toward the abstract idea, the above “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment” steps/functions of the independent claims would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and merely adds the words to apply it with the judicial exception. Also, the claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05). 
In addition, dependent claims 4-12, 14-17, 19, and 21 further narrow the abstract idea and dependent claims 4-7, 9-11, 14-17, and 19 additionally recite “assigning the one or more of the plurality of generated roles to the plurality of users; placing the test users in the simulated environment; retrieving subsequent user actions actually taken by the plurality of users; placing the test users in the simulated environment; receive legacy role definitions and legacy role assignments of the plurality of users of the enterprise system; store the legacy role definitions and legacy role assignments; assign the identified one or more transaction codes for the one or more activities; and assigning one or more actions to each of the plurality of roles” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and the claimed “production environment, user devices, and machine learning algorithms” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05).
The claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” are recited so generically (no details whatsoever are provided other than that they are general purpose computing components and regular office supplies) that they represent no more than mere instructions to apply the judicial exception on a computer. These limitations can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. Even when viewed in combination, the additional elements in the claims do no more than use the computer components as a tool. There is no change to the computers and other technology that is recited in the claim, and thus the claims do not improve computer functionality or other technology (See PEG 2019).
Step 2B: When analyzing the additional element(s) and/or combination of elements in the claim(s) other than the abstract idea per se the claim limitations amount(s) to no more than: a general link of the use of an abstract idea to a particular technological environment and merely amounts to the application or instructions to apply the abstract idea on a computer (See MPEP 2106.05 and PEG 2019). Further, method claims 13-17 and 19; System claims 1, 4-12 and 21; and Product claims 20 and 22 recite a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method; however, these elements merely facilitate the claimed functions at a high level of generality and they perform conventional functions and are considered to be general purpose computer components which is supported by Applicant’s specification in Paragraphs 0063-0067 and Figure 5. The Applicant’s claimed additional elements are mere instructions to implement the abstract idea on a general purpose computer and generally link the use of an abstract idea to a particular technological environment.
Also, the above “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment” steps/functions of the independent claims would not account for significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art. When viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself. 
In addition, claims 4-12, 14-17, 19 and 21 further narrow the abstract idea identified in the independent claims.  The Examiner notes that the dependent claims merely further define the data being analyzed and how the data is being analyzed. Similarly, claims 4-7, 9-11, 14-17, and 19 additionally recite “assigning the one or more of the plurality of generated roles to the plurality of users; placing the test users in the simulated environment; retrieving subsequent user actions actually taken by the plurality of users; placing the test users in the simulated environment; receive legacy role definitions and legacy role assignments of the plurality of users of the enterprise system; store the legacy role definitions and legacy role assignments; assign the identified one or more transaction codes for the one or more activities; and assigning one or more actions to each of the plurality of roles” which do not account for additional elements that amount to significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art and the claimed “production environment, user devices, and machine learning algorithms” which do not account for additional elements that amount to significantly more than the abstract idea because the claimed structure merely amounts to the application or instructions to apply the abstract idea on a computer and does not move beyond a general link of the use of an abstract idea to a particular technological environment (See MPEP 2106.05). The additional limitations of the independent and dependent claim(s) when considered individually and as an ordered combination do not amount to significantly more than the abstract idea.  
The examiner has considered the dependent claims in a full analysis including the additional limitations individually and in combination as analyzed in the independent claim(s). Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Kazachkov et al. (US 2015/0088800 A1) in view of Thompson et al. (US 7,712,127 B1) and further in view of Gutesman et al. (US 2016/0119380 A1).

Regarding Claim 13: Kazachkov et al. teach a method for improving the security or functionality of an enterprise system, the method including (See Figure 1, Figure 2, Figure 5, Paragraph 0008, claim 1, claim 11, and claim 20): 
receiving user activity data including identification of historical user actions actually taken by a plurality of users over a predetermined period of time within a production environment of the enterprise system (See Figure 1, Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0070 – “collect current information about at least existing application control rules as well as information about every PC 150 and on each application installed on each PC 150 from the inventory database 230”, Paragraphs 0071-0074 – “information on the user accounts, information on the PCs where said user accounts are being used, information on the applications installed on these PCs, information on the categories of these applications”, claim 1, claim 3 – “collecting user accounts for each computing device”, and the Examiner interprets the information on every pc for each account to be the historical user actions taken by the users); 
receiving one or more rulesets identifying sets of duties that should not be performable (See Figure 4, Abstract, Paragraph 0008, Paragraph 0028, Paragraphs 0051-0053 – “generate a list of application control rules for each user account … the account record to which this role is assigned will be allowed to use only those applications on all PCs 150 in the network 110 that are governed for this role”, Paragraph 0057, Paragraph 0069 – “a new application control rule 210 is created and sent to the configuration system 200 for testing its operating accuracy”, claim 1 – “generating a new application control rule relating to a software application deployable on one or more computing devices in a network”, and the Examiner interprets that Paragraphs 0051-0053 at least disclose how the ruleset lists off duties each account that has been categorized (e.g. accountant) is allowed to perform, where all other duties not listed would be the duties not allowed); 
automatically generating, based on the historical user actions and the rulesets, a plurality of roles (See Figure 4, Paragraph 0010, Paragraph 0045, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059, Paragraph 0079, and claim 3 – “collecting user accounts for each computing device; categorizing identified computer users into a plurality of different user roles; and generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules”); 
and assign, based on the historical user actions and the rulesets, one or more of the plurality of generated roles to the plurality of users of the enterprise system (See Figure 4, Abstract, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0079, and claim 1). 

Kazachkov et al. do not specifically disclose “separation of duty (SoD) rulesets” identifying sets of duties that should not be “performable by a single user” or a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system, each authorized action being limited to historical user actions actually taken by one or more of the plurality of users over the predetermined period of time. However, Thompson et al. further teach “separation of duty (SoD) rulesets” identifying sets of duties that should not be “performable by a single user” (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.
Kazachkov et al. in view of Thompson et al. do not specifically disclose a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system, each authorized action being limited to historical user actions actually taken by one or more of the plurality of users over the predetermined period of time. However, Gutesman et al. further teach a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system, each authorized action being limited to historical user actions actually taken by one or more of the plurality of users over the predetermined period of time (See Figure 4A, Figure 5, Figure 6, Paragraph 0130 – “assume that according to the SoD matrix action a1 is considered to be in conflict with action a2. At some point in time, permissions to execute a1 are assigned to user u1. The user executes a1 and then this permission is revoked from his profile”, Paragraphs 0144-0157, and Paragraph 0159 – “Once the system recovered the assigned profiles in the analyzed time period, the system queries the authorizations each of those profiles had by that time by querying tables USR10 and USH10 and then UST12 and USH12 to finally have the authorization objects active for those profiles in the analyzed time period”).
The teachings of Kazachkov et al., Thompson et al., and Gutesman et al. are related because they involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. in view of Thompson et al. to incorporate the security profiles and transaction codes related to authorized actions of Gutesman et al. in order to better control and regulate which users/profiles are allowed to access and perform certain tasks/duties, thereby improving security of the system.

Regarding Claim 14: Kazachkov et al. in view of Thompson et al. and further in view of Gutesman et al. teach the limitations of claim 13. Kazachkov et al. further teach wherein the computer program code, when executed by the at least one processor, further instructs the at least one processor to: assign, based on the user activity data and the rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and test the plurality of generated roles assigned to the plurality of test users (See Figure 3A, Figure 4, Abstract, Paragraph 0008, Paragraph 0052 – “Each role can be assigned a list of control rules that permits or forbids the use of particular applications on all the PCs 150”, Paragraph 0057, Paragraph 0059 – “performs testing of the new application control rule 210 and then compares the results of the analysis with the working of the existing application control rules in order to identify conflicts in the working of the new application control rule 210 … During the testing, all possible verdicts may be identified that are delivered by the new application control rule 210 for the start of a particular application on any particular PC 150 by any particular user. For this, the module 250 makes a request to the inventory database 230 to collect current information on the applications contained in each PC 150 of the network 110, information about the categories assigned to each application, user accounts of the users on each PC 150, the roles assigned to each account record of the users, and existing application control rules”, Paragraph 0070, Paragraph 0075, Paragraph 0079, claim 1, and claim 4). 
Kazachkov et al. do not specifically disclose separation of duty (SoD) rulesets. However, Thompson et al. further teach separation of duty (SoD) rulesets (See Figure 5, Figure 6, column 6 lines 24-40 – “RBAC can be used for enforcing a policy of separation of duty … Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set”, column 6 lines 39-59 – “With dynamic separation of duty, users may be authorized for two roles that are mutually exclusive (or conflicting with each other), but cannot have both roles active at the same time. In other words, static separation of duty enforces the mutual exclusion rule at the time an administrator sets up role authorizations, while dynamic separation of duty enforces the rule at the time a user selects roles for a session”, and claim 1).
The teachings of Kazachkov et al. and Thompson et al. are related because both involve performing an analysis on role based access control management. Therefore it would have been obvious to one of ordinary skill in the art at the effective filing date of the claimed invention to have modified the role based access analysis system of Kazachkov et al. to incorporate the SoD ruleset of Thompson et al. in order to share completion of single tasks as an internal control method to prevent fraud and error.


Allowable over 35 USC 103
Claims 1, 4-12, 15-17, and 19-22 are allowable over the prior art, but remain rejected under §101 for the reasons set forth above. Independent claims 1, 4-12, 15-17, and 19-22 disclose a system, product and method for improving the functionality of an enterprise system by identifying historical actions taken by users, identifying duties that should not be performed alone using SoD rulesets, generating roles for users based off security profiles of the roles having transaction codes for authorized actions and testing role assignments in a simulated environment of the production environment by allowing the user devices access and control in the simulated environment.
Regarding a possible 103 rejection: The closest prior art of record is:
Thompson et al. (US 7,712,127 B1) – which discloses access control based on constraints controlling role assignment.
Prasad et al. (US 7,568,217 B1) – which discloses using a role-based access control system over a network.
Gutesman et al. (US 2016/0119380 A1) – which discloses real time detection and prevention of segregation of duties violations in an enterprise system.
Kazachkov et al. (US 2015/0088800 A1) – which discloses testing and configuration control using rules for role assignment.
Chari et al. (US 2014/0196103 A1) – which discloses role based access control policies based on risk.

The prior art of record neither teaches nor suggests all particulars of the limitations as recited in claims 1, 4-12, 15-17, and 19-22, such as improving the functionality of an enterprise system by identifying historical actions taken by users, identifying duties that should not be performed alone using SoD rulesets, generating roles for users based off security profiles of the roles having transaction codes for authorized actions and testing role assignments in a simulated environment of the production environment by allowing the user devices access and control in the simulated environment. While individual features may be known per se, there is no teaching or suggestion absent applicants’ own disclosure to combine these features other than with impermissible hindsight and the combination/arrangement of features is not found in analogous art. Specifically the claimed “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data including identification of historical user actions actually taken by a plurality of users within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets identifying sets of duties that should not be performable by a single user; automatically generating, based on the historical user actions and the SoD rulesets, a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and testing the plurality of generated roles assigned to the plurality of test users by: creating a simulated environment of the production environment of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment (as required by claims 1, 4-12, 15-17, and 19-22)”, thus rendering claims 1, 4-12, 15-17, and 19-22 as allowable over the prior art.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record but not relied upon, which is considered pertinent to applicant's disclosure, is listed on the attached PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW D HENRY whose telephone number is (571)270-0504.  The examiner can normally be reached on Monday-Thursday 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, BRIAN EPSTEIN can be reached on (571)-270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MATTHEW D HENRY/           Primary Examiner, Art Unit 3683