DETAILED ACTION
This communication is in response to the application filed on September 30, 2020.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/30/2020, 12/16/2020, 05/25/2021, 07/08/2021, 08/04/2021, 09/13/2021, 10/14/2021, 11/15/2021, 02/07/2021, 02/25/2022, 05/03/2022, 05/19/2022, 06/24/2022, 07/07/2022 and 08/01/2022 are being considered by the examiner.

Terminal Disclaimer
The terminal disclaimer filed on 08/01/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Pat. No. 10,862,928 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Drawings
	The drawings filed on 09/30/2020 are accepted by the Examiner.


Status of claims
Claims 1-21 are pending, all of which are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant’s representative Ariyeh Akmal (Reg. # 51388) on 07/29/2022.

The application has been amended as follows: 
The claims have been amended as follows:
1. 	(Original) An identity management system, comprising:
	a data store;
	a processor;
	a non-transitory, computer-readable storage medium, including computer instructions for:
obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, the set of roles, set of entitlements and set of identities utilized in identity management in the distributed enterprise computing environment; 
	evaluating the identity management data to determine the set or roles, identities of the set of identities associated with the set of roles, and entitlements of the set of entitlements associated with the set of roles; 
	generating a role graph from the identity management data by: 
creating a node of the role graph for each of the determined set of roles, 
for each first identity and second identity that share at least one entitlement of the set of entitlements or at least one identity of the set of identities, creating an edge of the role graph between a first node representing a first role and a second node of the role graph representing a second role, and			
generating a weight for each edge of the role graph between each first node representing the first role and second node representing the second role based on the at least one entitlement or the at least one identity shared between the first role represented by the first node and the second role represented by the second node;  
	storing the role graph in the data store; 
	determining a health metric for one or more of the set of roles associated with the distributed enterprise computing environment based on the role graph; and
	presenting the health metric and the role graph to a user through an interface.
 
2.  	(Original) The system of claim 1, wherein a type of the role graph is selected by a user through the interface.

3.  	(Original) The system of claim 2, wherein the type comprises a first type where each edge is an access similarity relationship or a second type where each edge is a concurrency similarity relationship. 

4.  	(Original) The system of claim 1, wherein the instructions are further for receiving a selection of the health metric, where in the determination and presentation of the health metric is in response to the reception of the selection of the health metric. 

5.	(Original) The system of claim 1, wherein the presentation of the role graph includes a visual indicator comprising the presentation of the health metric. 

6.  	(Original) The system of claim 1, wherein the health metric for the set of roles associated with the distributed enterprise computing environment measures a deviation from a second role graph

7.  	(Original) The system of claim 1, wherein the health metric is based on a number of identities or entitlements associated with one or more roles represented in the role graph.

8.  	(Currently Amended) A method, comprising:
obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment over one or more computer network connections, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, the set of roles, set of entitlements and set of identities utilized in identity management in the distributed enterprise computing environment; 
	evaluating the identity management data to determine the set or roles, identities of the set of identities associated with the set of roles, and entitlements of the set of entitlements associated with the set of roles; 
	generating a role graph from the identity management data by: 
creating a node of the role graph for each of the determined set of roles, 
for each first identity and second identity that share at least one entitlement of the set of entitlements or at least one identity of the set of identities, creating an edge of the role graph between a first node representing a first role and a second node of the role graph representing a second role, and			
generating a weight for each edge of the role graph between each first node representing the first role and second node representing the second role based on the at least one entitlement or the at least one identity shared between the first role represented by the first node and the second role represented by the second node;  
	storing the role graph in the data store; 
	determining a health metric for one or more of the set of roles associated with the distributed enterprise computing environment based on the role graph; and
	presenting the health metric and the role graph to a user through an interface.
 
9.  	(Original) The method of claim 8, wherein a type of the role graph is selected by a user through the interface.

10.  	(Original) The method of claim 9, wherein the type comprises a first type where each edge is an access similarity relationship or a second type where each edge is a concurrency similarity relationship. 

11.  	(Original) The method of claim 8,  further comprising receiving a selection of the health metric, where in the determination and presentation of the health metric is in response to the reception of the selection of the health metric. 

12.	(Original) The method of claim 8, wherein the presentation of the role graph includes a visual indicator comprising the presentation of the health metric. 

13.  	(Original) The method of claim 8, wherein the health metric for the set of roles associated with the distributed enterprise computing environment measures a deviation from a second role graph

14.  	(Original) The method of claim 8, wherein the health metric is based on a number of identities or entitlements associated with one or more roles represented in the role graph.

15.  	(Currently Amended) A non-transitory computer readable medium, comprising computer instructions that, when executed on a processor, cause the processor to perform the steps of [[for]]:
obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of roles, a set of entitlements, and a set of identities, the set of roles, set of entitlements and set of identities utilized in identity management in the distributed enterprise computing environment; 
	evaluating the identity management data to determine the set or roles, identities of the set of identities associated with the set of roles, and entitlements of the set of entitlements associated with the set of roles; 
	generating a role graph from the identity management data by: 
creating a node of the role graph for each of the determined set of roles, 
for each first identity and second identity that share at least one entitlement of the set of entitlements or at least one identity of the set of identities, creating an edge of the role graph between a first node representing a first role and a second node of the role graph representing a second role, and			
generating a weight for each edge of the role graph between each first node representing the first role and second node representing the second role based on the at least one entitlement or the at least one identity shared between the first role represented by the first node and the second role represented by the second node;  
	storing the role graph in the data store; 
	determining a health metric for one or more of the set of roles associated with the distributed enterprise computing environment based on the role graph; and
	presenting the health metric and the role graph to a user through an interface.
 
16.  	(Original) The non-transitory computer readable medium of claim 15, wherein a type of the role graph is selected by a user through the interface.

17.  	(Original) The non-transitory computer readable medium of claim 16, wherein the type comprises a first type where each edge is an access similarity relationship or a second type where each edge is a concurrency similarity relationship. 

18.  	(Original) The non-transitory computer readable medium of claim 15, wherein the instructions are further for receiving a selection of the health metric, where in the determination and presentation of the health metric is in response to the reception of the selection of the health metric. 

19.	(Original) The non-transitory computer readable medium of claim 15, wherein the presentation of the role graph includes a visual indicator comprising the presentation of the health metric. 

20.  	(Original) The non-transitory computer readable medium of claim 15, wherein the health metric for the set of roles associated with the distributed enterprise computing environment measures a deviation from a second role graph

21.  	(Original) The non-transitory computer readable medium of claim 15, wherein the health metric is based on a number of identities or entitlements associated with one or more roles represented in the role graph.
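To make the claimed construction concrete for readers who are not patent practitioners, the following Python is an added illustration written for this page; it is not code from the application, the applicant, or the examiner, and the roles, entitlements and identities in it are constructed sample data. It builds the two graph types named in claims 3, 10 and 17 (an "access" graph whose edges come from shared entitlements and a "concurrency" graph whose edges come from shared identities), weights each edge by the count of shared items, derives a per-role health score from those weights (the claim only says the metric is based on identity or entitlement counts; the specific ratio here is an assumption), and measures deviation between two role graphs as in claims 6, 13 and 20.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample identity-management data (hypothetical, not from the
# application): which entitlements each role grants, and which roles each
# identity holds.
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"payroll:read", "hr_db:read"},
    "hr_manager": {"payroll:read", "payroll:write", "hr_db:read", "hr_db:write"},
    "finance_clerk": {"payroll:read", "ledger:read"},
    "dba": {"hr_db:admin", "ledger:admin"},
}
IDENTITY_ROLES = {
    "alice": {"hr_analyst"},
    "bob": {"hr_analyst", "hr_manager"},
    "carol": {"finance_clerk", "hr_analyst"},
    "dave": {"dba"},
    "erin": {"finance_clerk"},
}


def role_members(identity_roles):
    """Invert identity -> roles into role -> identities."""
    members = defaultdict(set)
    for identity, roles in identity_roles.items():
        for role in roles:
            members[role].add(identity)
    return members


def build_role_graph(role_entitlements, identity_roles, graph_type="access"):
    """Build a role graph: one node per role, an edge between every pair of
    roles that share at least one entitlement ("access" similarity) or at
    least one identity ("concurrency" similarity), weighted by the number of
    shared items.  Returns (node_attributes, edges); edges map the tuple
    (role_a, role_b) with role_a < role_b to the edge weight."""
    roles = set(role_entitlements) | {r for rs in identity_roles.values() for r in rs}
    if graph_type == "access":
        attrs = {r: set(role_entitlements.get(r, ())) for r in roles}
    elif graph_type == "concurrency":
        members = role_members(identity_roles)
        attrs = {r: set(members.get(r, ())) for r in roles}
    else:
        raise ValueError(f"unknown graph type: {graph_type}")
    edges = {}
    for a, b in combinations(sorted(roles), 2):
        shared = attrs[a] & attrs[b]
        if shared:
            edges[(a, b)] = len(shared)
    return attrs, edges


def role_health(attrs, edges):
    """Assumed health metric per role, in [0, 1]: one minus the largest share
    of the role's items (entitlements or members) that a single neighbouring
    role also carries.  A role fully covered by another role scores 0
    (redundant); a role with no items at all scores 0 (orphan); an isolated
    role that does have items scores 1."""
    strongest = defaultdict(int)
    for (a, b), weight in edges.items():
        strongest[a] = max(strongest[a], weight)
        strongest[b] = max(strongest[b], weight)
    return {
        role: (1.0 - strongest[role] / len(items)) if items else 0.0
        for role, items in attrs.items()
    }


def graph_deviation(edges_a, edges_b):
    """Deviation of one role graph from another: the total absolute weight
    difference over the union of their edges (an edge absent from one graph
    counts as weight 0)."""
    keys = set(edges_a) | set(edges_b)
    return sum(abs(edges_a.get(k, 0) - edges_b.get(k, 0)) for k in keys)


if __name__ == "__main__":
    attrs, access = build_role_graph(ROLE_ENTITLEMENTS, IDENTITY_ROLES, "access")
    _, concurrency = build_role_graph(ROLE_ENTITLEMENTS, IDENTITY_ROLES, "concurrency")
    for edge, weight in sorted(access.items()):
        print("access edge", edge, "weight", weight)
    for role, health in sorted(role_health(attrs, access).items()):
        print(f"{role:14s} health={health:.2f}")
    print("deviation of concurrency graph from access graph:",
          graph_deviation(access, concurrency))
```

On the sample data, hr_analyst scores 0 on the access graph because every entitlement it grants is also granted by hr_manager, which is the kind of redundant role a reviewer would want surfaced; dba scores 1 because it shares nothing with any other role.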

REASON FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims, in light of the specification, the examiner finds the claimed invention to be patentably distinct from the prior art of record. None of the prior art of record, individually or in combination, explicitly teaches or fairly suggests each and every claimed limitation of the current invention as amended by the applicant, especially the limitation of “....generating a role graph from the identity management data by: creating a node of the role graph for each of the determined set of roles, for each first identity and second identity that share at least one entitlement of the set of entitlements or at least one identity of the set of identities, creating an edge of the role graph between a first node representing a first role and a second node of the role graph representing a second role, and generating a weight for each edge of the role graph between each first node representing the first role and second node representing the second role based on the at least one entitlement or the at least one identity shared between the first role represented by the first node and the second role represented by the second node; storing the role graph in the data store; determining a health metric for one or more of the set of roles associated with the distributed enterprise computing environment based on the role graph”. 
Vepa et al. (US PG-PUB No. 2017/0329957 A1) discloses a method and system for authorizing access to a resource associated with a tenancy in an identity management system. The system evaluates a received access token request by computing dynamic roles and corresponding dynamic scopes for the access token, including a second intersection between the dynamic roles of the user and the dynamic roles of the application, and provides the access token that includes the computed static scopes based on the roles of the user and the roles of the application, together with the computed dynamic roles and corresponding dynamic scopes. Vepa et al. does not disclose generating a role graph with edge weights, or determining a health metric for roles based on the role graph.
Taneja et al. (US Pat. No. 9,286,595 B2) discloses a method and system for identity management that automates monitoring, reporting, certification and remediation of user entitlements and roles, and enables organizations to gain enterprise-wide visibility into all user entitlements and roles, and the access associated with roles and identities. Taneja et al. does not disclose generating a role graph with edge weights, or determining a health metric for roles based on the role graph.
Jagtap et al. (US Pat. No. 9,787,688 B2) discloses a method and system for identifying roles with similar membership or entitlement information in an identity management system of an enterprise, which allows for identifying roles that are deemed to be similar due to similarity of their membership, similarity of their associated entitlement information, and/or similarity of some role-associated parameter, and prevents creating and maintaining redundant roles. Jagtap et al. does not disclose generating a role graph with edge weights, or determining a health metric for roles based on the role graph.
Therefore, the Examiner finds that the prior art of record does not provide sufficient teaching or motivation for anticipating or rendering obvious the claimed invention as a whole, without the usage of impermissible hindsight reasoning.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LINGLAN EDWARDS/Primary Examiner, Art Unit 2491