Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Mr. Jason Lohr (Registration No. 48163) on 8/11/2022.
The claims have been amended as follows: 

16. A non-transitory computer-readable storage medium storing instructions, the instructions when executed by a processor causing the processor to: 
receive login credentials used to access an on-premise system, the login credentials associated with a particular user; 
permit single sign-on across the on-premise system and a cloud-based system, the cloud-based system having a synchronized directory integrated with an on-premise directory; 
determine one or more groups in the on-premise directory to which the user belongs; 
determine one or more groups in the cloud-based environment corresponding to the one or more groups in the on-premise directory, wherein the one or more groups in the cloud-based environment are mapped to the one or more groups in the on-premise directory on a one-to-one basis, the one or more groups in the cloud-based environment providing respective access to one or more resources in the cloud-based environment; 
generate a dynamic group in the cloud-based environment, the dynamic group having access to all of the resources associated with the one or more groups in the cloud-based environment; 
assign the user to the dynamic group; and 
allow the user to access all of the one or more resources.

17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions when executed further cause the processor to: 
query a database using a user identifier, the database having records of previously generated dynamic groups; and 
determine, from the database, that a valid dynamic group does not already exist for the user identifier.

18. The non-transitory computer-readable storage medium of claim 16, wherein the instructions when executed further cause the processor to: 
determine, from the database, a record of an existing dynamic group for the user identifier, the record indicating that the existing dynamic group has expired; and 
determine that the existing dynamic group is no longer valid.

19. The non-transitory computer-readable storage medium of claim 16, wherein the instructions when executed further cause the processor to: 
determine, from the database, a record of an existing dynamic group for the user identifier, the record including one or more groups previously associated with the existing dynamic group, wherein the one or more groups in the record are not the same set of groups as the one or more groups currently associated with the user; and 
determine that the existing dynamic group is no longer valid.

20. The non-transitory computer-readable storage medium of claim 16, wherein the on-premise directory includes an active directory hosted in a client environment and wherein the one or more groups in the on-premise directory include one or more active directory groups.
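Claims 16 through 19 above describe a procedure: read the user's groups from the on-premise directory, map them one-to-one onto cloud groups, generate a dynamic group whose access is the union of those cloud groups' resources, assign the user to it, and reuse a previously generated dynamic group only while it is still valid (not expired, and built from the same set of groups the user currently holds). The Python model below is an added illustration of that procedure, not code from the application or the applicant; the group and resource names, the eight-hour lifetime, the in-memory store standing in for the database of claim 17, and the fail-closed handling of an unmapped group are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample data (not from the application): the one-to-one map from
# on-premise (Active Directory) groups to cloud groups, and the resources each
# cloud group grants access to.
GROUP_MAP: Dict[str, str] = {
    "CORP\\Finance": "cloud-finance",
    "CORP\\VPN-Users": "cloud-remote-access",
    "CORP\\Engineering": "cloud-engineering",
}
CLOUD_GROUP_RESOURCES: Dict[str, FrozenSet[str]] = {
    "cloud-finance": frozenset({"ledger-db", "reports-bucket"}),
    "cloud-remote-access": frozenset({"bastion"}),
    "cloud-engineering": frozenset({"source-repo", "ci-runner"}),
}

BASE_TIME = datetime(2022, 8, 11, 9, 0, tzinfo=timezone.utc)  # constructed clock


def at(hours: float) -> datetime:
    """Clock helper: BASE_TIME plus `hours`, so the scenarios below are deterministic."""
    return BASE_TIME + timedelta(hours=hours)


@dataclass(frozen=True)
class DynamicGroup:
    name: str
    user_id: str
    source_groups: FrozenSet[str]  # cloud groups the dynamic group was built from
    resources: FrozenSet[str]      # union of those groups' resources
    expires_at: datetime


class DynamicGroupStore:
    """Stands in for the database of previously generated dynamic groups (claim 17)."""

    def __init__(self) -> None:
        self._by_user: Dict[str, DynamicGroup] = {}
        self._seq = 0

    def lookup(self, user_id: str) -> Optional[DynamicGroup]:
        return self._by_user.get(user_id)

    def save(self, group: DynamicGroup) -> None:
        self._by_user[group.user_id] = group

    def next_name(self, user_id: str) -> str:
        self._seq += 1
        return f"dyn-{user_id}-{self._seq}"


def map_groups(on_prem_groups: FrozenSet[str]) -> FrozenSet[str]:
    """Map each on-premise group to its cloud group (claim 16). The mapping is
    one-to-one, so a group with no cloud counterpart is an error: dropping it
    silently would grant less than intended, guessing would grant more."""
    missing = sorted(g for g in on_prem_groups if g not in GROUP_MAP)
    if missing:
        raise KeyError(f"no cloud group mapped for {missing}")
    return frozenset(GROUP_MAP[g] for g in on_prem_groups)


def is_valid(record: Optional[DynamicGroup], cloud_groups: FrozenSet[str], now: datetime) -> bool:
    """Claims 18 and 19: a stored dynamic group is reused only if it has not
    expired and was built from exactly the user's current set of groups."""
    if record is None:
        return False
    if record.expires_at <= now:
        return False
    return record.source_groups == cloud_groups


def resolve_access(user_id: str, on_prem_groups: FrozenSet[str], store: DynamicGroupStore,
                   now: datetime, ttl: timedelta = timedelta(hours=8)) -> Tuple[DynamicGroup, bool]:
    """Claim 16 end to end. Returns (dynamic group the user is assigned to, created_now)."""
    cloud_groups = map_groups(on_prem_groups)
    existing = store.lookup(user_id)
    if is_valid(existing, cloud_groups, now):
        return existing, False
    # Union of the resources of every mapped cloud group.
    resources = frozenset().union(*(CLOUD_GROUP_RESOURCES.get(g, frozenset()) for g in cloud_groups))
    group = DynamicGroup(store.next_name(user_id), user_id, cloud_groups, resources, now + ttl)
    store.save(group)  # assign the user to the new dynamic group
    return group, True


if __name__ == "__main__":
    store = DynamicGroupStore()
    alice = frozenset({"CORP\\Finance", "CORP\\VPN-Users"})
    g, created = resolve_access("alice", alice, store, at(0))
    print(created, g.name, sorted(g.resources))
    g, created = resolve_access("alice", alice, store, at(1))  # still valid: reused
    print(created, g.name)
    g, created = resolve_access("alice", alice - {"CORP\\VPN-Users"}, store, at(2))  # group set changed
    print(created, g.name, sorted(g.resources))
    g, created = resolve_access("alice", alice - {"CORP\\VPN-Users"}, store, at(10))  # expired
    print(created, g.name)
```

The dynamic group carries the union of several groups' privileges, so the two validity checks are what keep it from outliving the memberships it was derived from: the expiry bounds how long a stale grant can persist, and the group-set comparison forces regeneration as soon as the user's on-premise memberships change in either direction.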

Allowable Subject Matter 
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:

Regarding independent claims 1, 10 and 16, the closest prior art are the following: 

Adams (US 2013/0254847) teaches A computer-implemented method, comprising: 
receiving login credentials used to access an on-premise system, the login credentials associated with a particular user (see [0006]: “the user provides a credential to access an on-premises domain controller via a virtual private network (VPN) endpoint that is running on premise”. And see [0034] and Fig. 2: “on premise directory service 212 may validate user credentials to access computers and software systems within corporate intranet 218”); 
permitting single sign-on across the on-premise system and a cloud-based system (see [0035] and Fig. 2: “Computer 216 of corporate intranet may communicate with cloud computing platform 204 to establish cloud-based SSO in conjunction with on-premises directory service 212”. And see [0001]: “There are techniques that permit a user to log in once, and gain access to multiple software systems. That is, the user gains access to each of those software systems without needing to log in to each of them. These technologies are sometimes referred to as "single sign-on," (SSO) or "single identity"”), the cloud-based system having a synchronized directory integrated with an on-premise directory (see [0036] and Fig. 2: “Synchronization service 210 may perform a function of replicating data between cloud directory service 206 and on-premises directory service 212”).

Jayaram (US 8,893,269) teaches determining one or more groups in the on-premise directory to which the user belongs (see col. 7, line 67-col. 8, line 3: “during export authorities, users and groups data may be retrieved from internal repositories and sent to the external directory repository”. And see col. 8, lines 23-32: “Directory Service Engine may also be used for exporting authorities. The same common platform for importing authorities may be used for exporting. Authority information, such as roles and users assigned to each role, already configured in a storage system may be retrieved by Directory Service Engine from various internal repositories. The internal authority information may then be sent to the external authority. Along with authority information, instructions may be sent to the external authority for adding data such as users and/or group to the external repository”. And see col. 3, lines 51-59 and Fig. 1: “Server 120 may further include Directory Service Engine 130. Through Directory Service Engine 130, authority information already configured and stored in Resource Databases 110 may be exported to External Directory Service 150. Conversely, through Directory Service Engine 130, external authority information already configured by Directory Server 160 and stored in External Repository 170 may be imported and distributed to appropriate Resource Databases 110 of Internal Authorities 105”. The Examiner interprets internal repositories 110 storing “users and groups data” taught by col. 7, line 67-col. 8, line 3 as the on-premise directory. The Examiner further interprets groups/roles with users assigned to each group/role retrieved from internal repositories during exporting authorities taught by col. 7, line 67-col. 8, line 3 and col. 8, lines 23-32 as one or more groups in the on-premise directory to which the user belongs); 
determining one or more groups in the cloud-based environment corresponding to the one or more groups in the on-premise directory, wherein the one or more groups in the cloud-based environment are mapped to the one or more groups in the on-premise directory (see col. 7, lines 12-26: “FIG. 5B is a pictorial diagram of an exemplary interface for mapping an administrator role to an external authority group in accordance with some embodiments. Having imported users and groups from an external authority, groups may be further mapped to different roles in the internal authorities of a backup system. The exemplary user interface of FIG. 5B illustrates a mapping of a group, such as AlbertaTestGroup2 to a role in the backup system, such as Console Security Administrator”. And see col. 7, lines 39-45: “As illustrated in FIG. 6, in an external directory repository, such as a LDAP repository, a group organization unit may contain subgroup1, subgroup2 . . . subgroupN. In internal repositories, various roles such as Admin and Users may contain more specific roles for different privileges. During import and/or export authorities, the external subgroups may be mapped to one or more internal roles”. The Examiner interprets “a role in the backup system, such as Console Security Administrator” as one group in the on-premise directory. And see col. 5, line 63-col. 6, line 25 and Fig. 4: “FIG. 4 is an exemplary LDAP repository for storing authority information, in accordance with some embodiments. In the exemplary LDAP repository, members of organizations may be organized in a hierarchical structure…. Within organizational unit AlbertaGroups 450, one or more groups may be stored. Each group may be identified by common name (cn) such as AlbertaTestGroup2 460, ... Member users of each group may be listed under the group… alberta_user1 and alberta_user2 may be member users listed under AlbertaTestGroup2”. 
The Examiner interprets AlbertaTestGroup2 in an external directory repository, such as a LDAP repository of Fig. 2, as one group in the cloud-based environment. The Examiner further interprets “mapping an administrator role to an external authority group” taught in col. 7, lines 12-26 and Fig. 5B as determining one or more groups in the cloud-based environment corresponding to the one or more groups in the on-premise directory, wherein the one or more groups in the cloud-based environment are mapped to the one or more groups in the on-premise directory), 
the one or more groups in the cloud-based environment providing respective access to one or more resources in the cloud-based environment (see col. 7, lines 39-45: “As illustrated in FIG. 6, in an external directory repository, such as a LDAP repository, a group organization unit may contain subgroup1, subgroup2 . . . subgroupN”. And see col. 1, lines 12-20: “Lightweight Directory Access Protocol (LDAP) is often used to provide authentication and access control in an enterprise…. Access control may involve what the user is allowed to see and do once the user has been identified. As part of the access control, a LDAP directory service may be configured to administer organizational information such as user assignment to groups during authentication”).

Masurkar (US 7,730,523) teaches generating a dynamic group in the cloud-based environment, the dynamic group having access to all of the resources associated with the one or more groups in the cloud-based environment (see col. 15, lines 33-36: “As shown in Table 2 above, for an employee of the enterprise, "SofwareEngineer.Engineer+SysAdmin.Engineer" represents the combined role, and so the privileges of the individual (basic) roles are merged with OR logic”. And see col. 13, lines 48-52: “Roles are also merged or combined as happens in the real world. This is explained in further detail in conjunction with the term "Combinatorial Inheritance"”. The Examiner interprets generating “the combined role” "SofwareEngineer.Engineer+SysAdmin.Engineer" with “R: read, W: write, E: execute” privileges as shown in the “Enterprise Employee” column of Table 2 as generating a dynamic group in the cloud-based environment, the dynamic group having access to all of the resources associated with the one or more groups in the cloud-based environment);
assigning the user to the dynamic group (see col. 10, lines 58-61 and Fig. 4: “Database 406 has the userID, Password and Business Unit ID or BUID information, along with the roles and associated privileges for all the companies sharing the resources inside the CAOC”. And see col. 15, lines 37-53: “Role setting at initial login and subsequent combinatorials is now described. During the initial login,... The user enters his or her userID and the temporary password …. If the user is successfully authenticated, the server loads the corresponding user profile with authorization rules (or privileges, as referred to earlier). If the user's role changes, the CAOC administrator updates the profile, and new authorization rules are downloaded for subsequent logins. Combinatorial inheritance determines the resultant rules when roles are combined or overlap, completely or partially; and, the administrator updates the roles data base accordingly”. The Examiner interprets creating a “combined role” (the dynamic group) such as "SofwareEngineer.Engineer+SysAdmin.Engineer" and updating the roles database 406 associating the userID with roles accordingly as assigning the user to the dynamic group); and 
allowing the user to access all of the one or more resources (see col. 15, lines 33-36: “As shown in Table 2 above, for an employee of the enterprise, "SofwareEngineer.Engineer+SysAdmin.Engineer" represents the combined role, and so the privileges of the individual (basic) roles are merged with OR logic”. And see col. 13, lines 48-52: “Roles are also merged or combined as happens in the real world. This is explained in further detail in conjunction with the term "Combinatorial Inheritance"”).

Eska (US 2016/0379001) teaches that the one or more groups in the first (emphasis added to show the difference between the reference and the claim) environment are mapped to the one or more groups in the second environment (emphasis added to show the difference between the reference and the claim) on a one-to-one basis (see [0031] and Fig. 3: “the customer may map the roles ZA, ZB, ZC, and ZN into the customer name space in a one to one relationship. That is, each role in vendor roles 108 is mapped into a corresponding role in the customer name space”).

Independent claims 1, 10 and 16 are allowable because before the effective filing date of the claimed invention, it would not have been obvious to a person of ordinary skill in the art:
first, to add to the method of Adams the steps of determining one or more groups in the on-premise directory to which the user belongs; and determining one or more groups in the cloud-based environment corresponding to the one or more groups in the on-premise directory, wherein the one or more groups in the cloud-based environment are mapped to the one or more groups in the on-premise directory, the one or more groups in the cloud-based environment providing respective access to one or more resources in the cloud-based environment; which are taught by Jayaram;
second, to add to the method of Adams modified in view of Jayaram the steps of generating a dynamic group in the cloud-based environment, the dynamic group having access to all of the resources associated with the one or more groups in the cloud-based environment; assigning the user to the dynamic group; and allowing the user to access all of the one or more resources; which are taught by Masurkar; and 
finally, to modify the step of mapping the one or more groups in the on-premise directory to the one or more groups in the cloud-based environment taught by Adams modified in view of Jayaram and Masurkar so that the mapping is performed on a one-to-one basis, as taught by Eska.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZHIMEI ZHU/Examiner, Art Unit 2495
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495