Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claim 1 objected to because of the following informalities:  
Claim 1 recites “authorizing the one or more actions and/or provide the RPA robot with the requested information”. It is believed this would be better written as “authorizing the one or more actions and/or provid[ing] the RPA robot with the requested information”.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-2, 5-6, 10-14, 16-20 and 21-23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 2020/0067923 to Dasari et al. (Dasari).

Claims 1 and 12-13: Dasari discloses performing runtime robot access control and governance for robotic process automation (RPA), comprising: 
checking one or more actions to be performed by an RPA robot, information requested by the RPA robot, or both, against access control and governance rules (par. [0045] “assessing access policies associated with the RPA bot 104 attempting the access and determining whether the access should be granted to the RPA bot 104 or not”); 
when the RPA robot, based on the access control and governance rules, is permitted to perform the one or more actions, receive the requested information, or both:
authorizing the one or more actions and/or provide the RPA robot with the requested information (par. [0046] “Subsequent to a successful audit, the RPA bot 104 can obtain the access key and access the target account 106”); and 
when the RPA robot, based on the access control and governance rules, is not permitted to perform the one or more actions, receive the requested information, or both:
preventing the RPA robot from taking the one or more actions and/or obtaining the requested information (par. [0045] “or not”).

Claims 2 and 14: Dasari discloses claims 1 and 12, but does not explicitly disclose wherein when the RPA robot is not permitted to perform the one or more actions, receive the requested information, or both, the method further comprises: 
sending a notification to the RPA robot or a client-side application indicating that the one or more actions and/or the access to the information are not permitted (par. [0047] “when RPA bot 104 experiences an invalid access key exception”).

Claim 5: Dasari discloses the computer-implemented method of claim 1, wherein the method is performed by a server-side validation application (par. [0029] “The director service 116 may be implemented by a server … and can authorize the RPA bots 104”).

Claims 6, 16 and 24: Dasari discloses claims 1, 12 and 22, further comprising: 
automatically sending the access control and governance rules to a computing system associated with the RPA robot when the computing system connects to a server-side conductor application (par. [0046] “the RPA bot 104 can obtain the access key”).

Claims 10, 20 and 28: Dasari discloses claims 1 and 12, 22, wherein the RPA robot comprises automatically inserted code that forces the RPA robot to obtain the access control and governance rules and/or to operate in compliance with the access control and governance rules (par. [0020] “the RPA bot can call the API of the PAPM to obtain the access”).

Claims 11 and 21, 29: Dasari discloses claims 1 and 12, 22, wherein the access control and governance rules comprise one or more application and/or universal resource locator (URL) restrictions, one or more package restrictions, one or more activity restrictions, one or more activity property requirements, or a combination thereof (par. [0026] “the RPA bot 104 may enter the URL of the accounting application”).

Claim 22: Dasari discloses a computer program for performing runtime robot access control and governance for robotic process automation (RPA) embodied on a non-transitory computer-readable medium, the computer program configured to cause at least one processor to: 
check one or more actions to be performed by an RPA robot, information requested by the RPA robot, or both, against access control and governance rules (par. [0045] “assessing access policies associated with the RPA bot 104 attempting the access and determining whether the access should be granted to the RPA bot 104 or not”); and 
when the RPA robot, based on the access control and governance rules, is not permitted to perform the one or more actions, receive the requested information, or both:
prevent the RPA robot from taking the one or more actions and/or obtaining the requested information (par. [0045] “or not”), and 
send a notification to the RPA robot or a client-side application indicating that the one or more actions and/or the access to the information are not permitted (par. [0047] “when RPA bot 104 experiences an invalid access key exception”), automatically end execution of the RPA robot, or both.

Claim 23: The computer program of claim 22, wherein when the RPA robot, based on the access control and governance rules, is permitted to perform the one or more actions, receive the requested information, or both, the computer program is further configured to cause the at least one processor to:
authorize the one or more actions and/or provide the RPA robot with the
requested information (par. [0046] “Subsequent to a successful audit, the RPA bot 104 can obtain the access key and access the target account 106”).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0067923 to Dasari et al. (Dasari) in view of US 2016/0119304 to Lelcuk et al. (Lelcuk).

Claims 3 and 15: Dasari discloses claims 1 and 12, but does not explicitly disclose wherein when the RPA robot is not permitted to perform the one or more actions, receive the requested information, or both, the method further comprises: 
automatically ending execution of the RPA robot.

Lelcuk teaches when an RPA robot is not permitted to perform one or more actions, receive the requested information, or both, automatically ending execution of the RPA robot (par. [0060] “when the client authentication fails … any connection between the security system 250 and the client may be terminated or suspended”).

It would have been obvious at the time of filing to end execution of the RPA robot (Lelcuk par. [0060] “terminated or suspended”) when the RPA robot is not permitted to perform the actions or receive the information (Dasari par. [0045] “determining whether the access should be granted to the RPA bot 104 or not”). Those of ordinary skill in the art would have been motivated to do so to ensure only secure access is granted (see e.g. Lelcuk par. [0053] “an attack tool executing a bot”). 

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0067923 to Dasari et al. (Dasari) in view of US 2009/0138937 to Erlingsson et al. (Erlingsson).

Claim 4: Dasari discloses the computer-implemented method of claim 1, but does not disclose wherein the method is performed by a client-side validation application.

Erlingsson teaches a method performed by a client-side validation application (par. [0054] “Client-side data validation”).

It would have been obvious to perform the method with a client-side validation application (par. [0054] “Client-side data validation”). Those of ordinary skill in the art would have been motivated to do so to “reduce the number of round trips to the server” (Erlingsson par. [0054]).

Claims 7-8, 17-18 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0067923 to Dasari et al. (Dasari) in view of US 2014/0019488 to Wo et al. (Wo)

Claims 7 and 17, 25: Dasari discloses claims 1 and 12, 22, but does not explicitly disclose wherein at least one of the one or more actions is permitted for a human user but not by the RPA robot.

Wo teaches:
at least one action is permitted for a human user but not by the RPA robot (par. [0032] “in response to determining that the received response to the human verification test represents a correct or satisfactory response, the activity regulation process 200 allows the requested database activity”).

Both Dasari and Wo are directed to managing robot activity. Wo teaches a method of managing that activity which prevents bots from overwhelming the system while allowing humans unfettered access (see e.g. Wo par. [0003], [0011]). Accordingly, it would have been obvious at the time of filing to restrict the rate at which an RPA robot accesses a legacy system in order to protect from over use or attack by bots while continuing to service human users.

Claims 8 and 18, 26: Dasari discloses claims 1 and 12, 22, but does not disclose:
verifying that the RPA robot pauses for at least a period of time for one or more legacy systems to perform one or more operations; and 
when the RPA robot does not pause for at least the period of time:
delaying the obtaining of the information requested by the RPA robot or accepting of new information requests from the RPA robot until the period of time expires.

Wo teaches:
verifying that a RPA robot pauses for at least a period of time for one or more legacy systems to perform one or more operations (par. [0032] “detects or otherwise identifies that the attempted usage … exceeds the allowed usage limit”); and 
when the RPA robot does not pause for at least the period of time:
delaying the obtaining of the information requested by the RPA robot or accepting of new information requests from the RPA robot until the period of time expires (par. [0033] “When a source attempts to exceed an allowed usage limit … the indicating user and/or client device 106 being blocked … a resumption time value indicating when the user and/or client device 016 will be allowed to initiate database activities”).

Both Dasari and Wo are directed to managing robot activity. Wo teaches a method of managing that activity which prevents bots from overwhelming the system (see e.g. Wo par. [0003], [0011]). Accordingly, it would have been obvious at the time of filing to restrict the rate at which an RPA robot accesses a legacy system in order to protect from over use or attack. 

Claims 9, 19 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0067923 to Dasari et al. (Dasari) in view of US 2020/0184087 to Nos et al. (Nos).

Claims 9, 19 and 27: Dasari discloses claims 1, 12 and 22, but does not disclose wherein the runtime enforcement of the access control and governance rules is performed in addition to design time enforcement of the access control and governance rules.

Nos teaches design time enforcement of access control and governance rules (par. [0013] “access controls applied at design time … establish runtime access controls”).

It would have been obvious at the time of filing to perform the runtime enforcement (Dasari par. [0045] “determining whether the access should be granted to the RPA bot 104 or not”) in addition to design time enforcement (Nos par. [0013] “access controls applied at design time”). Those of ordinary skill in the art would have been motivated to do so to provide additional security (e.g. Nos par. [0013] “multi-factor security analysis”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON D MITCHELL/Primary Examiner, Art Unit 2199