DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of the Application
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/12/2022 has been entered.
Status of Claims
Claims 1, 10, and 19 are currently amended. 
Claims 2 and 11 were previously canceled. 
Claims 3-9 and 12-18 are original.
Claims 1, 3-10, and 12-19 are currently pending following this response. 
New matter
No new matter has been added to the amended claims.
Response to Arguments - 35 USC § 101
The arguments have been fully considered, but they are not persuasive.
Regarding applicant’s arguments on page 7 “Applicant notes that the independent claims have been amended for extra clarity to recite that an access permission is automatically provided to users who share the same role as a user who was given that access permission. As such, a practical application is claimed where permissions are automatically provided to multiple employees at once following permission provided to a single employee. 
Alternatively, the additional limitations are not part of well-known, routine or conventional permission access management. Therefore, the additional limitations provide significantly more than the judicial exception. 
As such, revised claim 1 is patentable under 35 USC 101 for at least being integrated into a practical solution (Step 2A, Prong 2) or providing significantly more than the judicial exception (Step 2B) of the Revised Guidance”
The examiner respectfully disagrees.
The argued limitations of generating and presenting a directed graph together with automatically permitting access to the access points do not integrate the claims into a practical application because generating a directed graph is simply generating a graph connecting user role to access points based on available data. This cannot be considered an additional element because it is part of the abstract idea of a mental process. As far as automatically permitting access to the access point, the limitation of automatically permitting access does not mean, under the broadest reasonable interpretation, that access is actually performed. The Examiner does not believe that there is any kind of actual control in the “automatically permitting access” limitation. This limitation is also considered a part of the abstract idea. As a result, the claims lack technical features that would integrate them into a practical application. Under Step 2B, the additional elements are generic elements used to apply the abstract idea. “A system for approving access permissions, the system comprising at least one processor and memory storing instructions”, and “automatically” providing access are recited at a high level of generality.
In conclusion, the Examiner maintains the rejection of the pending claims under 35 USC § 101.
Response to Arguments - 35 USC § 103
The arguments have been fully considered, but they are not persuasive.
Regarding applicant’s arguments on page 8 “Applicant notes that neither Chari, nor Dana nor Wilkinson teach generating and presenting a directed graph, receiving approval for access permission to an employee, together with automatically permitting access to the access points to all other employees associated with the assigned business role of the employee. As such, the cited combination does not teach all the elements of the revised independent claims 1, 10 or 19. Therefore, claims 1, 10 and 19 are patentable over the cited art for at least this reason.”
The examiner respectfully disagrees.
Following an updated search by the Examiner, the limitation “generating and presenting a directed graph” connecting users’ roles and access points is anticipated by the newly introduced NPL Dana reference. Figures 1-2 of Dana clearly show the claimed directed graph.
With the broadest reasonable interpretation, the limitation and responsive to receiving the approval, automatically permitting, by the at least one processor, access to the at least one access point associated with the assigned business role to the employee and to all other employees associated with the assigned business role [Chari, claim 21, Chari teaches “The apparatus of claim 20, wherein the at least one processor device when performing the determine step is further operative to: (a) for each user i, select a random number 0 ≤ r ≤ K; (b) for each user i, assign user i top r roles; (c) for each role j, select a random number 0 ≤ p ≤ m, where m is a total number of unique permissions and the role is assigned top p permissions;” wherein the above steps performed by the processor are steps to automatically permit access to a user based on role and wherein for each user i indicated permit access for all other employees associated with a business role. Further, Chari’s Abstract teaches “for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments” wherein the role to permission assignments is a received approval. See also para. 0014 “Given the attributes of a new user, the roles that are causally derived from these attributes and the corresponding permissions are assigned to the user”]
In conclusion, the Examiner maintains the rejection of the pending claims under 35 USC § 103 in view of the new reference Dana.

Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 
Claims 1, 3-10, and 12-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Specifically, claims 1, 3-10, and 12-19 are directed to an abstract idea without additional elements to integrate the claims into a practical application or to amount to significantly more than the abstract idea.
Claims 1, 3-10, and 12-19 are directed to a process, machine, or manufacture (Step 1); however, the claims are directed to the abstract idea of assigning access approval to employees based on roles.
With respect to Step 2A Prong One of the framework, claim 1 recites an abstract idea. Claim 1 includes limitations for “transform enterprise access data into data sets; identify business roles based on common patterns of the access data, the business roles comprising at least one access point associated with the access data; generate a directed graph representing the relationship between business roles and the at least one access point; present the directed graph and at least one business role assignable to an employee to an access manager; receive an approval indication associated with the access manager assigning the business role to the employee; and permit access to the at least one access point associated with the assigned business role to the employee and to all other employees associated with the assigned business role”.
The limitations above recite an abstract idea under Step 2A Prong One. More particularly, the limitations above recite Mental Process because an ordinary person can analyze access data and assign access to employees based on their roles. As a result, claim 1 recites an abstract idea under Step 2A Prong One.
Claims 10 and 19 recite substantially similar limitations to those presented with respect to claim 1. As a result, claims 10 and 19 recite an abstract idea under Step 2A Prong One for the same reasons as stated above with respect to claim 1. Similarly, claims 3-9 and 12-18 recite a Mental Process because the claimed elements describe a process for analyzing access data. As a result, claims 3-9 and 12-18 recite an abstract idea under Step 2A Prong One.
With respect to Step 2A Prong Two of the framework, claim 1 does not include additional elements that integrate the abstract idea into a practical application. Claim 1 includes additional elements that do not recite an abstract idea. The additional elements of claim 1 include “A system for approving access permissions, the system comprising at least one processor and memory storing instructions”, and “automatically”. When considered in view of the claim as a whole, the step of “receiving” does not integrate the abstract idea into a practical application because “receiving” is an insignificant extra solution activity to the judicial exception and training a machine learning model is used to apply the abstract idea. When considered in view of the claim as a whole, the recited computer elements do not integrate the abstract idea into a practical application because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. As a result, claim 1 does not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
As noted above, claims 10 and 19 recite substantially similar limitations to those recited with respect to claim 1. Although claim 10 further recites “A computer-implemented method” and claim 19 further recites “A non-transitory computer-readable medium having instructions thereon which, when executed by a processor”, and “by the processor”, when considered in view of the claims as a whole, the recited computer elements do not integrate the abstract idea into a practical application because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. As a result, claims 10 and 19 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
Claims 3-9 and 12-18 do not include any additional elements beyond those recited by independent claims 1, 10, and 19. As a result, claims 3-9 and 12-18 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
With respect to Step 2B of the framework, claim 1 does not include additional elements amounting to significantly more than the abstract idea. As noted above, claim 1 includes additional elements that do not recite an abstract idea. The additional elements of claim 1 include “A system for approving access permissions, the system comprising at least one processor and memory storing instructions” and “automatically”. The step of “receiving” does not amount to significantly more than the abstract idea because “receiving” is a well-understood, routine, and conventional computer function in view of MPEP 2106.05(d)(II). The recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. As a result, claim 1 does not include additional elements that amount to significantly more than the abstract idea under Step 2B.
As noted above, claims 10 and 19 recite substantially similar limitations to those recited with respect to claim 1. Although claim 10 further recites “A computer-implemented method” and claim 19 further recites “A non-transitory computer-readable medium having instructions thereon which, when executed by a processor”, and “by the processor”, the recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computer elements that are merely used as a tool to perform the recited abstract idea. Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually. As a result, claims 10 and 19 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Claims 3-9 and 12-18 do not include any additional elements beyond those recited by independent claims 1, 10, and 19. As a result, claims 3-9 and 12-18 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Therefore, the claims are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea. Accordingly, claims 1, 3-10, and 12-19 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness. 
Claims 1, 10, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 20120246098 A1) in view of Dana Zhang, Kotagiri Ramamohanarao, Tim Ebringer, (Role engineering using graph optimisation) SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies June 2007 Pages 139–144 https://doi.org/10.1145/1266840.1266862, hereinafter Dana, and in further view of Wilkinson et al. (US 8978104 B1).
Regarding claim 1. Chari teaches A system for approving access permissions, the system comprising at least one processor and memory storing instructions which when executed by the at least one processor configure the at least one processor to: [Chari, claim 13, Chari teaches “An apparatus for performing role mining given a plurality of users and a plurality of permissions, the apparatus comprising: a memory; and at least one processor device, coupled to the memory” and Chari’s claim 16 teaches “An article of manufacture for performing role mining given a plurality of users and a plurality of permissions, comprising a machine-readable recordable medium containing one or more programs which when executed implement the steps of” wherein stored instructions] transform enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identify business roles based on common patterns of the access data, [Chari, para. 0047, Chari teaches “the present techniques consider whether a user has performed an action before (i.e., in the past) and how frequently. This concept is also referred to as "past actions" of the user” wherein common patterns of the access data] the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and role decomposition is now provided. The LDA based process is evaluated using a number of data sets... Three proprietary data sets are referred to herein: Customer{1,2,3} which represent administrative access to various resources” wherein an administrator {1,2,3} (business role) having access based on roles]
Chari does not specifically teach, however, Dana teaches generate a directed graph representing the relationship between business roles and the at least one access point; [Dana, figures 1-2, Dana teaches a directed graph between user, role, and permission (access point)] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in the field of role mining to incorporate the teaching of Dana in the field of Role Engineering using Graph Optimization by generating a directed graph between users, roles, and permissions (access points). The motivation to combine Chari with Dana has the advantage where the results of the Graph Optimization approach are hierarchical Role Based Access Control infrastructures that offer improved access control administration for the system [Dana, Abstract].
Chari in view of Dana does not specifically teach, however, Wilkinson teaches present at least one business role assignable to an employee to an access manager; and receive an approval indication associated with the access manager assigning the business role to the employee; [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana to incorporate the teaching of Wilkinson in the field of providing indirect and temporary access to a company's IT infrastructure and business applications by having a manager approve an access request based on role. The motivation to combine Chari in view of Dana with Wilkinson has the advantage where the credentials manager 704 may thereafter provide the retrieved credentials directly to the production, development, and/or test systems 128 (through the virtual desktops 124), thereby accessing the production, development, and/or test systems 128 in an automated manner. Such an arrangement has an advantage in that the technical support personnel are not exposed to the credentials and therefore cannot misuse them [Wilkinson, column 11 lines 41-48].
Further, Chari teaches and responsive to receiving the approval, automatically permit access to the at least one access point associated with the assigned business role to the employee and to all other employees associated with the assigned business role [Chari, claim 21, Chari teaches “The apparatus of claim 20, wherein the at least one processor device when performing the determine step is further operative to: (a) for each user i, select a random number 0 ≤ r ≤ K; (b) for each user i, assign user i top r roles; (c) for each role j, select a random number 0 ≤ p ≤ m, where m is a total number of unique permissions and the role is assigned top p permissions;” wherein the above steps performed by the processor are steps to automatically permit access to a user based on role and wherein for each user i indicated permit access for all other employees associated with a business role. Further, Chari’s Abstract teaches “for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments” wherein the role to permission assignments is a received approval. See also para. 0014 “Given the attributes of a new user, the roles that are causally derived from these attributes and the corresponding permissions are assigned to the user”]
Regarding claim 10. Chari teaches A computer-implemented method of approving access permissions, the method comprising: [Chari, Abstract, Chari teaches “Applications of machine learning techniques such as Latent Dirichlet Allocation (LDA) and author-topic models (ATM) to the problems of mining of user roles to specify access control policies from entitlement as well as logs which contain record of the usage of these entitlements are provided” wherein a computer-implemented method of approving access permissions] transforming, by at least one processor, enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identifying, by the at least one processor, business roles based on common patterns of the access data, [Chari, para. 0047, Chari teaches “the present techniques consider whether a user has performed an action before (i.e., in the past) and how frequently. This concept is also referred to as "past actions" of the user” wherein common patterns of the access data] the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and role decomposition is now provided. The LDA based process is evaluated using a number of data sets... Three proprietary data sets are referred to herein: Customer{1,2,3} which represent administrative access to various resources” wherein an administrator {1,2,3} (business role) having access based on roles]
Chari does not specifically teach, however, Dana teaches generating, by the at least one processor, a directed graph representing the relationship between business roles and the at least one access point; [Dana, figures 1-2, Dana teaches a directed graph between user, role, and permission (access point)] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in the field of role mining to incorporate the teaching of Dana in the field of Role Engineering using Graph Optimization by generating a directed graph between users, roles, and permissions (access points). The motivation to combine Chari with Dana has the advantage where the results of the Graph Optimization approach are hierarchical Role Based Access Control infrastructures that offer improved access control administration for the system [Dana, Abstract].
Chari in view of Dana does not specifically teach, however, Wilkinson teaches presenting, by the at least one processor, at least one business role assignable to an employee to an access manager; and receiving, by the at least one processor, an approval indication input associated with the access manager assigning the business role to the employee [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana to incorporate the teaching of Wilkinson in the field of providing indirect and temporary access to a company's IT infrastructure and business applications by having a manager approve an access request based on role. The motivation to combine Chari in view of Dana with Wilkinson has the advantage where the credentials manager 704 may thereafter provide the retrieved credentials directly to the production, development, and/or test systems 128 (through the virtual desktops 124), thereby accessing the production, development, and/or test systems 128 in an automated manner. Such an arrangement has an advantage in that the technical support personnel are not exposed to the credentials and therefore cannot misuse them [Wilkinson, column 11 lines 41-48].
Further, Chari teaches and responsive to receiving the approval, automatically permitting, by the at least one processor, access to the at least one access point associated with the assigned business role to the employee and to all other employees associated with the assigned business role [Chari, claim 21, Chari teaches “The apparatus of claim 20, wherein the at least one processor device when performing the determine step is further operative to: (a) for each user i, select a random number 0 ≤ r ≤ K; (b) for each user i, assign user i top r roles; (c) for each role j, select a random number 0 ≤ p ≤ m, where m is a total number of unique permissions and the role is assigned top p permissions;” wherein the above steps performed by the processor are steps to automatically permit access to a user based on role and wherein for each user i indicated permit access for all other employees associated with a business role. Further, Chari’s Abstract teaches “for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments” wherein the role to permission assignments is a received approval. See also para. 0014 “Given the attributes of a new user, the roles that are causally derived from these attributes and the corresponding permissions are assigned to the user”].

Regarding claim 19. Chari teaches A non-transitory computer-readable medium having instructions thereon which, when executed by a processor, perform a method of approving access permissions, said method comprising: [Chari, claim 13, Chari teaches “An apparatus for performing role mining given a plurality of users and a plurality of permissions, the apparatus comprising: a memory; and at least one processor device, coupled to the memory”] transforming enterprise access data into data sets; [Chari, para. 0003, Chari teaches “An active area of research has been to identify efficient methodologies to take a corpus of users and the entitlements assigned to them and decompose this into a set of role assignments to users and permissions assigned to roles” wherein transform enterprise access data into data sets] identifying business roles based on common patterns of the access data, [Chari, para. 0047, Chari teaches “the present techniques consider whether a user has performed an action before (i.e., in the past) and how frequently. This concept is also referred to as "past actions" of the user” wherein common patterns of the access data] the business roles comprising at least one access point associated with the access data; [Chari, para. 0072, Chari teaches “An evaluation of methodology 100 and role decomposition is now provided. The LDA based process is evaluated using a number of data sets... Three proprietary data sets are referred to herein: Customer{1,2,3} which represent administrative access to various resources” wherein an administrator {1,2,3} (business role) having access based on roles]
Chari does not specifically teach, however, Dana teaches generating a directed graph representing the relationship between business roles and the at least one access point; [Dana, figures 1-2, Dana teaches a directed graph between user, role, and permission (access point)] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in the field of role mining to incorporate the teaching of Dana in the field of Role Engineering using Graph Optimization by generating a directed graph between users, roles, and permissions (access points). The motivation to combine Chari with Dana has the advantage where the results of the Graph Optimization approach are hierarchical Role Based Access Control infrastructures that offer improved access control administration for the system [Dana, Abstract].
Chari in view of Dana does not specifically teach, however, Wilkinson teaches presenting at least one business role assignable to an employee to an access manager; and receiving an approval indication input associated with the access manager assigning the business role to the employee [Wilkinson, column 5 lines 21-24, Wilkinson teaches “the ACC manager, upon seeing that a request to access a virtual desktop 124 has been submitted to the ACC server 118 from the technical support person, may send approval for the access request to the ACC server 118” wherein presenting an approval request to a manager and receive an approval. Further, column 5 lines 30-32 teach “The security of the ACC server 118 and the ACC database 120 is particularly important considering their roles in controlling the access given to the technical support personnel” wherein approval based on role]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana to incorporate the teaching of Wilkinson in the field of providing indirect and temporary access to a company's IT infrastructure and business applications by having a manager approve an access request based on role. The motivation to combine Chari in view of Dana with Wilkinson has the advantage where the credentials manager 704 may thereafter provide the retrieved credentials directly to the production, development, and/or test systems 128 (through the virtual desktops 124), thereby accessing the production, development, and/or test systems 128 in an automated manner. Such an arrangement has an advantage in that the technical support personnel are not exposed to the credentials and therefore cannot misuse them [Wilkinson, column 11 lines 41-48].
Further, Chari teaches and responsive to receiving the approval, automatically permitting access to the at least one access point associated with the assigned business role to the employee and to all other employees associated with the assigned business role [Chari, claim 21, Chari teaches “The apparatus of claim 20, wherein the at least one processor device when performing the determine step is further operative to: (a) for each user i, select a random number 0 ≤ r ≤ K; (b) for each user i, assign user i top r roles; (c) for each role j, select a random number 0 ≤ p ≤ m, where m is a total number of unique permissions and the role is assigned top p permissions;” wherein the above steps performed by the processor are steps to automatically permit access to a user based on role and wherein for each user i indicated permit access for all other employees associated with a business role. Further, Chari’s Abstract teaches “for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments” wherein the role to permission assignments is a received approval. See also para. 0014 “Given the attributes of a new user, the roles that are causally derived from these attributes and the corresponding permissions are assigned to the user”].

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Dana and Wilkinson, and in further view of Bhagwan et al. (US 8359652 B2).
Regarding claim 3. Chari in view of Dana and Wilkinson teaches all of the limitations of claim 1 (as above). Chari in view of Dana and Wilkinson does not specifically teach, however, Bhagwan teaches wherein to transform data into data sets, the at least one processor is configured to: obtain the enterprise access data; identify outliers of the enterprise access data; [Bhagwan, Abstract, Bhagwan teaches “First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies” wherein obtain the enterprise access data and identify outliers]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana and Wilkinson to incorporate the teaching of Bhagwan in the field of access control anomaly detection by obtaining the enterprise access data and identifying outliers. The motivation to combine Chari in view of Dana and Wilkinson with Bhagwan has the advantage where this object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies [Bhagwan, Abstract].
Further, Chari teaches perform a function role factorization on the enterprise access data; and cluster business roles from the enterprise access data [Chari, Abstract, Chari teaches “The method includes the following steps. At least one generative machine learning technique, e.g., LDA, is used to obtain a probability distribution θ for user-to-role assignments and a probability distribution β for role-to-permission assignments” wherein role factorization and clustering for the access data].
Regarding claim 12, the claim recites analogous limitations to claim 3 above, and is therefore rejected on the same premise. Claim 3 is a system claim while claim 12 is directed to a method which is anticipated by Chari claim 13. 
Claims 4-6 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Dana, Wilkinson, and Bhagwan, and in further view of Jaideep Vaidya (The Role Mining Problem: Finding a Minimal Descriptive Set of Roles (2007)) hereinafter Vaidya.
Regarding claim 4. Chari in view of Dana, Wilkinson, and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Dana, Wilkinson, and Bhagwan does not specifically teach, however, Vaidya teaches wherein to perform the function role factorization, the at least one processor is configured to: transform access into a binary matrix representation; and factor the resulting access matrix into: a first factored matrix representing a mapping from users to function roles; and a second factored matrix representing a mapping from function roles to access permissions. [Vaidya, see table 1-3, Vaidya teaches binary tables. Table 2- (a) user to role and table 3 (b) role to permission]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, and Bhagwan to incorporate the teaching of Vaidya in the field of role mining by transforming access data to binary tables and factorizing user to role and role to permission. The motivation to combine Chari in view of Dana, Wilkinson, and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claim 5. Chari in view of Dana, Wilkinson, and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Dana, Wilkinson, and Bhagwan does not specifically teach, however, Vaidya teaches wherein to cluster business roles based on common patterns of access privileges, the at least one processor is configured to: factor out function roles associated with the access privileges common to at least two employees; and generate business roles based on the function roles [Vaidya, see table 2- (a) user 2 and user 4 have the same role r1 and table 2-(b) shows role r1 to permissions p1, p2, p3…]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, and Bhagwan to incorporate the teaching of Vaidya by factoring out function roles associated with the access privileges common to at least two employees and generating business roles based on the function roles. The motivation to combine Chari in view of Dana, Wilkinson, and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claim 6. Chari in view of Dana, Wilkinson, Bhagwan, and Vaidya teaches all of the limitations of claim 5 (as above). Chari in view of Dana, Wilkinson, and Bhagwan does not specifically teach, however, Vaidya teaches wherein the at least one processor is configured to: compute a difference in access by multiplying the factors together and taking the difference between the multiplied factors and an original access matrix [Vaidya, see page 177, second column, lines 9-15. Vaidya teaches “Definition 4 (δ-Consistency). A given user-to-role assignment UA, role-to-permission assignment PA and user-to-permission assignment UPA are δ-consistent if and only if M(UA) ⊗ M(PA) − M(UPA) ≤ δ where M(UA), M(PA), and M(UPA) denote the matrix representation of UA, PA and UPA respectively. Essentially, the notion of δ-consistency allows us to bound the degree of difference between the user-to-role assignment UA, role-to-permission assignment PA and user-to-permission assignment UPA. For UA, PA, and UPA to be δ-consistent, the user-permission matrix generated from UA and PA should be within δ of UPA” emphasis added, wherein finding a difference by multiplying the user-to-role assignment UA with role-to-permission assignment PA as above (M(UA) ⊗ M(PA)) and finding the difference (M(UA) ⊗ M(PA) − M(UPA))]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, and Bhagwan to incorporate the teaching of Vaidya by computing a difference in access by multiplying the factors together and taking the difference between the multiplied factors and an original access matrix. The motivation to combine Chari in view of Dana, Wilkinson, and Bhagwan with Vaidya has the advantage where role mining can be used as a tool, in conjunction with a top-down approach, to identify potential or candidate roles which can then be examined to determine if they are appropriate given existing functions and business processes [Vaidya, end of page 175- start of page 176].
Regarding claims 13-15, claims 13-15 recite substantially similar limitations as claims 4-6, respectively; therefore, claims 13-15 are rejected with the same rationale, reasoning, and motivation provided above for claims 4-6, respectively. Claims 4-6 are system claims while claims 13-15 are directed to a computer implemented method which is anticipated by Chari claim 13.
Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Dana, Wilkinson, and Bhagwan, and in further view of Thompson et al. (US 20100312726 A1).
Regarding claim 7. Chari in view of Dana, Wilkinson, and Bhagwan teaches all of the limitations of claim 3 (as above). Chari in view of Dana, Wilkinson, and Bhagwan does not specifically teach, however, Thompson teaches wherein to cluster business roles, the at least one processor is configured to: compose a feature vector for each employee; define a similarity metric; apply the similarity metric to the data to generate a feature vector for the employees; and cluster the feature vector into groupings based on a threshold value. [Thompson, para. 0027, Thompson teaches “The unsupervised clustering technique may group one or more feature vectors into the mathematical cluster based upon characteristics of the one or more feature vectors (e.g., dimensions) being similar to the similarity metric. That is, the unsupervised clustering technique may group feature vectors that are plotted close to one another within the multidimensional matrix in view of the similarity metric because feature vectors located in close spatial relation to one another may exhibit similar characteristics due to being plotted within the multidimensional matrix based upon their characteristics” wherein applying similarity metric to feature vectors and clustering feature vectors]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, and Bhagwan to incorporate the teaching of Thompson in the field of plotting users in matrix by applying similarity metric to feature vectors and clustering feature vectors. The motivation to combine Chari in view of Dana, Wilkinson, and Bhagwan with Thompson is advantageous because this classification technique (feature vectors) allows additional information and more advanced interactions to be presented to users [Thompson para. 0018].
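The difference computation cited for claim 6, as an added example that is not code from Vaidya, Chari, or the application: it forms the Boolean product of UA and PA, compares it with the original UPA, and counts the differing cells. The matrix values and function names are constructed for illustration, and the split into over-grants and under-grants is an assumption added here because over-grants are the cells that would widen access if permissions were provided automatically by role.

```python
def bool_product(ua, pa):
    """Boolean product M(UA) (x) M(PA): a user holds a permission if any assigned role grants it."""
    n_perms = len(pa[0]) if pa else 0
    return [[int(any(row[r] and pa[r][p] for r in range(len(pa))))
             for p in range(n_perms)] for row in ua]


def access_difference(ua, pa, upa):
    """Return (over, under) as lists of (user, permission) index pairs.

    over:  granted by the role model but absent from the original UPA
    under: present in the original UPA but not covered by any role
    """
    if len(ua) != len(upa) or any(len(row) != len(pa) for row in ua):
        raise ValueError("UA needs one row per UPA user and one column per role")
    recon = bool_product(ua, pa)
    if any(len(r) != len(o) for r, o in zip(recon, upa)):
        raise ValueError("PA and UPA disagree on the number of permissions")
    over, under = [], []
    for u, (rec_row, orig_row) in enumerate(zip(recon, upa)):
        for p, (rec, orig) in enumerate(zip(rec_row, orig_row)):
            if rec and not orig:
                over.append((u, p))
            elif orig and not rec:
                under.append((u, p))
    return over, under


def is_delta_consistent(ua, pa, upa, delta):
    """True when the number of differing cells is at most delta."""
    over, under = access_difference(ua, pa, upa)
    return len(over) + len(under) <= delta


# Constructed sample: 4 users, 2 roles, 4 permissions.
UPA = [[1, 1, 0, 0], [1, 1, 1, 0], [0, 0, 1, 1], [1, 1, 0, 1]]
UA = [[1, 0], [1, 1], [0, 1], [1, 0]]
PA = [[1, 1, 0, 0], [0, 0, 1, 1]]

if __name__ == "__main__":
    over, under = access_difference(UA, PA, UPA)
    print("over-grants:", over)
    print("under-grants:", under)
    print("1-consistent:", is_delta_consistent(UA, PA, UPA, 1))
```
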
Regarding claim 16, the claim recites analogous limitations to claim 7 above, and is therefore rejected on the same premise. Claim 7 is a system claim while claim 16 is directed to a method which is anticipated by Chari claim 13. 
Claims 8-9 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Dana, Wilkinson, and Bhagwan, in further view of Thompson, and in further view of Verramachaneni et al. (US 20180165475 A1).
Regarding claim 8. Chari in view of Dana, Wilkinson, Bhagwan, and Thompson teaches all of the limitations of claim 7 (as above). Chari in view of Dana, Wilkinson, Bhagwan, and Thompson does not specifically teach, however, Verramachaneni teaches wherein to compose a feature vector for each employee the at least one processor is configured to: convert categorical variables into numerical representations [Verramachaneni, para. 0144, Verramachaneni teaches “FIG. 10 is an illustration of the method that converts categorical variables to numerical data” wherein converting categorical variables into numerical representations]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, Bhagwan, and Thompson to incorporate the teaching of Verramachaneni in the field of database structuring by converting categorical variables into numerical representations. The motivation to combine Chari in view of Dana, Wilkinson, Bhagwan, and Thompson with Verramachaneni is advantageous because the generation of such synthetic data allows publication of bulk data freely and on-demand (e.g., for data analysis purposes), without the risk of security/privacy breaches [Verramachaneni, Abstract].
Regarding claim 9. Chari in view of Dana, Wilkinson, Bhagwan, and Thompson teaches all of the limitations of claim 7 (as above). Chari in view of Dana, Wilkinson, Bhagwan, and Thompson does not specifically teach, however, Verramachaneni teaches wherein the feature vector comprises: information on which function roles an employee has been assigned; and categorical human resource data associated with the employee [Verramachaneni, para. 0233, Verramachaneni teaches “The dataset related to human resources information, and described the career goals and reviews for 1818 employees. It also contained some information about the employees' quarterly reviews. There were 10 interconnected tables describing this information” wherein the career goal is equivalent to function role and human resources information is equivalent to human resource data associated with the employee]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari in view of Dana, Wilkinson, Bhagwan, and Thompson to incorporate the teaching of Verramachaneni by converting categorical variables into numerical representations which is associated with human resources information and employee role. The motivation to combine Chari in view of Dana, Wilkinson, Bhagwan, and Thompson with Verramachaneni is advantageous because the generation of such synthetic data allows publication of bulk data freely and on-demand (e.g., for data analysis purposes), without the risk of security/privacy breaches [Verramachaneni, Abstract].
Regarding claims 17-18, claims 17-18 recite substantially similar limitations as claims 8-9, respectively; therefore, claims 17-18 are rejected with the same rationale, reasoning, and motivation provided above for claims 8-9, respectively. Claims 8-9 are system claims while claims 17-18 are directed to a computer implemented method which is anticipated by Chari claim 13.
Conclusion
Any inquiry concerning this communication from the examiner should be directed to Abdallah El-Hagehassan whose telephone number is (571) 272-0819. The examiner can normally be reached on Monday-Friday 8 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on (571) 272-6045. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-3734.
Information regarding the status of an application may be obtained from the patent application information retrieval (PAIR) system. Status information of published applications may be obtained from either private PAIR or public PAIR. Status information of unpublished applications is available through private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have any questions on access to the private PAIR system, contact the electronic business center (EBC) at (866) 271-9197 (toll-free). If you would like assistance from a USPTO customer service representative or access to the automated information system, call (800) 786-9199 (in US or Canada) or (571) 272-1000.

/ABDALLAH A EL-HAGE HASSAN/
Examiner, Art Unit 3623