Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the amendment filed on 08/29/2022.  
In the instant amendment, claims 1-11 and 16-20 were amended; claims 1, 9 and 16 are independent claims. Claims 1-20 are pending in this application.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/29/2022 has been entered.
 
Response to Arguments
Applicant’s arguments in the instant Amendment, filed on 08/29/2022 with respect to the limitations below, have been fully considered but they are not persuasive. 
Applicant argues (pages 14-21): the cited prior art fails to explicitly disclose “simulate the enforcement of access control policies with regard to actual sign-in processes that are configured to sign-in users to a system instead of enforcing the access control policies with regard to the actual sign-in processes by performing operations” and “provide a recommendation which recommends performance of an action, based at least in part on simulation of the enforcement of the access control policies with regard to the actual sign-in processes” as disclosed in independent claims 1, 9 and 16. 
The Examiner respectfully disagrees with the applicant’s arguments because Kruse discloses simulating the enforcement of access control policies with regard to actual sign-in processes that are configured to sign-in users to a system instead of enforcing the access control policies with regard to the actual sign-in processes by performing operations and provide a recommendation that recommends performance of an action based at least in part on simulation of the enforcement of access control policies with regard to the actual sign-in processes (See Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57)
Applicant’s arguments (pages 21-23): Additionally, as to the dependent claims 2-8, 10-15 and 17-20, the Applicant argues that the claims are dependent directly or indirectly from a respective one of claims of independent claims 1, 9 and 16 and are therefore distinguished from the cited art at least by virtue or allowable at least on their additionally recited patentable subject matter. 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that dependent claims 2-8, 10-15 and 17-20 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the dependent claims 2-8, 10-15 and 17-20.
Therefore, in view of the above reasons, the Examiner maintains the rejection with the cited prior art references. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-2, 4-5, 7-14, 16-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kruse et al (“Kruse,” US 10122757) and further in view of Roth et al (“Roth,” US 8973108).  

Regarding claim 1, Kruse discloses a processor-based system comprising:
memory; (Kruse, Col. 22, Line 55-57, memory and processor) and
one or more processors coupled to the memory, the one or more processors configured to: (Kruse, Col. 22, Line 55-57, memory and processor)
simulate enforcement of access control policies with regard to actual sign-in processes that are configured to actual sign-in users to a system instead of enforcing the access control policies with regard to the actual sign-in processes by performing operations, the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12 describes simulate enforcement of access control policies with regard to actual sign-in processes that are configured to actual sign-in users to a system instead of enforcing the access control policies with regard to the actual sign-in processes by performing operations)
monitor access requests that are received during the actual sign-in processes (Kruse, Col. 16, Lines 10-32; Col. 9, Lines 1-12; Col. 15, Lines 9-13;  describes monitoring access requests that are received during the actual sign-in processes; also see Col. 2, Lines 46-67; Col. 3, Lines 1-61)
compare attributes of each access request against at least a subset of the access control policies that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 37-67; Col. 14, Lines 27-49 describes compare attributes of each access request against at least a subset of the access control policies that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request) and
provide a recommendation, which recommends performance of an action, based at least in part on simulation of the enforcement of the access control policies with regard to the actual sign-in processes, (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 2, Lines 46-63; Col. 3, Lines 24-29; Col. 20, Lines 36-67; Col. 9, Lines 1-12 describes provide a recommendation, which recommends performance of an action, based at least in part on simulation of the enforcement of the access control policies with regard to the actual sign-in processes)
each access request requesting access to a resource in the system (Kruse, Col. 2, Lines 46-63; Col. 3, Lines 1-12; Col. 4, Lines 58-67; Col. 5, Lines 1-3 describes each access request requesting access to a resource in the system; also see Col. 2, Lines 46-67; Col. 3, Lines 1-61)
Kruse fails to explicitly disclose generate metadata associated with the actual sign-in processes, which indicate whether the attributes of each access request in at least a subset of the access requests satisfy the criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request, instead of enforcing the access control policies with regard to the actual sign-in processes. 
However, in an analogous art, Roth discloses generate metadata associated with the actual sign-in processes, which indicate whether the attributes of each access request in at least a subset of the access requests satisfy the criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request, instead of enforcing the access control policies with regard to the actual sign-in processes, (Roth, Col. 5, Lines 31-67; Col. 6, Lines 1-15; Col. 21, Lines 42-55 describes generate metadata associated with the actual sign-in processes, which indicate whether the attributes of each access request in at least a subset of the access requests satisfy the criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request, instead of enforcing the access control policies with regard to the actual sign-in processes)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Roth with the system/method of Kruse to include generate metadata associated with the actual sign-in processes, which indicate whether the attributes of each access request in at least a subset of the access requests satisfy the criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request, instead of enforcing the access control policies with regard to the actual sign-in processes. One would have been motivated to provide delegate privileges related to access of one or more computing resources to other users (Roth, Col. 3, Lines 21-22). 

Regarding claim 2, Kruse and Roth disclose the processor-based system of claim 1. 
wherein the one or more processors are configured to simulate the enforcement of access control by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57, wherein the one or more processors are configured to simulate the enforcement of access control by performing the operations)
select a designated state from a plurality of states that are available to be applied to a specified access control policy in response to instructions that are received via a user interface, (Kruse, Col. 4, Lines 39-57, describe select a designated state from a plurality of states that are available to be applied to a specified access control policy in response to instructions that are received via a user interface)
the plurality of states including a first state in which the access requests are not to be compared against the specified access control policy and the specified access control policy is not to be enforced with regard to the actual sign-in processes, (Kruse, Col. 4, Lines 39-57, Col. 9, Lines 1-12 describes the plurality of state includes a first state in which the access requests are not to be compared against the specified access control policy and the specified access control policy is not be to be enforced with regard to the actual sign-in processes)
a second state in which at least a subset of the access requests is to be compared against the specified access control policy and the specified access control policy is to be enforced with regard to the actual sign-in processes, (Kruse, Col. 4, Lines 39-57, Col. 9, Lines 1-12 describes a second state in which at least a subset of access requests is to be compared against the specified access control policy and the specified access control policy is to be enforced with regard to the actual sign-in processes)
and a third state in which at least a subset of the access requests is to be compared against the specified access control policy and metadata associated with the actual sign-in processes are to be generated instead of enforcing the specified access control policy with regard to the actual sign-in processes; (Kruse, Col. 4, Lines 39-57, Col. 9, Lines 1-12 describe and a third state in which at least a subset of the access requests is to be compared against the specified access control policy and metadata associated with the actual sign-in processes are to be generated instead of enforcing the specified access control policy with regard to the actual sign-in processes) and
Roth further discloses generate the metadata instead of enforcing the specified access control policy with regard to the actual sign-in processes based at least in part on the third state being selected as the designated state from the plurality of states to be applied to the specified access control policy, (Roth, Col. 5, Lines 31-67; Col. 6, Lines 1-15; Col. 21, Lines 42-55 describes generate the metadata instead of enforcing the specified access control policy with regard to the actual sign-in processes based at least in part on the third state being selected as the designated state from the plurality of states to be applied to the specified access control policy)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Roth with the system/method of Kruse to include generate the metadata instead of enforcing the specified access control policy with regard to the actual sign-in processes based at least in part on the third state being selected as the designated state from the plurality of states to be applied to the specified access control policy. One would have been motivated to provide delegate privileges related to access of one or more computing resources to other users (Roth, Col. 3, Lines 21-22). 

Regarding claim 4, Kruse and Roth disclose the processor-based system of claim 1. 
wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describe wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations)
compare first attributes of one or more first access requests against a first access control policy that does not affect a result of enforcement of a second access control policy and that specifies one or more first criteria that are to be satisfied as a prerequisite to granting access to one or more first resources; (Kruse, Col. 9, Lines 39-67; Col. 14, Lines 27-49 describe compare first attributes of one or more first access requests against a first access control policy that does not affect a result of enforcement of a second access control policy and that specifies one or more first criteria that are to be satisfied as a prerequisite to granting access to one or more first resources)
compare second attributes of one or more second access requests against the second access control policy that does not affect a result of enforcement of the first access control policy and that specifies one or more second criteria that are to be satisfied as a prerequisite to granting access to one or more second resources; (Kruse, Col. 9, Lines 39-67; Col. 14, Lines 27-49 describe compare second attributes of one or more second access requests against the second access control policy that does not affect a result of enforcement of the first access control policy and that specifies one or more second criteria that are to be satisfied as a prerequisite to granting access to one or more second resources) and
Roth further discloses generate the metadata by aggregating first metadata, which indicate whether the first attributes of the one or more first access requests satisfy the one or more first criteria, and second metadata, which indicate whether the second attributes of the one or more second access requests satisfy the one or more second criteria, (Roth, Col. 5, Lines 31-67; Col. 6, Lines 1-15; Col. 21, Lines 42-55; Col. 9, Lines 1-12 describes generate the metadata instead of enforcing the specified access control policy with regard to the actual sign-in processes based at least in part on the third state being selected as the designated state from the plurality of states to be applied to the specified access control policy)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Roth with the system/method of Kruse to include generate the metadata by aggregating first metadata, which indicate whether the first attributes of the one or more first access requests satisfy the one or more first criteria, and second metadata, which indicate whether the second attributes of the one or more second access requests satisfy the one or more second criteria. One would have been motivated to provide delegate privileges related to access of one or more computing resources to other users (Roth, Col. 3, Lines 21-22). 

Regarding claim 5, Kruse and Roth disclose the processor-based system of claim 1. 
wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describe wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations)
compare first attributes of one or more first access requests against a first access control policy that specifies one or more first criteria that are to be satisfied as a prerequisite to granting access to one or more first resources; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 39-67; Col. 14, Lines 27-49; describe compare first attributes of one or more first access requests against a first access control policy that specifies one or more first criteria that are to be satisfied as a prerequisite to granting access to one or more first resources)
compare second attributes of one or more second access requests against a second access control policy that specifies one or more second criteria that are to be satisfied as a prerequisite to granting access to one or more second resources; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 39-67; Col. 14, Lines 27-49; describe compare second attributes of one or more second access requests against a second access control policy that specifies one or more second criteria that are to be satisfied as a prerequisite to granting access to one or more second resources); and
cause a comparison of a first representation of a first result of enforcement of the first access control policy and a second representation of a second result of enforcement of the second access control policy to be displayed via a user interface, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 39-67; Col. 14, Lines 27-49; describe cause a comparison of a first representation of a first result of enforcement of the first access control policy and a second representation of a second result of enforcement of the second access control policy to be displayed via a user interface)
the first representation of the first result of enforcement of the first access control policy indicating an extent to which the first attributes of the one or more first access requests satisfy at least one of the one or more first criteria based at least in part on the first metadata, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe the first representation of the first result of enforcement of the first access control policy indicating an extent to which the first attributes of the one or more first access requests satisfy at least one of the one or more first criteria based at least in part on the first metadata)
the second representation of the second result of enforcement of the second access control policy indicating an extent to which the second attributes of the one or more second access requests satisfy at least one of the one or more second criteria based at least in part on the second metadata, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe the second representation of the second result of enforcement of the second access control policy indicating an extent to which the second attributes of the one or more second access requests satisfy at least one of the one or more second criteria based at least in part on the second metadata)
Roth further discloses generate the metadata, including first metadata, which indicate whether the first attributes of the one or more first access requests satisfy the one or more first criteria, and second metadata, which indicate whether the second attributes of the one or more second access requests satisfy the one or more second criteria; (Roth, Col. 5, Lines 31-67; Col. 6, Lines 1-15; Col. 21, Lines 42-55 describes generate the metadata, including first metadata, which indicate whether the first attributes of the one or more first access requests satisfy the one or more first criteria, and second metadata, which indicate whether the second attributes of the one or more second access requests satisfy the one or more second criteria)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Roth with the system/method of Kruse to include generate the metadata, including first metadata, which indicate whether the first attributes of the one or more first access requests satisfy the one or more first criteria, and second metadata, which indicate whether the second attributes of the one or more second access requests satisfy the one or more second criteria. One would have been motivated to provide delegate privileges related to access of one or more computing resources to other users (Roth, Col. 3, Lines 21-22). 

Regarding claim 7, Kruse and Roth disclose the processor-based system of claim 1. 
Kruse further discloses wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describes wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations)
detect that a first access control policy is created and set to an enforcement state in which the first access control policy is to be enforced; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61, describes detect that a first access control policy is created and set to an enforcement state in which the first access control policy is to be enforced)
detect that a state of the first access control policy is changed from the enforcement state to a simulation state in which the enforcement of the first access control policy with regard to the one or more actual sign-in processes is to be simulated; (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57; Col. 4, Lines 39-67; Col. 5, Lines 1-67; Col. 9, Lines 1-12 describe detect that a state of the first access control policy is changed from the enforcement state to a simulation state in which the enforcement of the first access control policy with regard to the one or more actual sign-in processes is to be simulated) and
simulate the enforcement of the access control policies, including the first access control policy, with regard to the actual sign-in processes instead of enforcing the access control policies with regard to the actual sign-in processes, (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57; Col. 4, Lines 39-67; Col. 5, Lines 1-67; Col. 9, Lines 1-12; Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe simulate the enforcement of the access control policies, including the first access control policy, with regard to the actual sign-in processes instead of enforcing the access control policies with regard to the actual sign-in processes)
a warning that recommends simulating enforcement of the first access control policy with regard to one or more actual sign-in processes instead of enforcing the first access control policy with regard to the one or more actual sign-in processes; (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describes suggesting simulating [warning that recommends simulating] enforcement of the first access control policy with regard to one or more actual sign-in processes instead of enforcing the first access control policy with regard to the one or more actual sign-in processes)


Regarding claim 8, Kruse and Roth disclose the processor-based system of claim 1. 
wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describe wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations)
determine which applications from a plurality of applications are accessed by a specified access control policy based at least in part on the metadata; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 11, Lines 48-56; Col. 16, Lines 33-36, describe determine which applications from a plurality of applications are accessed by a specified access control policy based at least in part on the metadata) and
provide an indicator that specifies at least one of (a) a number of the applications that are accessed by the specified access control policy (Kruse, Col. 23, Lines 8-27 describe provide an indicator that specifies at least one of (a) a number of the applications that are accessed by the specified access control policy)
or (b) an identity of each of the applications that are accessed by the specified access control policy.

Regarding claim 9, claim 9 is directed to a system. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale. 

Regarding claim 10, Kruse and Roth disclose the processor-based system of claim 9. 
Kruse further discloses wherein the one or more processors are configured to enforce the first access control policy with regard to the actual sign-in processes and evaluate the result of simulate the second access control policy with regard to the actual sign-in processes instead of enforcing the second access control policy with regard to the actual sign-in processes by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57; Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe wherein the one or more processors are configured to enforce the first access control policy with regard to the actual sign-in processes and evaluate the result of simulate the second access control policy with regard to the actual sign-in processes instead of enforcing the second access control policy with regard to the actual sign-in processes by performing the operations)
wherein a first portion of the metadata indicates an actual result that occurs as a result of the first access policy being enforced with regard to the actual sign-in processes; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 1-12  describe wherein a first portion of the metadata indicates an actual result that occurs as a result of the first access policy being enforced with regard to the actual sign-in processes) and
wherein a second portion of the metadata indicates the result of enforcement of the second access control policy that would have occurred with regard to the actual sign-in processes had the second access control policy been enforced with regard to the actual sign-in processes, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61; Col. 9, Lines 1-12 describe wherein a second portion of the metadata indicates the result of enforcement of the second access control policy that would have occurred with regard to the actual sign-in processes had the second access control policy been enforced with regard to the actual sign-in processes)
Roth further discloses generate the metadata, which further indicates whether the attributes of each access request in at least a subset of the access requests satisfy the first criteria; (Roth, Col. 5, Lines 31-67; Col. 6, Lines 1-15; Col. 21, Lines 42-55 describes generate the metadata, which further indicates whether the attributes of each access request in at least a subset of the access requests satisfy the first criteria)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Roth with the system/method of Kruse to include generate the metadata, which further indicates whether the attributes of each access request in at least a subset of the access requests satisfy the first criteria. One would have been motivated to provide delegate privileges related to access of one or more computing resources to other users (Roth, Col. 3, Lines 21-22). 

Regarding claim 11, claim 11 is directed to the system of claim 9. Claim 11 is similar in scope to claim 2 and is therefore rejected under similar rationale. 

Regarding claim 12, claim 12 is directed to the system of claim 9. Claim 12 is similar in scope to claim 5 and is therefore rejected under similar rationale. 

Regarding claim 13, Kruse and Roth disclose the processor-based system of claim 9. 
wherein the one or more processors are further configured to: (Kruse, Col. 22, Line 55-57, memory and processor)
enable selection of any one or more of a plurality of access control policies via a first user interface to define a control policy selection regardless whether each access control policy in the control policy selection is enforced, the plurality of access control policies including the first access control policy and the second access control policy; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe enable selection of any one or more of a plurality of access control policies via a first user interface to define a control policy selection regardless whether each access control policy in the control policy selection is enforced, the plurality of access control policies including the first access control policy and the second access control policy) and
cause a representation of a result of enforcement of the control policy selection to be displayed via a second user interface based at least in part on the control policy selection being defined by selection via the first user interface, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe cause a representation of a result of enforcement of the control policy selection to be displayed via a second user interface based at least in part on the control policy selection being defined by selection via the first user interface)

Regarding claim 14, Kruse and Roth disclose the processor-based system of claim 9. 
wherein the one or more processors are configured to: (Kruse, Col. 22, Line 55-57, memory and processor)
cause a policy satisfaction indicator for each access request in at least the subset of the access requests to be displayed via a user interface, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe cause a policy satisfaction indicator for each access request in at least the subset of the access requests to be displayed via a user interface)
each policy satisfaction indicator indicating one of the following indications that are available for the respective access request: (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe each policy satisfaction indicator indicating one of the following indications that are available for the respective access request)
a) that the attributes of the respective access request satisfy the second criteria and that grant controls, which are to be satisfied as a prerequisite to granting access to the resource and which are not specified by the second access control policy, are satisfied; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe a) that the attributes of the respective access request satisfy the second criteria and that grant controls, which are to be satisfied as a prerequisite to granting access to the resource and which are not specified by the second access control policy, are satisfied)
b) that the attributes of the respective access request satisfy the second criteria and that at least one of the grant controls is not satisfied; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe b) that the attributes of the respective access request satisfy the second criteria and that at least one of the grant controls is not satisfied)
c) that the attributes of the respective access request satisfy the second criteria and that satisfaction of at least one of the grant controls is dependent on performance of a future action by a user who initiated the respective access request; (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe c) that the attributes of the respective access request satisfy the second criteria and that satisfaction of at least one of the grant controls is dependent on performance of a future action by a user who initiated the respective access request)  or
b) that the attributes of the respective access request do not satisfy at least one of the second criteria, (Kruse, Col. 2, Lines 46-67; Col. 3, Lines 1-61 describe b) that the attributes of the respective access request do not satisfy at least one of the second criteria).
Regarding claim 16, claim 16 is directed to a method. Claim 16 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding claim 17, claim 16 is directed to a method of claim 16. Claim 17 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is directed to the method of claim 16. Claim 18 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is directed to the method of claim 16. Claim 20 is similar in scope to claim 8 and is therefore rejected under similar rationale.

5.	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kruse et al (“Kruse,” US 10122757) in view of Roth et al (“Roth,” US 8973108) and further in view of Thakrar et al (“Thakrar,” US 20180123904). 

Regarding claim 3, Kruse and Roth disclose the processor-based system of claim 1. 
Kruse further discloses wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describe wherein the one or more processors are configured to simulate the enforcement of the access control policies by performing the operations)
Kruse and Roth fail to explicitly disclose generate the metadata to be platform-agnostic such that the metadata is extensible to arbitrary platforms through an API.
However, in an analogous art, Thakrar discloses generate the metadata to be platform-agnostic such that the metadata is extensible to arbitrary platforms through an API, (Thakrar, [0088], the generated interface can present the metadata and resources in a platform agnostic or cloud agnostic manner so that metadata and resources from disparate sources (e.g. different cloud providers, APIs, or environments) may be presented in a single interface)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Thakrar with the system/method of Kruse and Roth to include generate the metadata to be platform-agnostic such that the metadata is extensible to arbitrary platforms through an API. One would have been motivated to modify metadata associated with database objects obtained from distributed computing environments including cloud providers (Thakrar, [0002]).

6.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kruse et al (“Kruse,” US 10122757), Roth et al (“Roth,” US 8973108) in view of Chougle et al (“Chougle,” US 20130333010) and further in view of Grajek et al (“Grajek,” US 20200099677). 

Regarding claim 6, Kruse and Roth disclose the processor-based system of claim 1. 
Kruse further discloses wherein the one or more processors are configured to simulate the enforcement of access control policies by performing the operations comprising: (Kruse, Col. 14, Lines 36-40; Col. 18, Lines 65-67; Col. 19, Lines 1-23; Col. 2, Lines 46-67; Col. 15, Lines 9-13; Col. 3, Lines 1-12; Col. 9, Lines 1-12; Col. 22, Line 55-57 describes wherein the one or more processors are configured to simulate the enforcement of access control policies by performing the operations)
Kruse and Roth fail to explicitly disclose determine which users from a plurality of users who initiate the access requests use a legacy authentication technique to request access to at least one resource in the system based at least in part on the metadata. 
However, in an analogous art, Chougle discloses determine which users from a plurality of users who initiate the access requests use a legacy authentication technique to request access to at least one resource in the system based at least in part on the metadata; (Chougle, [0029] describes determining that the stored metric for at least one of the types where the type corresponds to a static password fails to meet a risk level which is a predefined benchmark and an enhanced password is then suggested. One or more dynamic suggestions include guidance to change the static password to a combination password based on a risk benchmark; Item 518, FIG 5A, send the dynamic suggestion to the user)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Chougle with the system/method of Kruse and Roth to include determine which users from a plurality of users who initiate the access requests use a legacy authentication technique to request access to at least one resource in the system based at least in part on the metadata. One would have been motivated to enhance password protection (Chougle, [0002]).
Kruse, Roth and Chougle fail to explicitly disclose and provide an indicator that specifies at least one of (a) a number of the users who use the legacy authentication technique or (b) an identity of each of the users who use the legacy authentication technique.
However, in an analogous art, Grajek discloses and provide an indicator that specifies at least one of 
(a) a number of the users who use the legacy authentication technique or 
(b) an identity of each of the users who use the legacy authentication technique (Grajek, [0102] describes a user ID or any indicator of a user associated with a resource attempted to be accessed by a password)
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Grajek with the system/method of Kruse, Roth and Chougle to include and provide an indicator that specifies at least one of (a) a number of the users who use the legacy authentication technique or (b) an identity of each of the users who use the legacy authentication technique. One would have been motivated to provide multifactor authentication and single sign-on for users and their devices based on device security object creation and validation (Grajek, [0002]).

7.	Claims 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kruse et al (“Kruse,” US 10122757), Kruse et al (“Kruse,” US 20160072814) and further in view of Roth et al (“Roth,” US 8973108) and further in view of Chougle et al (“Chougle,” US 20130333010).  

Regarding claim 15, Kruse and Roth disclose the processor-based system of claim 14. 
Kruse and Roth fail to explicitly disclose wherein the one or more processors are configured to: provide a recommendation to a user who initiated a designated access request, recommending performance of a specified future action by the user, based at least in part on the policy satisfaction indicator for the designated access request indicating that satisfaction of at least one grant control is dependent on the performance of the specified future action by the user.
However, in an analogous art, Chougle discloses wherein the one or more processors are configured to: provide a recommendation to a user who initiated a designated access request, recommending performance of a specified future action by the user, based at least in part on the policy satisfaction indicator for the designated access request indicating that satisfaction of at least one grant control is dependent on the performance of the specified future action by the user, (Chougle, [0029] describes determining that the stored metric for at least one of the types where the type corresponds to a static password fails to meet a risk level which is a predefined benchmark and an enhanced password is then suggested. One or more dynamic suggestions include guidance to change the static password to a combination password based on a risk benchmark; Item 518, FIG 5A, send the dynamic suggestion to the user [this dynamic suggestion is used for any user such that the user is denied access if the user doesn’t supply an enhanced password])
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Chougle with the system/method of Kruse and Roth to include provide a warning that recommends evaluating a result of enforcement of the first access control policy with regard to one or more actual sign-in processes instead of enforcing the first access control policy with regard to the one or more actual sign-in processes. One would have been motivated to enhance password protection (Chougle, [0002]).

Regarding claim 19, claim 19 is directed to the method of claim 16. Claim 19 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/ Examiner, Art Unit 2439

/LUU T PHAM/ Supervisory Patent Examiner, Art Unit 2439