Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 17/741,547 filed on 5/11/2022.
Claims 1-20 have been examined and are pending. Claims 1 and 11 are independent claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/11/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement has been considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 11,363,028.  Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1-20 of the instant application are encompassed by limitations recited in claims 1-14 of U.S. Patent No. 11,363,028 (see table below).  

Instant Application 17/741,547, Claim 11:
A method for managing access privileges for a protected resource, the method comprising:

obtaining employee hierarchy data associated with an organization;

identifying a change in access privileges associated with at least one employee for a protected resource, the identifying including:

determining first permissions data indicating current access privileges associated with one or more employees for the protected resource based on the employee hierarchy data;

comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource; and

identifying a difference in access privileges associated with at least one employee based on the comparing,

determining that the change in access privileges associated with the at least one employee requires approval from an authorized permissions management entity; and

configuring an account at the protected resource that is associated with the authorized permissions management entity to present options for approving the change in access privileges associated with the at least one employee.

U.S. Patent No. 11,363,028, Claim 8:
A method for managing access privileges, comprising: 
obtaining, based on employee data received from a first client server having access to a human resources database of an organization, a first indication identifying a change in a first employee hierarchical structure of the organization, the first employee hierarchical structure indicating an employee hierarchical rank associated with each of one or more of the employees; 

identifying a change in access privileges for at least one employee of the organization based on: 
determining a first permissions list including an updated a-mapping of employee identifiers to access privileges for accessing the protected resource associated with the change in the first employee hierarchical structure; 
comparing the first permissions list with a second permissions list that indicates previously approved access privileges for the one or more employees; and 

identifying a difference in access privileges for at least one employee based on the comparing; 
determining that the change in access privileges for the at least one employee requires approval from at least one authorized permissions management entity; 

configuring account data of an account at the protected resource that is associated with the at least one authorized permissions management entity to present options for approving the change in access privileges upon access of the account by the at least one authorized permissions management entity; 
receiving, from the at least one authorized permissions management entity, an indication of approval for the change in access privileges; and 
in response to receiving the indication of approval, updating a user permissions database associated with the protected resource to indicate the change in access privileges for the at least one employee, the user permissions database indicating access privileges for employees of the organization that are authorized to access the protected resource.




Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.
Regarding claim 1, the claim is directed to the abstract idea of organizing human activity by setting up steps to get approval based on a form, without significantly more, by reciting the limitations “comparing the first permissions data with stored second permissions data…”. The aforementioned steps are “mental processes” because, as broadly interpreted, said steps could be performed in the human mind and/or with pen and paper. Therefore, the claim recites an abstract idea.
The claim does not recite any additional steps that could be considered as ‘applying the abstract idea into a practical application.’ It’s noted that the claim recites the steps of “obtain employee hierarchy data…, identify a change in access privileges…, determining first permissions data…, comparing the first permissions data with stored second permissions data…, identifying a difference in access privileges…, determine that the change in access privileges…, and configure an account.”  However, the aforementioned steps also could be considered as ‘mental processes.’ Therefore, the claim fails to integrate the abstract idea into a practical application. 
Also, the claim does not recite any additional elements that could be considered as significantly more. It’s noted that the claims recite additional elements (e.g., stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource, processor and memory). However, said additional elements are recited at a high level of generality (i.e., stored second permissions data) such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application nor significantly more.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer functions (obtaining access privileges and identifying changes) routinely used in the information technology field, as evidenced by Yoshida (US20120102559). Yoshida (US20120102559) discloses, in paragraph 0002, “conventionally, there has been an application distribution system that performs access control by setting the access right based on user information…”, and in paragraph 0534, “the manner in which computer system 340 operates is well known”. Generic computer components (“automatically”) recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a generic computerized system. Therefore, the claim is directed to non-statutory subject matter.
Therefore, claim 1 is directed to non-statutory subject matter.
Regarding claims 2-10, these claims inherit the deficiencies from the parent claim 1.
Regarding claims 11-20, these claims are similar in scope to claims 1-10 and therefore are rejected for the same reasons.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
Claims 1, 2, 4, 9-12, 14, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Prokupets (US20030023874), filed July 16, 2001, in view of Szor (US7665139), filed December 16, 2005.
Regarding claim 1, Prokupets discloses a computing system, comprising: a processor; and a memory coupled to the processor, the memory storing instructions that, when executed by the processor, configure the processor to: (Prokupets, paragraph 0034, “The security server 12 receives each of the event data packets at an event transaction processor 13 for determination of actions, if any, the system 10 will take, and, depending on the event received, sending action data packets automatically and in real-time to systems 18 and 22 to take appropriate action.”);
obtain employee hierarchy data associated with an organization (Prokupets, paragraph 0003, hierarchical rank encompasses administrator and user; paragraph 0060, any changes in the status of the users and access privileges in the information system 18; the access control system may have expired [i.e., change in a first employee structure], causing an event transaction [i.e., indication identifying a change] which sends action data packets to information systems 18 to block the user's Login ID; business rules represent when the action taken requires that data stored in the HR system's database [i.e., human resources database of an organization] be changed; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
identify a change in access privileges associated with at least one employee for a protected resource, the identifying including (Prokupets, paragraph 0060, aware of any changes in the status of the users and access privileges in the information system 18, or if needed, take appropriate corrective action. For example, a badge used by a user to access areas controlled by the access control system may have expired [i.e., permissions data], causing an event transaction [i.e., indication identifying a change]);
determining first permissions data indicating current access privileges associated with one or more employees for the protected resource based on the employee hierarchy data (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
determine that the change in access privileges associated with the at least one employee requires approval from an authorized permissions management entity (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
configure an account at the protected resource that is associated with the authorized permissions management entity to present options for approving the change in access privileges associated with the at least one employee (Prokupets, paragraph 0056, “The security server 12 first reads a transaction from the list queued in the transaction table specifying the update (add, modify, or delete) in the user data maintained in the HR database (step 32), and maps the updated user data into records of one or more of the tables of the central database 14 (step 34).”; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees)).
Prokupets does not explicitly disclose comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource; and identifying a difference in access privileges associated with at least one employee based on the comparing.
However, in an analogous art, Szor discloses comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource (Szor, col. 9, line 59, through col. 10, line 3, “In COMPARE CURRENT PRIVILEGE LIST TO INITIAL PRIVILEGE LIST operation 238, the current privilege list identified in the call to the set token function is compared to the initial privilege list of the reference copy to determine any changes.  In particular, in one embodiment, each privilege setting identified in the current privilege list is compared to a corresponding privilege setting identified in the initial privilege list to determine if there are any changes, e.g., different settings.  From COMPARE CURRENT PRIVILEGE LIST TO INITIAL PRIVILEGE LIST operation 238, processing transitions to a MALICIOUS CHANGE(S) check operation 240.”);
identifying a difference in access privileges associated with at least one employee based on the comparing (Szor, col. 3, lines 45-59, “In particular, in one embodiment, each privilege setting identified in the current privilege list is compared to a corresponding privilege setting identified in the initial privilege list to determine if there are any changes, e.g., different settings.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Szor with the system/method of Prokupets to include comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource; and identifying a difference in access privileges associated with at least one employee based on the comparing.
One would have been motivated to provide users with the benefits of detecting and preventing malicious changes to tokens (Szor: col. 1, lines 9-12).
Regarding claim 2, Prokupets and Szor disclose the computing system of claim 1.  Prokupets discloses wherein the instructions, when executed, further configure the processor to: receive, from the authorized permissions management entity, an indication of approval for the change in access privileges associated with the at least one employee (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”);  in response to receiving the indication of approval, update a user permissions database associated with the protected resource to indicate the change in access privileges associated with the at least one employee (Prokupets, paragraph 0056, “The security server 12 first reads a transaction from the list queued in the transaction table specifying the update (add, modify, or delete) in the user data maintained in the HR database (step 32), and maps the updated user data into records of one or more of the tables of the central database 14 (step 34).”).
Regarding claim 4, Prokupets and Szor disclose the computing system of claim 1.  Szor discloses wherein at least one of the first or second permissions data comprises a mapping of employee identifiers to access privileges for the protected resource (Szor, col. 3, lines 60-65 and col. 9, lines 47-58, determining a first permissions list including a mapping of employee identifiers to access privileges for accessing the protected resource).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 9, Prokupets and Szor disclose the computing system of claim 1.  Szor discloses wherein the first permissions data comprises a mapping of employee identifiers to access privileges for the protected resource (Szor, col. 3, lines 60-65 and col. 9, lines 47-58, determining a first permissions list including a mapping of employee identifiers to access privileges for accessing the protected resource).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 10, Prokupets and Szor disclose the computing system of claim 1.  Prokupets discloses wherein the access privileges for the protected resource comprise at least one of permissions for accessing or authorizing one or more actions in connection with the protected resource (Prokupets, paragraph 0045, access privileges in terms of which resources a user may access).
Regarding claim 11, Prokupets discloses a method for managing access privileges for a protected resource, the method comprising (Prokupets, paragraph 0034, “The security server 12 receives each of the event data packets at an event transaction processor 13 for determination of actions, if any, the system 10 will take, and, depending on the event received, sending action data packets automatically and in real-time to systems 18 and 22 to take appropriate action.”);
obtaining employee hierarchy data associated with an organization (Prokupets, paragraph 0003, hierarchical rank encompasses administrator and user; paragraph 0060, any changes in the status of the users and access privileges in the information system 18; the access control system may have expired [i.e., change in a first employee structure], causing an event transaction [i.e., indication identifying a change] which sends action data packets to information systems 18 to block the user's Login ID; business rules represent when the action taken requires that data stored in the HR system's database [i.e., human resources database of an organization] be changed; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
identifying a change in access privileges associated with at least one employee for a protected resource, the identifying including (Prokupets, paragraph 0060, aware of any changes in the status of the users and access privileges in the information system 18, or if needed, take appropriate corrective action. For example, a badge used by a user to access areas controlled by the access control system may have expired [i.e., permissions data], causing an event transaction [i.e., indication identifying a change]; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
determining first permissions data indicating current access privileges associated with one or more employees for the protected resource based on the employee hierarchy data (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees));
determining that the change in access privileges associated with the at least one employee requires approval from an authorized permissions management entity (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”);
configuring an account at the protected resource that is associated with the authorized permissions management entity to present options for approving the change in access privileges associated with the at least one employee (Prokupets, paragraph 0056, “The security server 12 first reads a transaction from the list queued in the transaction table specifying the update (add, modify, or delete) in the user data maintained in the HR database (step 32), and maps the updated user data into records of one or more of the tables of the central database 14 (step 34).”).
Prokupets does not explicitly disclose comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource; and identifying a difference in access privileges associated with at least one employee based on the comparing.
However, in an analogous art, Szor discloses comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource (Szor, col. 9, line 59, through col. 10, line 3, “In COMPARE CURRENT PRIVILEGE LIST TO INITIAL PRIVILEGE LIST operation 238, the current privilege list identified in the call to the set token function is compared to the initial privilege list of the reference copy to determine any changes.  In particular, in one embodiment, each privilege setting identified in the current privilege list is compared to a corresponding privilege setting identified in the initial privilege list to determine if there are any changes, e.g., different settings.  From COMPARE CURRENT PRIVILEGE LIST TO INITIAL PRIVILEGE LIST operation 238, processing transitions to a MALICIOUS CHANGE(S) check operation 240.”);
identifying a difference in access privileges associated with at least one employee based on the comparing (Szor, col. 3, lines 45-59, “In particular, in one embodiment, each privilege setting identified in the current privilege list is compared to a corresponding privilege setting identified in the initial privilege list to determine if there are any changes, e.g., different settings.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Szor with the system/method of Prokupets to include comparing the first permissions data with stored second permissions data that indicates previously granted access privileges associated with the one or more employees for the protected resource; and identifying a difference in access privileges associated with at least one employee based on the comparing.
One would have been motivated to provide users with the benefits of detecting and preventing malicious changes to tokens (Szor: col. 1, lines 9-12).
Regarding claim 12, Prokupets and Szor disclose the method of claim 11. Prokupets discloses further comprising: receiving, from the authorized permissions management entity, an indication of approval for the change in access privileges associated with the at least one employee (Prokupets, paragraph 0039, “an administration system 30 in FIG. 1, representing a computer system, is provided in system 10 which can access the central database 14 in security server 12 to review and update information stored therein, such as update user data, security access privileges”); in response to receiving the indication of approval, updating a user permissions database associated with the protected resource to indicate the change in access privileges associated with the at least one employee (Prokupets, paragraph 0056, “The security server 12 first reads a transaction from the list queued in the transaction table specifying the update (add, modify, or delete) in the user data maintained in the HR database (step 32), and maps the updated user data into records of one or more of the tables of the central database 14 (step 34).”).
Regarding claim 14, Prokupets and Szor disclose the method of claim 11.  Szor discloses wherein at least one of the first or second permissions data comprises a mapping of employee identifiers to access privileges for the protected resource (Szor, col. 3, lines 60-65 and col. 9, lines 47-58, determining a first permissions list including a mapping of employee identifiers to access privileges for accessing the protected resource).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 19, Prokupets and Szor disclose the method of claim 11.  Szor discloses wherein the first permissions data comprises a mapping of employee identifiers to access privileges for the protected resource (Szor, col. 3, lines 60-65 and col. 9, lines 47-58, determining a first permissions list including a mapping of employee identifiers to access privileges for accessing the protected resource).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 20, Prokupets and Szor disclose the method of claim 11. Prokupets discloses wherein the access privileges for the protected resource comprise at least one of permissions for accessing or authorizing one or more actions in connection with the protected resource (Prokupets, paragraph 0045, access privileges in terms of which resources a user may access).
Claims 3, 5, 6, 13, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Prokupets (US20030023874), filed July 16, 2001, in view of Szor (US7665139), filed December 16, 2005, and further in view of Dasgupta (US20190312881), filed on April 10, 2018.
Regarding claim 3, Prokupets and Szor disclose the computing system of claim 1.
Prokupets discloses wherein the instructions, when executed, further configure the processor to transmit, to a client server having access to a human resources database of the organization (Prokupets, FIG. 1, server 12, computer system 28, HR database 26; paragraph 0037, transaction read by server 12 to map changed user data from HR database 26).
Prokupets and Szor do not explicitly disclose a request for the employee hierarchy data.  
However, in an analogous art, Dasgupta discloses a request for the employee hierarchy data (Dasgupta, paragraph 0029, “each organization has a specific hierarchical employee structure, roles and task assignments.  An "employee" is a person (such as, but not limited to, a worker, contractor, officer, agent, independent subcontractor, or other individual) in or connected to the organization who has a role and performs different tasks/activities based on his/her job description.  The "role" is a basis for establishing access control policies or a specific task competency for a user, including, but not limited to, a manager, supervisor, developer, or analyst.  Roles define which individuals are allowed to access specific resources for a specific purpose.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Dasgupta with the system/method of Prokupets and Szor to include a request for the employee hierarchy data.
One would have been motivated to provide users with the benefits of greater security and control over access to classified files and documents (Dasgupta: paragraph 0008).
Regarding claim 5, Prokupets and Szor disclose the computing system of claim 1.
Prokupets and Szor do not explicitly disclose wherein the instructions, when executed, further configure the processor to: receive, from a first user device, a request to access the protected resource; and determine that a user associated with the first user device has access privileges for the protected resource.  
However, in an analogous art, Dasgupta discloses wherein the instructions, when executed, further configure the processor to: receive, from a first user device, a request to access the protected resource; and determine that a user associated with the first user device has access privileges for the protected resource (Dasgupta, paragraph 0028, user requests access; organization’s access control 20 checks the user’s access rights according to the organization’s access right policy).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Dasgupta with the system/method of Prokupets and Szor to include wherein the instructions, when executed, further configure the processor to: receive, from a first user device, a request to access the protected resource; and determine that a user associated with the first user device has access privileges for the protected resource.
One would have been motivated to provide users with the benefits of greater security and control over access to classified files and documents (Dasgupta: paragraph 0008).
Regarding claim 6, Prokupets, Szor, and Dasgupta disclose the computing system of claim 5.  Prokupets discloses wherein determining that the user associated with the first user device has the access privileges comprises querying a user permissions database using a first employee identifier associated with the user (Prokupets, paragraph 0002, access decisions responsive to user identifying means are based on information stored in a central computer database; paragraph 0043, server by a querying command to the information system may obtain the login ID and/or password).
Regarding claim 13, Prokupets and Szor disclose the method of claim 11.  Prokupets discloses further comprising transmitting, to a client server having access to a human resources database of the organization (Prokupets, FIG. 1, server 12, computer system 28, HR database 26; paragraph 0037, transaction read by server 12 to map changed user data from HR database 26).
Prokupets and Szor do not explicitly disclose a request for the employee hierarchy data.  
However, in an analogous art, Dasgupta discloses a request for the employee hierarchy data (Dasgupta, paragraph 0029, “each organization has a specific hierarchical employee structure, roles and task assignments.  An "employee" is a person (such as, but not limited to, a worker, contractor, officer, agent, independent subcontractor, or other individual) in or connected to the organization who has a role and performs different tasks/activities based on his/her job description.  The "role" is a basis for establishing access control policies or a specific task competency for a user, including, but not limited to, a manager, supervisor, developer, or analyst.  Roles define which individuals are allowed to access specific resources for a specific purpose.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Dasgupta with the system/method of Prokupets and Szor to include a request for the employee hierarchy data.

One would have been motivated to provide users with the benefits of greater security and control over access to classified files and documents (Dasgupta: paragraph 0008).
Regarding claim 15, Prokupets and Szor disclose the method of claim 11.
Prokupets and Szor do not explicitly disclose further comprising: receiving, from a first user device, a request to access the protected resource; and determining that a user associated with the first user device has access privileges for the protected resource.  
However, in an analogous art, Dasgupta discloses further comprising: receiving, from a first user device, a request to access the protected resource; and determining that a user associated with the first user device has access privileges for the protected resource (Dasgupta, paragraph 0028, user requests access; organization’s access control 20 checks the user’s access rights according to the organization’s access right policy).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Dasgupta with the system/method of Prokupets and Szor to include further comprising: receiving, from a first user device, a request to access the protected resource; and determining that a user associated with the first user device has access privileges for the protected resource.
One would have been motivated to provide users with the benefits of greater security and control over access to classified files and documents (Dasgupta: paragraph 0008).
Regarding claim 16, Prokupets, Szor, and Dasgupta disclose the method of claim 15.  Prokupets discloses wherein determining that the user associated with the first user device has the access privileges comprises querying a user permissions database using a first employee identifier associated with the user (Prokupets, paragraph 0002, access decisions responsive to user identifying means are based on information stored in a central computer database; paragraph 0043, server by a querying command to the information system may obtain the login ID and/or password).
Claims 7, 8, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Prokupets (US20030023874), filed July 16, 2001, in view of Szor (US7665139), filed December 16, 2005, and further in view of Tian (US20090177741), filed March 13, 2009.
Regarding claim 7, Prokupets and Szor disclose the computing system of claim 1. 
Prokupets and Szor do not explicitly disclose wherein the instructions, when executed, further configure the processor to transmit, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee.  
However, in an analogous art, Tian discloses wherein the instructions, when executed, further configure the processor to transmit, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee (Tian, paragraph 0052, transmits a registration request message to the authorization management server so as to modify the authorization permission of the user B with respect to user A; paragraph 0059, the user B requests the authorization management server to modify its service subscription management permission over the user A, such as, which services the user A may subscribe to freely, which services the user A may not subscribe to, and which services the user A may subscribe to only with the permission of the user B).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Tian with the system/method of Prokupets and Szor to include wherein the instructions, when executed, further configure the processor to transmit, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee.

One would have been motivated to provide users with the benefits of subscribing to a service (Tian: paragraph 0001).
Regarding claim 8, Prokupets, Szor, and Tian disclose the computing system of claim 7. Prokupets discloses wherein the request comprises a message indicating the change in access privileges associated with the at least one employee for the protected resource (Prokupets, paragraph 0057, changes in user’s security information stored in a central database are transmitted to an access control system; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees)).
Regarding claim 17, Prokupets and Szor disclose the method of claim 11.
Prokupets and Szor do not explicitly disclose further comprising transmitting, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee.  
However, in an analogous art, Tian discloses further comprising transmitting, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee (Tian, paragraph 0052, transmits a registration request message to the authorization management server so as to modify the authorization permission of the user B with respect to user A; paragraph 0059, the user B requests the authorization management server to modify its service subscription management permission over the user A, such as, which services the user A may subscribe to freely, which services the user A may not subscribe to, and which services the user A may subscribe to only with the permission of the user B).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Tian with the system/method of Prokupets and Szor to include further comprising transmitting, to the authorized permissions management entity, a request to approve the change in access privileges associated with the at least one employee.

One would have been motivated to provide users with the benefits of subscribing to a service (Tian: paragraph 0001).
Regarding claim 18, Prokupets, Szor, and Tian disclose the method of claim 17.  Prokupets discloses wherein the request comprises a message indicating the change in access privileges associated with the at least one employee for the protected resource (Prokupets, paragraph 0057, changes in user’s security information stored in a central database are transmitted to an access control system; paragraph 0029, employee has a role, role establishes access for a user, such as a manager, supervisor, developer, analysts; paragraph 0063, users (e.g., employees)).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.J.M/Examiner, Art Unit 2439
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439