DETAILED ACTION
This Office Action is in response to the application 17/140,941 filed on 01/04/2021.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
As per the Preliminary Amendment, claims 19-39 have been examined and are pending in this application. Claims 19, 26, and 33 are independent.
Priority
This application is a continuation of Application No. 16/552,230 filed on 08/27/2019, currently US Patent No. 10,951,652.
Information Disclosure Statement
The information disclosure statements (IDS), submitted on 01/13/2021 and 05/25/2021, are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 22, 26, 29, and 36 are objected to because of the following informalities:
As to claim 26, the preamble recites, “An non-transitory computer-readable storage medium,” with an improper grammatical use of the article. It is suggested that the claim be amended to recite, “A non-transitory computer-readable storage medium,” (emphasis added).
As to claims 22, 29, and 36, the claims end with a “,” (comma) instead of a period (emphasis added).
Appropriate correction is required.
Double Patenting
Claims 19-39 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-4, 7-10, and 13-16 of U.S. Patent No. 10,951,652. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
The independent claims 19, 26, and 33 of the instant application are anticipated by the claims 1, 7, and 13 of the reference patent, respectively. 
The following claims are presented side by side for comparison. Claims 19, 26, and 33 of the instant application recite a broader scope than claims 1, 7, and 13 of the reference patent, and are therefore anticipated by them. While the claims of the reference patent recite the term “identity cube,” the claims of the instant application recite the equivalent term “identity management data structure.”
The dependent claims 20-25, 28-32, and 34-39 of the instant application are likewise anticipated by the dependent claims 2-4, 8-10, and 14-16 of the reference patent, respectively, in combination with their base claims.

Instant Application 17/140,941, claim 19:

19. An identity management system, comprising: a processor; a non-transitory computer-readable storage medium, including computer instructions for:

obtaining a separation of duties policy; and

evaluating the separation of duties policy against a user using an identity management data structure at the identity management system, the identity management data structure representing the user, a first entitlement for a first digital asset within a distributed enterprise computing environment, and a second digital asset within the distributed enterprise computing environment, wherein the first entitlement is directly assigned to the user and the second entitlement is indirectly assigned to the user through a first management structure maintained by a source system whereby the user is granted the second entitlement by virtue of the user’s assignment to the first management structure by the source system,

wherein the identity management data structure represents the user, the first entitlement, and the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user,

the first entitlement for the first digital asset is directly linked to the identity management data structure representing the user,

the second entitlement for the second digital asset is directly linked to the identity management data structure representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.

Reference Patent US 10,951,652, claim 1:

1. An identity management system, comprising: a processor; a non-transitory computer-readable storage medium, including computer instructions for: an indexing service for:

obtaining identity management data from one or more source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts utilized in identity management in the distributed enterprise computing environment;

evaluating the identity management data to determine a first entitlement for a first digital asset of the source system and a second entitlement for a second digital asset of the source system, wherein the first entitlement is directly assigned to a user and the second entitlement is indirectly assigned to a user through a first management structure maintained by the source system whereby the user is granted the second entitlement by virtue of the user's assignment to the first management structure by the source system; and

representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset in a data model at the identity management system, wherein the data model includes:

an identity cube representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity cube representing the user wherein,

the first entitlement for the first digital asset is directly linked to the identity cube representing the user,

the second entitlement for the second digital asset is directly linked to the identity cube representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.

Instant Application 17/140,941, claim 26:

26. An non-transitory computer-readable storage medium, including computer instructions for:

obtaining a separation of duties policy; and

evaluating the separation of duties policy against a user using an identity management data structure at the identity management system, the identity management data structure representing the user, a first entitlement for a first digital asset within a distributed enterprise computing environment, and a second digital asset within the distributed enterprise computing environment, wherein the first entitlement is directly assigned to the user and the second entitlement is indirectly assigned to the user through a first management structure maintained by a source system whereby the user is granted the second entitlement by virtue of the user’s assignment to the first management structure by the source system,

wherein the identity management data structure represents the user, the first entitlement, and the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user,

the first entitlement for the first digital asset is directly linked to the identity management data structure representing the user,

the second entitlement for the second digital asset is directly linked to the identity management data structure representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.

Reference Patent US 10,951,652, claim 7:

7. A non-transitory computer readable medium, comprising instructions for:

obtaining identity management data from one or more source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts utilized in identity management in the distributed enterprise computing environment;

evaluating the identity management data to determine a first entitlement for a first digital asset of the source system and a second entitlement for a second digital asset of the source system, wherein the first entitlement is directly assigned to a user and the second entitlement is indirectly assigned to a user through a first management structure maintained by the source system whereby the user is granted the second entitlement by virtue of the user's assignment to the first management structure by the source system; and

representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset in a data model, wherein the data model includes: an identity cube representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity cube representing the user, wherein

the first entitlement for the first digital asset is directly linked to the identity cube representing the user,

the second entitlement for the second digital asset is directly linked to the identity cube representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.

Instant Application 17/140,941, claim 33:

33. A method, comprising:

obtaining a separation of duties policy; and

evaluating the separation of duties policy against a user using an identity management data structure at the identity management system, the identity management data structure representing the user, a first entitlement for a first digital asset within a distributed enterprise computing environment, and a second digital asset within the distributed enterprise computing environment, wherein the first entitlement is directly assigned to the user and the second entitlement is indirectly assigned to the user through a first management structure maintained by a source system whereby the user is granted the second entitlement by virtue of the user’s assignment to the first management structure by the source system,

wherein the identity management data structure represents the user, the first entitlement, and the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user,

the first entitlement for the first digital asset is directly linked to the identity management data structure representing the user,

the second entitlement for the second digital asset is directly linked to the identity management data structure representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.

Reference Patent US 10,951,652, claim 13:

13. A method for representing identity management data, comprising:

obtaining identity management data from one or more source systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identity management artifacts utilized in identity management in the distributed enterprise computing environment;

evaluating the identity management data to determine a first entitlement for a first digital asset of the source system and a second entitlement for a second digital asset of the source system, wherein the first entitlement is directly assigned to a user and the second entitlement is indirectly assigned to a user through a first management structure maintained by the source system whereby the user is granted the second entitlement by virtue of the user's assignment to the first management structure by the source system; and

representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset in a data model, wherein the data model includes:

an identity cube representing the user, the first entitlement for the first digital asset, and the second entitlement for the second digital asset such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity cube representing the user,

wherein, the first entitlement for the first digital asset is directly linked to the identity cube representing the user,

the second entitlement for the second digital asset is directly linked to the identity cube representing the user, and

the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset.
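The data structure the compared claims describe, in working form: direct grants and group-conveyed grants are both flattened to a single level beneath the user's record, each group-conveyed entitlement carries an inheritance attribute naming the conveying group (including groups reached through nested membership), and a separation of duties policy is evaluated against that flattened view. This is an added Python illustration, not code from the Office Action, the applicant, or either patent; the class names, the sample source-system snapshot, and the policy are constructed assumptions.

```python
"""Flattened identity record with inheritance attributes plus an SoD check.

Added example; the source-system data below is constructed, not real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    asset: str                     # the digital asset the entitlement is for
    permission: str                # what the entitlement allows on that asset
    inherited_from: Optional[str]  # inheritance attribute: id of the group that
                                   # conveyed the grant; None when assigned directly


@dataclass
class IdentityCube:
    """The user's record; every entitlement is exactly one level below it."""
    user: str
    entitlements: Set[Entitlement] = field(default_factory=set)


# Constructed snapshot of a source system: direct grants, group grants and
# group membership (a group may be a member of another group).
SOURCE_SYSTEM = {
    "direct_grants": {"alice": [("payments-ledger", "create_invoice")]},
    "group_grants": {
        "finance-approvers": [("payments-ledger", "approve_invoice")],
        "finance-all": [("finance-reports", "read")],
    },
    "group_members": {
        "finance-approvers": {"alice"},
        "finance-all": {"finance-approvers"},  # nested group membership
    },
}

# SoD policy (constructed): pairs of (asset, permission) one user may not hold together.
SOD_POLICY = [
    (("payments-ledger", "create_invoice"), ("payments-ledger", "approve_invoice")),
]


def transitive_groups(user: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Groups the user belongs to directly or via nested groups (fixed-point walk)."""
    found: Set[str] = set()
    frontier = {user}
    while frontier:
        newly = {g for g, m in members.items() if g not in found and frontier & m}
        found |= newly
        frontier = newly
    return found


def build_identity_cube(user: str, source: dict) -> IdentityCube:
    """Flatten direct and group-conveyed grants to one level under the user.

    Group-conveyed grants keep the conveying group's id as the inheritance
    attribute, so the group path stays recoverable from the flat record.
    """
    cube = IdentityCube(user)
    for asset, perm in source["direct_grants"].get(user, []):
        cube.entitlements.add(Entitlement(asset, perm, None))
    for group in transitive_groups(user, source["group_members"]):
        for asset, perm in source["group_grants"].get(group, []):
            cube.entitlements.add(Entitlement(asset, perm, group))
    return cube


def evaluate_sod(cube: IdentityCube, policy) -> List[Tuple[str, Entitlement, Entitlement]]:
    """Apply the policy to the flat record; each violation carries both
    entitlements, so the inheritance attribute shows how each was obtained."""
    held = {(e.asset, e.permission): e for e in cube.entitlements}
    return [(cube.user, held[a], held[b]) for a, b in policy if a in held and b in held]


if __name__ == "__main__":
    for user, left, right in evaluate_sod(build_identity_cube("alice", SOURCE_SYSTEM), SOD_POLICY):
        print(f"{user}: {left.permission} (direct={left.inherited_from is None}) conflicts with "
              f"{right.permission} via group {right.inherited_from}")
```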




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 19-39 are rejected under 35 U.S.C. 103 as being unpatentable over Tandon (“Tandon,” US 8,429,708, patented on 04/23/2013), in view of Vainstein (“Vainstein,” US 76,889,210, patented on 05/03/2005).
As to claim 19, Tandon teaches an identity management system, comprising: a processor; a non-transitory computer-readable storage medium, including computer instructions (Tandon: col. 12, lines 27-34; col. 42, lines 6-7; configuring a processor via program instructions for reading, comparing, and storing data as appropriate) for:
obtaining a separation of duties policy (Tandon: col. 12, lines 27-34; assessing the cumulative set of entitlements to which an entity, such as a user of an information system may be implicitly or explicitly authorized, by virtue of the universe of all authorization intent specifications that exist across that information system [i.e. access to resource based on various duties and permission level]. Col. 18, lines 4-7; obtains the information that may be essential to making the required determination; obtained from a variety of sources); and 
evaluating the separation of duties policy against a user using an identity management data structure at the identity management system, the identity management data structure representing the user, a first entitlement for a first digital asset within a distributed enterprise computing environment, and a second digital asset within the distributed enterprise computing environment (Tandon: col. 41, lines 41-54, determines the cumulative set of authorization intent specifications that specify access for the entity, if the entity were a user, and the resources specified within the scope of the assessment were protected. Col. 11, lines 25-30, extends to include access that may be provisioned for thousands of users to access thousands of hosts that are a part of the IT infrastructure and to further include access that may be provisioned to thousands of information assets that reside on these hosts [e.g., access to resources based on various duties and permission levels]), wherein the first entitlement is directly assigned to the user and the second entitlement is indirectly assigned to the user through a first management structure maintained by a source system whereby the user is granted the second entitlement by virtue of the user’s assignment to the first management structure by the source system (Tandon: col. 46, lines 16-17, obtain a list of every security collective that the user is directly affiliated with; col. 46, lines 33-35, proceeds to determine the transitive set of security groups to which this user may belong, either directly or indirectly; col. 47, lines 55-57, authorization intent specifications are access control lists (ACLs) and access control entries (ACEs); col. 30, lines 25-28, if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied; col. 27, lines 38-50, John Doe's user account 500 is a direct member of seven groups; John is a member of a group which in turn is a member of yet another group, which in turn is a member of still yet another group [e.g., indirect]),
wherein the identity management data structure represents the user and the first entitlement (Tandon: col. 13, line 57; col. 42, lines 53-54, implementation of the authorization model; identity 58 of a specific entity in the information system, whose access entitlements are to be assessed),
the first entitlement for the first digital asset is directly linked to the identity management data structure representing the user (Tandon: col. 29, lines 31-32; ACE thus grants the user represented by this SID the ability to read the value of the User Name attribute on this user object),
the second entitlement for the second digital asset is directly linked to the identity management data structure representing the user (Tandon: col. 29, lines 53-55; this ACE [second entitlement] thus grants the user represented by this SID the ability to create new objects [second digital asset] under this object), and 
the second entitlement includes a first inheritance attribute, wherein the value of the first inheritance attribute is an identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset (Tandon: col. 30, lines 25-28; if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied).
Tandon does not explicitly teach the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user.
However, in an analogous art, Vainstein, an invention directed to managing security levels/tiers, teaches the limitation of the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user (Vainstein: col lines 11-20, lines 33-40, reorganizing or restructuring the security levels: a security level to be deleted is either folded up or down to an immediate next security level, depending on implementation. As a result, the security parameters for the immediate next security level are augmented to include those for the security level to be deleted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vainstein with the method/system of Tandon to include the second entitlement such that the first entitlement for the first digital asset and the second entitlement for the second digital asset are a single level removed from the identity management data structure representing the user, where one would have been motivated by the benefit of providing a user with a means for flexibility in reorganizing security levels for file or resource access based on an updated condition/policy (Vainstein: col lines 11-20, lines 33-40).
As to claim 20, the combination of Tandon and Vainstein teaches the identity management system of claim 19.
Tandon further teaches wherein the instructions are further for allowing or denying the user a third digital asset identified in the separation of duties policy based on the evaluation of the separation of duties policy (Tandon: col. 30, lines 17-19, each object has at least one parent in the hierarchy and each object may have zero or more child objects [e.g., third, fourth]; col. 30, lines 25-28, if an ACE is marked as inheritable, the system automatically ensures that a copy of the ACE is added to the ACL of every object in the sub-tree rooted at the object at which the ACE was applied).
As to claim 21, the combination of Tandon and Vainstein teaches the identity management system of claim 20.
Tandon further teaches wherein the third digital asset is the first digital asset or the second digital asset (Tandon: col. 42, lines 40-45, a set of entities 53, commonly referred to as users, and a set of authorization intent specifications 55 that exist to protect securable resources which represent information/IT assets and may take various forms such as but not limited to hosts, folders; col. 27, lines 61-63; single permission will allow John to create files and folders in that existing file folder).
As to claim 22, the combination of Tandon and Vainstein teaches the identity management system of claim 20.
Tandon further teaches wherein the third digital asset is a third entitlement (Tandon: col. 30, lines 17-19, each object has at least one parent in the hierarchy and each object may have zero or more child objects [e.g., third, fourth], each level having a different entitlement).
As to claim 23, the combination of Tandon and Vainstein teaches the identity management system of claim 19.
Tandon further teaches wherein the evaluation of the separation of duties policy comprises applying the separation of duties policy to the representation of the first entitlement in the identity management data structure and the representation of the second entitlement in the identity management data structure (Tandon: col. 11, lines 24-25, in a direct or indirect manner be related to some permission granted on objects that exist in the Active Directory).
As to claim 24, the combination of Tandon and Vainstein teaches the identity management system of claim 19.
Tandon further teaches wherein the identity management data structure includes a hierarchical link linking a third entitlement for a third digital asset to the second entitlement and indicating the third digital asset is a child of the second digital asset (Tandon: col. 30, lines 17-19, each object has at least one parent in the hierarchy and each object may have zero or more child objects. Col. 27, lines 61-63, single permission will allow John to create files and [sub] folders in that existing file folder).
As to claim 25, the combination of Tandon and Vainstein teaches the identity management system of claim 24.
Tandon further teaches wherein the third entitlement includes a second inheritance attribute, wherein the value of the second inheritance attribute is the identifier of the first management structure maintained by the source system to which the user is assigned by the source system and through which the user is granted the second entitlement to the second digital asset (Tandon: col. 29, lines 53-55; this ACE [second entitlement] thus grants the user represented by this SID the ability to create new objects [second digital asset] under this object).
As to claim 26, the claim is directed to a storage medium, and the claim limitations are similar to the limitations of system claim 19; it is therefore rejected for the same reasons set forth for claim 19.
As to claims 27-32, the claims are similar to claims 20-25 and are therefore rejected for the same reasons set forth for claims 20-25.
As to claim 33, the claim is directed to a method, and the claim limitations are similar to the limitations of system claim 19; it is therefore rejected for the same reasons set forth for claim 19.
As to claims 34-39, the claims are similar to claims 20-25 and are therefore rejected for the same reasons set forth for claims 20-25.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir, whose telephone number is (571) 270-3355. The examiner can normally be reached 9:00-5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at (571) 270-5002. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAHANGIR KABIR/             Primary Examiner, Art Unit 2439