Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This non-final action is in response to the application filed on 11/09/2020. Claim 1 is pending.

Priority
This application is a continuation of U.S. Patent Application no. 15/906,573 filed February 27, 2018, which claims the benefit of U.S. Provisional Patent Application No. 62/464,222, filed February 27, 2017.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Ashley et al. (US 2014/0109168, published 2014) and Connor et al. (US 2012/0311672, published 2012).
As per claim 1, Ashley discloses an apparatus, comprising:
a processor (Ashley Fig. 2, processor unit 204); and 
a memory operatively coupled to the processor (Ashley Fig. 2, memory 206), the processor configured to: 
detect at least one of: 
a software application installed on a client computing device (Ashley [0043], the user and application matching sub-system 304 takes the summary information for each connection (as identified and provided by the traffic collection sub-system 302), and it analyzes that information to identify the user and application involved; Ashley [0042], data packets for a thick client application), or 
usage data associated with a current user of the client computing device and associated with the software application; 
identify, based on the at least one of the software application installed on the client computing device or the usage data, a user role for the current user of the client computing device (Ashley [0046], analytics grouping sub-system 306 comprises an analytics engine that receives that data (namely, the user and application for a particular connection) … The output of the analytics grouping sub-system 306 is a role list that identifies one or more candidate roles); 
apply, based on the user role for the current user of the client computing device, a security configuration to the client computing device to limit access by the current user of the client computing device to at least a portion of the software application (Ashley [0052], policy decision point (PDP) 704 (in this scenario the identity manager) receives similar information and responds to an XACML policy query received from the policy enforcement point (PEP) 706 to enforce the policy); and
send an identifier of the user role to an administrative server (Ashley [0049], it is assumed that the system has just the role identified in the XML snippet shown in FIG. 4. Taking the example of the TAMeb application, one or more directory servers are then probed to extract the actual groups for users). 
Ashley does not explicitly disclose:
send an identifier of the user role for storage in an Active Directory (AD) database.  
Conner teaches creating and storing a user role in a database of an authorization system [administrative server] (Conner [0026], allow an administrator to create a particular role, which is stored in role database 111).
It would have been obvious to one skilled in the art at the time of the effective filing date of the claimed invention to modify the method of Ashley with the teaching of Conner for sending the user role (including role ID) for storage in a database because it offers the advantage of providing role-based access control using the newly identified role.
Ashley as modified teaches storing in the database but does not explicitly disclose storing in an Active Directory (AD) database. Examiner takes official notice that the Active Directory (AD) database was well-known and widely used at the time of the effective filing date of the claimed invention. Therefore, it would have been obvious to substitute an Active Directory (AD) database for the database, which would yield the predictable result of using the Active Directory (AD) database for storing the user role for providing role-based access control.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,834,091. Although the claims at issue are not identical, they are not patentably distinct from each other because the patent essentially discloses each feature claimed within the present application. For example, claim 1 of the patent discloses each feature of claim 1 of the present application as shown in table below.
Present application, claim 1:
1. An apparatus, comprising: 
a processor; and 
a memory operatively coupled to the processor, the processor configured to: 
detect at least one of: 
a software application installed on a client computing device, or 
usage data associated with a current user of the client computing device and associated with the software application; 
identify, based on the at least one of the software application installed on the client computing device or the usage data, a user role for the current user of the client computing device; 
apply, based on the user role for the current user of the client computing device, a security configuration to the client computing device to limit access by the current user of the client computing device to at least a portion of the software application; and 
send an identifier of the user role to an administrative server for storage in an Active Directory (AD) database.

US 10,834,091, claim 1:
1. An apparatus, comprising: 
a processor; and 
a memory operatively coupled to the processor, the processor configured to: 
identify at least one of: 
a software application installed on a client computing device, or 
usage data, associated with a current user of the client computing device and associated with the software application; 
identify, based on the at least one of the software application installed on the client computing device or the usage data, a user role for the current user of the client computing device; 
predict, based on the user role for the current user of the client computing device, an expected behavior of the current user of the client computing device;
modify, at the client computing device and based on the expected behavior of the current user of the client computing device, a privilege level of an application control policy for the current user of the client computing device, the privilege level of the application control policy being associated with the software application;
applying, based on the expected behavior, the application control policy with the modified privilege level at the client computing device, wherein the application of the application control policy permits the user to run the software application based on the modified privilege level and the user role; and
send an identifier of the user role to an administrative server for storage in an Active Directory (AD) database.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8,600,995 B1; User Role Determination Based On Content And Application Classification
The role of a user within an organization is automatically determined based on the classification of applications and content on the user's computer. 
US 20110277017 A1; Data Driven Role Based Security
The subject disclosure relates to role based access control based on data context and evaluation of control expressions relative to the data context.
US 20170251013 A1; Techniques For Discovering And Managing Security Of Applications
Techniques for discovery and management of applications in a computing environment of an organization are disclosed. A security management system discovers use of applications within a computing environment to manage access to applications for minimizing security threats and risks in a computing environment of the organization.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KHANG DO/Primary Examiner, Art Unit 2492