Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-3, 5-14 and 14-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-6 of US Patent 11,206,262 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-10 and 13-14 of the Patent recite a corresponding method performing steps that are similarly performed by the units in the host device of claims 1-2 of the instant application. For example, see the table below for a claim comparison between the instant application and the US Patent (bolded text indicates significant similarities of major features in each invention).
Instant Application (17/202442)
US Patent 11,206,262 B2
Claim 1: A method for facilitating a maintenance of an access control system for controlling access to one or more resources of an information technology system by one or more subjects according to corresponding access control information, wherein the method comprises: retrieving, by the control computing system, one or more trigger policies each based on one or more policy parameters, the one or more policy parameters of the one or more trigger policies comprising one or more state parameters relating to a current state of the access control system and one or more security parameters relating to one or more risks of the access control system and/or to one or more countermeasures for mitigating the risks; retrieving, by the control computing system, the one or more policy parameters; evaluating, by the control computing system, the one or more trigger policies according to the corresponding retrieved one or more policy parameters; determining, by the control computing system, a trigger indicator according to a result of the evaluated one or more trigger policies; and outputting, by the control computing system, an indication of the trigger indicator to trigger a revision of the access control system in response thereto, the revision comprising a mining activity for mapping the subjects to the resources and a possible update of the access control information based on a result of the mining activity.















Claim 2:
The method according to claim 1, further comprising: performing the mining activity in response to the trigger indicator having a positive value indicative of a need of the revision.

Claim 3:
The method according to claim 2, further comprising: updating the access control information according to the result of the mining activity.

Claim 5:
The method according to claim 1, wherein the access control information comprises an indication of one or more roles, each having one or more permissions each for performing one or more activities on one or more of the resources, and an indication of one or more of the roles assigned to each of the subjects, the mining activity being a role mining. 

Claim 6:
The method according to claim 1, wherein the access control information comprises one or more rules each based on one or more attributes and indicating at least one permission for performing at least one activity on at least one of the resources when the rule is satisfied, the mining activity being a rule mining.

Claim 7:
The method according to claim 1, further comprising: determining, by the control computing system, the trigger indicator according to corresponding weights assigned to the trigger policies.

Claim 8:
The method according to claim 7, further comprising: storing, by the control computing system, historical information indicative of at least one occurrence of the revision and of relevant one or more of the trigger policies contributing to trigger the revision; and updating, by the control computing system, the corresponding weights of the relevant trigger policies according to the historical information and to the access control system at a ranking time following the revision.


Claim 9:
The method according to claim 8, further comprising: storing, by the control computing system, the historical information comprising an indication of one or more affected control items contributing to define the access control information being affected by the revision; and updating, by the control computing system, the weights of the relevant trigger

Claim 14:
The method according to claim 9, further comprising: determining, by the control computing system, corresponding scope indicators of the affected control items at the ranking time, the scope indicator of each of the affected control items being based on the subjects corresponding to the affected control item and on one or more permissions given by the affected control item each for performing one or more activities on one or more of the resources; and updating, by the control computing system, the weights of the relevant trigger policies according to the scope indicators of the affected control items.

Claim 15:
The method according to claim 9, further comprising: determining, by the control computing system, corresponding lifetime indicators of the affected control items at the ranking time; and updating, by the control computing system, the weights of the relevant trigger policies according to the lifetime indicators of the affected control items.

Claim 16:
The method according to claim 1, wherein conditioning one or more of the trigger policies comprises an indication of one or more evaluation conditions, the method further comprising: conditioning, by the control computing system, the evaluated one or more trigger policies on the corresponding evaluation conditions.

Claim 17:
The method according to claim 16, wherein at least one of the evaluation conditions is a completion of a corresponding conditioning task.

US Patent 11,206,262 B2
Claim 1: A method for facilitating a maintenance of access control information for controlling access to one or more resources of an information technology system by one or more subjects, wherein the method comprises:
retrieving, by a control computing system, one or more trigger policies each based on one or more policy parameters relating to the resources, the subjects and the access to the resources by the subjects, wherein each of the one or more trigger policies identifies a condition for a revision of the access control information relating to the one or more resources of the information technology system, to the one or more subjects and the access to the one or more resources of the information technology, wherein each of the one or more trigger policies is evaluated by determining whether it is true and is based on one or more policy parameters; retrieving, by the control computing system, the policy parameters, wherein the policy parameters comprise a change of greater than a threshold number of new users, a change of greater than a second threshold number of new users in a department …evaluating, by the control computing system, the trigger policies according to the corresponding policy parameters; determining, by the control computing system, a trigger indicator according to a result of said evaluating the trigger policies,
wherein the trigger indicator is a trigger index calculated by weighing the trigger policies that are true according to their corresponding scores associated with their effectiveness in triggering the revision of the access control information;
outputting, by the control computing system, an indication of the trigger indicator to trigger a revision of the access control information in response to the trigger indicator, the revision comprising a mining activity for mapping the subjects to the resources and an update of the access control information caused by a result of the mining activity; and revising the access control information, by an access control manager, based on the outputting.

Claim 2:
The method according to claim 1, further comprising: performing the mining activity in response to the trigger indicator having a positive value indicative of a need of the revision.

Claim 3:
The method according to claim 2, further comprising: updating the access control information according to the result of the mining activity.

Claim 4:
The method according to claim 2, wherein the access control information comprises an indication of one or more roles each having one or more permissions to perform one or more activities in the information technology system and an indication of one or more of the roles assigned to each of the subjects, the mining activity being a role mining.

Claim 5:
The method according to claim 2, wherein the access control information comprises one or more rules each based on one or more attributes and indicating at least one permission relating to an activity in the information technology system when the rule is satisfied, the mining activity being a rule mining.


Claim 6:
The method according to claim 1, further comprising: determining, by the control computing system, the trigger indicator according to corresponding scores assigned to the trigger policies.

Claim 7:
The method according to claim 6, further comprising: storing, by the control computing system, historical information indicative of the revision in association with relevant one or more of the trigger policies contributing to trigger the revision; and updating, by the control computing system, the scores of the relevant trigger policies according to the historical information and the access control information at a ranking time following the revision.

Claim 8:
The method according to claim 7, further comprising: storing, by the control computing system, the historical information comprising an indication of one or more affected control items at the ranking time; and updating, by the control computing system, the scores of the relevant trigger policies according to the affected control items at the ranking time.

Claim 10:
The method according to claim 8, further comprising: retrieving, by the control computing system, corresponding scope indicators of the affected control items at the ranking time; and updating, by the control computing system, the scores of the relevant trigger policies according to the scope indicators of the affected control items.






Claim 9:
The method according to claim 8, further comprising: retrieving, by the control computing system, corresponding lifetime indicators of the affected control items at the ranking time; and updating, by the control computing system, the scores of the relevant trigger policies according to the lifetime indicators of the affected control items.

Claim 13:
The method according to claim 1, wherein conditioned one or more of the trigger policies comprise an indication of one or more evaluation conditions, and the method further comprising conditioning, by the control computing system, said evaluating each of the conditioned trigger policies on the corresponding evaluation conditions.

Claim 14:
The method according to claim 13, wherein at least one of the evaluation conditions is a completion of a corresponding conditioning task.



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-9 and 14-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Soni et al. (U.S. Patent 10,139,789).
Per claim 1, Soni teaches A method for facilitating a maintenance of an access control system for controlling access to one or more resources of an information technology system by one or more subjects according to corresponding access control information, wherein the method comprises: retrieving, by the control computing system, one or more trigger policies each based on one or more policy parameters, the one or more policy parameters of the one or more trigger policies comprising one or more state parameters relating to a current state of the access control system and one or more security parameters relating to one or more risks of the access control system and/or to one or more countermeasures for mitigating the risks (Soni: Figure 5 & Col. 3 Line 53 – 55 and Col. 4 Line 11 – 15: (a) retrieving and deriving from one or more access control policies to furnish a device specific access policy, wherein (b) the policy context attributes are qualified as policy parameters for accessing resource permissions);
retrieving, by the control computing system, the one or more policy parameters; evaluating, by the control computing system, the one or more trigger policies according to the corresponding retrieved one or more policy parameters (Soni: Col. 3 Line 53 – 55, Col. 4 Line 11 – 15 and Col. 10 Line 49 – 52: (a) evaluating from the corresponding policy context attributes (i.e. policy parameters) as variables to derive / update a device specific access policy); 
determining, by the control computing system, a trigger indicator according to a result of the evaluated one or more trigger policies (Soni: see above & Col. 10 Line 49 – 52 / Line 6 – 28, Col. 4 Line 30 – 33 and Col. 8 Line 49 – 50: (for example) the determination to update an access control policy attribute can be construed as a trigger indicator upon deriving and determining a new (updated) control policy (rule) based on associated attributes to be added (updated) (as a part of mining activities) to activate a revision of the access control attribute information) including (for example) (i) updating (adding) a time-to-live (lifetime attribute) indicator or cache priority attribute as one type of trigger indicators during the evaluation and derivation time and (ii) a mapping of the subjects to the resources – (e.g.) a new (updated) policy based on the authorization policy rules applicable to a personnel (subject) to access a resource (permissions) as a role mining activity)); 
and outputting, by the control computing system, an indication of the trigger indicator to trigger a revision of the access control system in response thereto, the revision comprising a mining activity for mapping the subjects to the resources and a possible update of the access control information based on a result of the mining activity (Soni: see above & Col. 8 Line 49 – 50: (for example) a mapping of the subjects to the resources – (e.g.) a new (updated) policy based on the authorization policy rules applicable to a personnel (subject) to access a resource (permissions) as a role mining activity).  

Per claims 2 and 19, Soni teaches “The method according to claim 1, further comprising: performing the mining activity in response to the trigger indicator having a positive value indicative of a need of the revision (Soni: see above & Col. 10 Line 2 – 4 / Line 26 – 28 and Col. 4 Line 30 – 33: (e.g.) monitoring, during a period of time, the longest time or the least frequently used control policies along with its associated control attributes that indicates a necessity of revising (updating) an access control policy to activate (trigger) an update action)”.

As per claim 3, Soni teaches “The method according to claim 2, further comprising: updating the access control information according to the result of the mining activity (Soni: see above & Col. 8 Line 49 – 50: (for example) a mapping of the subjects to the resources – (e.g.) a new (updated) policy based on the authorization policy rules applicable to a personnel (subject) to access a resource (permissions) as a role mining activity).”

As per claim 4: The method according to claim 1, wherein the state parameters relate to the resources, the subjects and one or more permissions being granted by the access control system, each for performing one or more activities on one or more of the resources by one or more of the subjects (Soni: Col. 3 Line 53 – 55, Col. 4 Line 11 – 15 and Col. 10 Line 49 – 52: (a) evaluating from the corresponding policy context attributes (i.e. policy parameters) as variables to derive / update a device specific access policy;  Soni: Figure 5 & Col. 3 Line 53 – 55 and Col. 4 Line 11 – 15: (a) retrieving and deriving from one or more access control policies to furnish a device specific access policy, wherein (b) the policy context attributes are qualified as policy parameters for accessing resource permissions).

Per claim 5, Soni teaches the method according to claim 1, wherein the access control information comprises an indication of one or more roles, each having one or more permissions each for performing one or more activities on one or more of the resources, and an indication of one or more of the roles assigned to each of the subjects, the mining activity being a role mining (Soni: see above & Col. 8 Line 49 – 50: (for example) a mapping of the subjects to the resources – (e.g.) a new (updated) policy based on the authorization rules applicable to a personnel (subject) to access a resource (permissions) as a role mining activity).

Per claim 6 Soni discloses wherein the access control information comprises one or more rules each based on one or more attributes and indicating at least one permission for performing at least one activity on at least one of the resources when the rule is satisfied, the mining activity being a rule mining (Col. 8 Line 49 – 50: (for example) the determination to update an access control policy attribute can be construed as a trigger indicator upon deriving and determining a new (updated) control policy (rule) based on associated attributes to be added (updated) (as a part of mining activities) to activate a revision of the access control attribute information) including (for example) (i) updating (adding) a time-to-live (lifetime attribute) indicator or cache priority attribute as one type of trigger indicators during the evaluation and derivation time and (ii) a mapping of the subjects to the resources – (e.g.) a new (updated) policy based on the authorization policy rules applicable to a personnel (subject) to access a resource (permissions) as a role mining activity).  

Per claim 7 Soni discloses the method according to claim 1, further comprising: determining, by the control computing system, the trigger indicator according to corresponding weights assigned to the trigger policies (Soni: see above & Col. 10 Line 2 – 4 / Line 26 – 28 and Col. 4 Line 30 – 33: a level of different priorities is corresponding to a different score).  

Per claim 8 Soni discloses The method according to claim 7, further comprising: storing, by the control computing system, historical information indicative of at least one occurrence of the revision and of relevant one or more of the trigger policies contributing to trigger the revision (Soni: see above & Col. 10 Line 2 – 4 / Line 26 – 28 and Col. 4 Line 30 – 33: (a) storing historical information such as monitoring and storing, during a period of time, the longest time or the least frequently used control policies along with its associated control attributes (as affected control items) that indicates (b) a necessity of revising (updating) an access control policy to activate (trigger) an update action according to a priority level of control policies that have been evaluated); and updating, by the control computing system, the corresponding weights of the relevant trigger policies according to the historical information and to the access control system at a ranking time following the revision (Soni: see above & Col. 10 Line 2 – 4 / Line 26 – 28 and Col. 4 Line 30 – 33: during the evaluation (ranking) time, updating a level of relevant priority as needed which is corresponding to a respective score to activate an associated mining activity w.r.t. a control policy). 

Per claim 9 Soni discloses the method according to claim 8, further comprising: storing, by the control computing system, the historical information comprising an indication of one or more affected control items contributing to define the access control information being affected by the revision; and updating, by the control computing system, the weights of the relevant trigger policies according to the affected control items at the ranking time (refer to claim 8 rejection).

As per claim 14 Soni discloses “The method according to claim 9, further comprising: determining, by the control computing system, corresponding scope indicators of the affected control items at the ranking time, the scope indicator of each of the affected control items being based on the subjects corresponding to the affected control item and on one or more permissions given by the affected control item each for performing one or more activities on one or more of the resources (Soni: see above & Col. 8 Line 49 - 50: based on the subject as a personnel and the associated permissions according to the authorization rules applicable to the personnel); and updating, by the control computing system, the weights of the relevant trigger policies according to the scope indicators of the affected control items (Soni: see above & Col. 10 Line 49 - 52 / Line 6-28, Col. 4 Line 30 - 33 and Col. 8 Line 49 - 50: updating (adding) a time-to-live (lifetime attribute) indicator or cache priority attribute as one type of trigger indicators as well as a respective score (priority) of a relevant trigger policies during the evaluation and derivation time).”

As per claim 15 Soni discloses The method according to claim 9, further comprising: determining, by the control computing system, corresponding lifetime indicators of the affected control items at the ranking time; and updating, by the control computing system, the weights of the relevant trigger policies according to the lifetime indicators of the affected control items (Soni: see above & Col. 10 Line 49 - 52 / Line 6-28, Col. 4 Line 30 - 33 and Col. 8 Line 49 - 50: updating (adding) a time-to-live (lifetime attribute) indicator or cache priority attribute as one type of trigger indicators as well as a respective score (priority) of a relevant trigger policies during the evaluation and derivation time).

As per claim 16 Soni discloses the method according to claim 1, wherein conditioning one or more of the trigger policies comprises an indication of one or more evaluation conditions, the method further comprising: conditioning, by the control computing system, the evaluated one or more trigger policies on the corresponding evaluation conditions task (Soni: see above & Claim 9 - 12 and Col. 10 Line 9 - 11 / Line 21 - 23 / Line 2 - 4: (e.g.) based on (i) (for example) whether the evaluation condition is a mobile device accessing policy or a fixed device accessing policy or (ii) whether any conflict imposed that may over-rule between groups of priority policy rules as well as any (iii) emergency related policy rules).

As per claim 17 Soni discloses The method according to claim 16, wherein at least one of the evaluation conditions is a completion of a corresponding conditioning task (Soni: see above & Claim 9 - 12 and Col. 10 Line 9 - 11 / Line 21 - 23 / Line 2 - 4: (e.g.) based on (i) (for example) whether the evaluation condition is a mobile device accessing policy or a fixed device accessing policy or (ii) whether any conflict imposed that may over-rule between groups of priority policy rules as well as any (iii) emergency related policy rules).

Per claim 18 and 20 Soni teaches a computer system for facilitating a maintenance of an access control system for controlling access to one or more resources of an information technology system by one or more subjects according to corresponding access control information, the computer system comprising: one or more computer processors, one or more computer-readable storage media, and program instructions stored on the one or more of the computer-readable storage media for execution by at least one of the one or more processors, wherein the computer system is capable of performing a method comprising: retrieving one or more trigger policies each based on one or more policy parameters, the one or more policy parameters of the one or more trigger policies comprising one or more state parameters relating to a current state of the access control system and one or more security parameters relating to one or more risks of the access control system and/or to one or more countermeasures for mitigating the risks; retrieving the one or more policy parameters; evaluating the one or more trigger policies according to the corresponding retrieved one or more policy parameters; determining a trigger indicator according to a result of the evaluated one or more trigger policies; and outputting an indication of the trigger indicator to trigger a revision of the access control system in response thereto, the revision comprising a mining activity for mapping the subjects to the resources and a possible update of the access control information based on a result of the mining activity (Refer to claim 1 rejection).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 10-13 are rejected under 35 U.S.C. 103 as being unpatentable over Soni (U.S. Patent 10,139,789) and in further view of Chari (US 9,137,263 B2).
Regarding Claim 10
Soni doesn’t disclose the following limitation “determining, by the control computing system, corresponding cost indicators of the affected control items, the cost indicator of each of the affected control items being based on the countermeasures for mitigating the risks caused by the affected control item at the ranking time; and updating, by the control computing system, the weights of the relevant trigger policies according to the cost indicators of the affected control items”
Chari discloses: 
The method according to claim 9, further comprising: determining, by the control computing system, corresponding cost indicators of the affected control items, the cost indicator of each of the affected control items being based on the countermeasures for mitigating the risks caused by the affected control item at the ranking time (Column 10, Line 18: The administrative cost is a measure of the system administrator's time required to maintain the role-based access control policy. For example, larger, more complex role-based access control policies are more difficult for the system administrator to maintain and errors are more likely to occur.); 
and updating, by the control computing system, the weights of the relevant trigger policies according to the cost indicators of the affected control items (Column 12, Line 27: Then, illustrative embodiments may use a set of optimization criteria and apply, for example, a simulated annealing, gradient descent, or other approximation process to minimize the cost function by decreasing risk, complexity, and assignments in the role-based access control policy).
Given the teaching of Chari, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Soni in order to integrate a feature in which a cost indicator of a control item is based on the countermeasures for mitigating the risks caused by the affected control item at the ranking time. One of ordinary skill in the art would have been motivated to do so because Chari recognizes that by implementing this feature, optimization criteria can be applied in order to mitigate the cost, complexity, and risk of the control item (Column 12, Line 27).
Regarding Claim 11
Soni doesn’t disclose the following limitation “calculating, by the control computing system, the cost indicator of each of the affected control items according to the subjects corresponding to the affected control item and to corresponding costs of the countermeasures for mitigating the risks caused by the affected control item pertaining thereto”
Chari discloses:
The method according to claim 10, further comprising: calculating, by the control computing system, the cost indicator of each of the affected control items according to the subjects corresponding to the affected control item and to corresponding costs of the countermeasures for mitigating the risks caused by the affected control item pertaining thereto (Column 12, Line 27: Then, illustrative embodiments may use a set of optimization criteria and apply, for example, a simulated annealing, gradient descent, or other approximation process to minimize the cost function by decreasing risk, complexity, and assignments in the role-based access control policy).
Given the teaching of Chari, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Soni in order to integrate a feature in which a cost indicator of a control item is based on the countermeasures for mitigating the risks caused by the affected control item at the ranking time. One of ordinary skill in the art would have been motivated to do so because Chari recognizes that by implementing this feature, optimization criteria can be applied in order to mitigate the cost, complexity, and risk of the control item (Column 12, Line 27).
Regarding Claim 12
Soni doesn’t disclose the following limitation “determining, by the control computing system, corresponding impact indicators of the affected control items the impact indicator of each of the affected control items being based on the risks caused by the affected control item at the ranking time; and updating, by the control computing system, the weights of the relevant trigger policies according to the impact indicators of the affected control items”
Chari discloses:
The method according to claim 9, further comprising: determining, by the control computing system, corresponding impact indicators of the affected control items (To mitigate the impact of these risks, a common approach is to analyze the access control policy and assess the risk that is posed to the enterprise or organization. To accomplish this, one must consider the set of all permission assignments given to the user and then assess the potential impact of the misuse or abuse of these assigned permissions.), the impact indicator of each of the affected control items being based on the risks caused by the affected control item at the ranking time; and updating, by the control computing system, the weights of the relevant trigger policies according to the impact indicators of the affected control items (Column 12, Line 27).
Given the teaching of Chari, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Soni in order to integrate a feature in which an impact indicator of each of the affected control items can cause a trigger policy to take effect. One of ordinary skill in the art would have been motivated to do so because Chari recognizes that by implementing this feature, optimization criteria can be applied in order to mitigate the cost, complexity, and risk of the control item if a user misuses their assigned roles (Abstract and Column 12, Line 27).
Regarding Claim 13
Soni doesn’t disclose the following limitation “calculating, by the control computing system, the impact indicator of each of the affected control items according to corresponding exposure factors of the risks caused by the affected control item and to corresponding values of one or more assets of the information technology system being affected by the risks caused by the affected control item”
Chari discloses:
The method according to claim 12, further comprising: calculating, by the control computing system, the impact indicator of each of the affected control items according to corresponding exposure factors of the risks caused by the affected control item and to corresponding values of one or more assets of the information technology system being affected by the risks caused by the affected control item (Abstract: The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile (through calculations) of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated).
Given the teaching of Chari, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Soni in order to integrate a feature in which a calculation is given for the impact indicator of each of the affected control items. One of ordinary skill in the art would have been motivated to do so because Chari recognizes that by implementing this feature, optimization criteria can be applied in order to mitigate the cost, complexity, and risk of the control item (Abstract and Column 12, Line 27).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431
/LYNN D FEILD/ Supervisory Patent Examiner, Art Unit 2431