DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/25/2022 has been entered.
Status of Claims 
This is in reply to the claim amendments and remarks of the RCE filed 10/25/2022. 
Claims 1, 8, 13, 16-17, and 20 have been amended and claims 7 and 14-15 have been cancelled.
Claims 1, 4-6, 8-13, 16-17, and 19-22 are currently pending and have been examined. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
This application claims priority of Provisional Application 62/735,892 filed on 9/25/2018. Applicant's claim for the benefit of this prior-filed application is acknowledged. 

Response to Amendments
The previously pending 35 USC 103 rejections have been withdrawn based on Applicant’s claim amendments. See below for a discussion on related prior art.
Applicant’s amendments have been fully considered, but do not overcome the previously pending 35 USC 101 rejections. 

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With regard to the limitations of claims 1, 4-6, 8-13, 16-17, and 19-22, Applicant argues that the claims are patent eligible under 35 USC 101 because the pending claims recite applying a machine learning algorithm. The Examiner respectfully disagrees. The Examiner has clearly pointed out the limitations directed towards the abstract idea, what the additional elements are and why they do not integrate the abstract idea into a practical application, and why the additional elements and remaining limitations do not amount to significantly more than the abstract idea. The Examiner further asserts that the claimed “applying one or more machine-learning algorithms configured to” merely adds the words apply it with the judicial exception (See PEG 2019 and MPEP 2106.05). The Applicant’s claims generically recite a machine learning algorithm and provide no details as to what the machine learning is, but rather are using any generic machine learning algorithm and just applying it with the abstract idea. Applicant’s arguments are not persuasive.
The Applicant argues that the claims recite a technical solution for a known technical problem. The Examiner respectfully disagrees. The Applicant does not point out what technical problem is being solved. The Applicant does not point out what limitations amount to the technical problems solution. The Applicant just generically alleges there is a technical problem being solved, but does not disclose what or how the problem is solved by the claims. Applicant’s arguments are not persuasive.
The Examiner further asserts that applying a machine learning algorithm is so generically recited that it merely adds the words apply it with the judicial exception (See PEG 2019 and MPEP 2106.05). Applicant’s arguments are not persuasive.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 4-6, 8-13, 16-17, and 19-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter; 
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter.  If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception.  If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself.    
            In the instant case (Step 1), claims 13, 16-17 and 19 are directed toward a process, claim 20 and 22 is directed toward a product, and claims 1, 4-6, 8-12 and 21 are directed toward a system; which are statutory categories of invention. Additionally (Step 2A Prong One), the independent claims are directed toward a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data including identification of historical user actions actually taken by a plurality of users within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets identifying sets of duties that should not be performable by a single user; applying one or more machine-learning algorithms configured to analyze the historical user actions and the SoD rulesets to automatically generate a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and testing the plurality of generated roles assigned to the plurality of test users by: creating a simulated environment of the production environment of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment (Organizing Human Activity), which are considered to be abstract ideas (See PEG 2019 and MPEP 2106.05). The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are analyzing user activity data to SoD rulesets to determine roles that the users should perform and assigning the roles to the users based on the analysis, which is managing relationships and interactions. The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are analyzing user activity data to SoD rulesets to determine roles that the users should perform and assigning the roles to the users based on the analysis for helping ensure unrestricted access to the system, which is a business relation. The Applicant’s claimed limitations are analyzing user activity data to SoD rulesets to assign roles to users, which is directed towards the abstract idea of Organizing Human Activity.
Step 2A Prong Two: In this application, even if not directed toward the abstract idea, the above “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets; applying one or more machine-learning algorithms configured to; within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment” steps/functions of the independent claims would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and merely adds the words to apply it with the judicial exception. Also, the claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05). 
The Examiner further asserts that the claimed “applying one or more machine-learning algorithms configured to” merely adds the words apply it with the judicial exception (See PEG 2019 and MPEP 2106.05). 
In addition, dependent claims 4-6, 8-12, 14-17, 19, and 21 further narrow the abstract idea and dependent claims 4-6, 9-11, 16-17, and 19 additionally recite “assigning the one or more of the plurality of generated roles to the plurality of users; placing the test users in the simulated environment; retrieving subsequent user actions actually taken by the plurality of users; receive legacy role definitions and legacy role assignments of the plurality of users of the enterprise system; store the legacy role definitions and legacy role assignments; assign the identified one or more transaction codes for the one or more activities; and assigning one or more actions to each of the plurality of roles” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and the claimed “production environment, user devices, and machine learning algorithms” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05).
The claimed “system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method” are recited so generically (no details whatsoever are provided other than that they are general purpose computing components and regular office supplies) that they represent no more than mere instructions to apply the judicial exception on a computer. These limitations can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. Even when viewed in combination, the additional elements in the claims do no more than use the computer components as a tool. There is no change to the computers and other technology that is recited in the claim, and thus the claims do not improve computer functionality or other technology (See PEG 2019).
Step 2B: When analyzing the additional element(s) and/or combination of elements in the claim(s) other than the abstract idea per se the claim limitations amount(s) to no more than: a general link of the use of an abstract idea to a particular technological environment and merely amounts to the application or instructions to apply the abstract idea on a computer (See MPEP 2106.05 and PEG 2019). Further, method claims 13, 16-17 and 19; System claims 1, 4-6, 8-12 and 21; and Product claim 20 and 22 recite a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to, an enterprise system, production environment, user devices, machine learning algorithms, and non-transitory computer readable medium having stored thereon computer program code for executing a method; however, these elements merely facilitate the claimed functions at a high level of generality and they perform conventional functions and are considered to be general purpose computer components which is supported by Applicant’s specification in Paragraphs 0063-0067 and Figure 5. The Applicant’s claimed additional elements are mere instructions to implement the abstract idea on a general purpose computer and generally link of the use of an abstract idea to a particular technological environment. Also, the above “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to plurality of users of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment” steps/functions of the independent claims would not account for significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art. When viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself. 
In addition, claims 4-6, 8-12, 16-17, 19 and 21 further narrow the abstract idea identified in the independent claims.  The Examiner notes that the dependent claims merely further define the data being analyzed and how the data is being analyzed. Similarly, claims 4-6, 9-11, 16-17, and 19 additionally recite “assigning the one or more of the plurality of generated roles to the plurality of users; retrieving subsequent user actions actually taken by the plurality of users; placing the test users in the simulated environment; receive legacy role definitions and legacy role assignments of the plurality of users of the enterprise system; store the legacy role definitions and legacy role assignments; assign the identified one or more transaction codes for the one or more activities; and assigning one or more actions to each of the plurality of roles” which do not account for additional elements that amount to significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art and the claimed “production environment, user devices, and machine learning algorithms” which do not account for additional elements that amount to significantly more than the abstract idea because the claimed structure merely amounts to the application or instructions to apply the abstract idea on a computer and does not move beyond a general link of the use of an abstract idea to a particular technological environment (See MPEP 2106.05). The additional limitations of the independent and dependent claim(s) when considered individually and as an ordered combination do not amount to significantly more than the abstract idea.  The examiner has considered the dependent claims in a full analysis including the additional limitations individually and in combination as analyzed in the independent claim(s). Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Allowable over 35 USC 103
Claims 1, 4-6, 8-13, 16-17, and 19-22 are allowable over the prior art, but remain rejected under §101 for the reasons set forth above. Independent claims 1, 4-6, 8-13, 16-17, and 19-22 disclose a system, product and method for improving the functionality of an enterprise system by identifying historical actions taken by users, identifying duties that should not be performed alone using SoD rulesets, generating roles for users based off security profiles of the roles having transaction codes for authorized actions and testing role assignments in a simulated environment of the production environment by allowing the user devices access and control in the simulated environment.
Regarding a possible 103 rejection: The closest prior art of record is:
Thompson et al. (US 7,712,127 B1) – which discloses access control based on constraints controlling roles assignment. 
Prasad et al. (US 7,568,217 B1) – which discloses using roles based access control system over a network.
Gutesman et al. (US 2016/0119380 A1) – which discloses real time detection and prevention of segregation duties violations in an enterprise system.
Kazachkov et al. (US 2015/0088800 A1) – which discloses testing and configuration control using rules for role assignment.
Chari et al. (US 2014/0196103 A1) – which discloses role based access control policies based on risk.

The prior art of record neither teaches nor suggests all particulars of the limitations as recited in claims 1, 4-6, 8-13, 16-17, and 19-22, such as improving the functionality of an enterprise system by identifying historical actions taken by users, identifying duties that should not be performed alone using SoD rulesets, generating roles for users based off security profiles of the roles having transaction codes for authorized actions and testing role assignments in a simulated environment of the production environment by allowing the user devices access and control in the simulated environment.  While individual features may be known per se, there is no teaching or suggestion absent applicants’ own disclosure to combine these features other than with impermissible hindsight and the combination/arrangement of features are not found in analogous art. Specifically the claimed “a system comprising: at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, instructs the at least one processor to improve the security or functionality of an enterprise system by: receiving user activity data including identification of historical user actions actually taken by a plurality of users within a production environment of the enterprise system; receiving one or more separation of duty (SoD) rulesets identifying sets of duties that should not be performable by a single user; applying one or more machine learning algorithms configured to analyze the historical user actions and the SoD rulesets to automatically generate a plurality of roles corresponding to security profiles for the enterprise system, the roles having corresponding transaction codes related to authorized actions within the enterprise system; and assigning, based on the historical user actions and the SoD rulesets, one or more of the plurality of generated roles to a plurality of test users, respective test users of the plurality of test users corresponding to respective users of the plurality of users of the enterprise system; and testing the plurality of generated roles assigned to the plurality of test users by: creating a simulated environment of the production environment of the enterprise system; placing the test users in the simulated environment; and providing access to one or more user devices to control the test users in the simulated environment (as required by claims 1, 4-6, 8-13, 16-17, and 19-22)”, thus rendering claims 1, 4-6, 8-13, 16-17, and 19-22 as allowable over the prior art.

Conclusion
The prior art made of record, but not relied upon is considered pertinent to Applicant's disclosure is listed on the attached PTO-892 and should be taken into account / considered by the Applicant upon reviewing this office action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW D HENRY whose telephone number is (571)270-0504.  The examiner can normally be reached on Monday-Thursday 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, BRIAN EPSTEIN can be reached on (571)-270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MATTHEW D HENRY/Primary Examiner, Art Unit 3683