DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the communication filed on September 30, 2022 in response to the first office action on the merits.

Remarks
Pending claims for reconsideration are claims 1-21. Applicant has amended claims 1-2, 6-9, 13-16, and 20-21.

Response to Arguments
Applicant’s arguments filed on September 30, 2022 with respect to amended claims have been considered but they are deemed moot in view of the new grounds of rejection (see 103 rejection below).


Allowable Subject Matter 
Claims 6, 13, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance:
Regarding dependent claims 6, 13, and 20:
The closest prior art Hecht discloses:
“…automatically developing, based on the analysis of the information, a least-privilege profile for the first identity, the least-privilege profile including permissions corresponding to the particular actions with respect to the particular network resources and excluding permissions that do not correspond to the particular actions with respect to the particular network resources…” (Abstract). 

The second closest prior art Denton discloses profile sharing between users (Para 0015).

The third closest prior art Shukla discloses: 
“…detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an Al call and system call…” (Abstract).

However, the prior art, alone or in combination, fails to teach or suggest the claimed limitation of dependent claims 6, 13, and 20: “...wherein recording the interactions includes recording code that is executed while interacting with the user interface during the workflow, wherein the recorded code includes the API calls, and wherein the method further comprises: excluding, from the recorded code, API calls that are irrelevant to the workflow; converting the recorded code into a script; and translating the script into a language usable by a processor to identify the API calls and the privileges” along with the other limitations of dependent claims 6, 13, and 20.
For this reason, the specific claim limitations recited in dependent claims 6, 13, and 20, taken as a whole, are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 5, 8-9, 12, 15-16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht et al. (U.S. Patent No.: US 10,148,701 B1 / or “Hecht” hereinafter) in view of Abhishek Chauhan (U.S. Patent Application Publication No.: US 2020/0151617 A1 / or “Chauhan” hereinafter).

Regarding claim 1, Hecht discloses “A method to determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the method comprising” (Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment; and Col 18: 21-27, the invention can take place in virtualized environment):
“recording interactions with a user interface in the virtualized computing environment while executing the workflow” (Col 9: 42-48, recording of entities action in a network); 
“capturing, from at least the recorded interactions, application program interface (API) calls that are made while executing the workflow on a user interface in the virtualized computing environment” (Fig. 2: Step 201; and Col 9:4-15, querying via an API types of actions taken by an identity); 
[obfuscating confidential data that is present in the recorded interactions];
“identifying privileges that correspond to the captured API calls” (Fig. 2: Step 202; and Col 9:16-41, identifies particular actions); 
“and combining the identified privileges to form the minimal set of privileges” (Fig. 2: Step 203; and Col 9:60-66, forms least-privilege profile).
But Hecht fails to specifically disclose removing confidential data from recorded interactions.
However, Chauhan discloses “obfuscating confidential data that is present in the recorded interactions” (Chauhan, Para 0206, removes sensitive user information).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of removing confidential data from recorded interactions of Chauhan to the System of Hecht to generate a training content package devoid of confidential information (Chauhan, Para 0206) and the ordinary person skilled in the art would have been motivated to combine to training model for users performing similar tasks (Chauhan, Abstract).

Regarding claim 2, in view of claim 1, Hecht discloses “wherein capturing the API calls includes identifying the API calls from a common format that is generated by recording the interactions with the user interface while executing the workflow” (Col 14:60-67, populate a permission matrix for one or more identities i.e., a “common format”), 
“and wherein identifying the privileges includes identifying the privileges from API metadata that corresponds to the captured API calls” (Col 10:6-10: “…least privilege score may be developed based on a proportion of the particular actions taken with respect to the particular network resources to the permission policy corresponding to the first identity”).

Regarding claim 5, in view of claim 1, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (Col 6:24-48, virtual environment is disclosed).

Regarding claim 8, Hecht in view of Chauhan disclose “A non-transitory computer-readable medium having instructions stored thereon, which in response to execution by one or more processors, cause the one or more processors to perform or control performance of operations to determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the operations comprising” (Hecht, Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment):
“recording interactions with a user interface in the virtualized computing environment while executing the workflow;
capturing, from at least the recorded interactions, application program interface (API) calls that are made while executing a workflow on a user interface in the virtualized computing environment;
obfuscating confidential data that is present in the recorded interactions;
identifying privileges that correspond to the captured API calls; 
and combining the identified privileges to form the minimal set of privileges” (See rejection of claim 1).

Regarding claim 9, in view of claim 8, Hecht discloses “wherein capturing the API calls includes identifying the API calls from a common format that is generated by recording the interactions with the user interface while executing the workflow, and wherein identifying the privileges includes identifying the privileges from API metadata that corresponds to the captured API calls” (See rejection of claim 2).

Regarding claim 12, in view of claim 8, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (See rejection of claim 5).

Regarding claim 15, Hecht in view of Chauhan disclose “An apparatus to determine a minimal set of privileges to execute a workflow in a virtualized computing environment, the apparatus comprising” (Hecht, Col 1:46-48, disclosed embodiments describe non-transitory computer readable media and methods for developing and enforcing least-privilege policies in a network environment): 
“a display screen configured to present a user interface in the virtualized computing environment” (Hecht, Col 6:24-48, virtual environment is disclosed); 
a recorder service configured to record interactions with the user interface while executing the workflow;
“an application program interface (API) converter configured to capture, from at least the recorded interactions, API calls that are made while executing the workflow on the user interface;
wherein the API converter is further configured to obfuscate confidential data that is present in the recorded interactions; 
and a processor coupled to the API converter and configured to: 
identify privileges that correspond to the captured API calls; 
and combine the identified privileges to form the minimal set of privileges” (See rejection of claim 1).

Regarding claim 16, in view of claim 15, Hecht discloses “wherein: to capture the API calls, the API converter is configured to identify the API calls from a common format that is generated from the recorded interactions with the user interface while executing the workflow, and to identify the privileges, the processor is configured to identify the privileges from API metadata that corresponds to the captured API calls” (See rejection of claim 2).

Regarding claim 19, in view of claim 15, Hecht discloses “wherein the workflow pertains to management of elements in the virtualized computing environment” (See rejection of claim 5).


Claims 3-4, 10-11, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht and Chauhan in view of Denton et al. (U.S. Patent Application Publication No.: US 2020/0004829 A1 / or “Denton” hereinafter).
	
Regarding claim 3, in view of claim 1, Hecht discloses “further comprising: generating a model that associates the minimal set of privileges to the workflow” (Col 9:60-66, forms least-privilege profile; Col 1:35-42, a model is created); 
But Hecht and Chauhan fail to specifically disclose applying the model to a subsequent user.
However, Denton discloses “and applying the model to a user to determine privileges to assign to the user to perform a same workflow” (Denton, Para 0015).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of applying the model to a subsequent user of Denton to the System of Hecht and Chauhan to create a system allowing “…common activity data related to both the first user and the second user in the content sharing platform…” and the ordinary person skilled in the art would have been motivated to combine to content sharing among users (Denton, Para 0015).

Regarding claim 4, in view of claim 3, Hecht and Chauhan in view of Denton disclose “further comprising updating the model” (Denton, Para 0048, updates profile).

Regarding claim 10, in view of claim 8, Hecht and Chauhan in view of Denton disclose “wherein the operations further comprise: generating a model that associates the minimal set of privileges to the workflow; and applying the model to a user to determine privileges to assign to the user to perform a same workflow” (See rejection of claim 3).

Regarding claim 11, in view of claim 10, Hecht and Chauhan in view of Denton disclose “wherein the operations further comprise: updating the model” (See rejection of claim 4).

Regarding claim 17, in view of claim 15, Hecht and Chauhan in view of Denton disclose “wherein the processor is further configured to: generate a model that associates the minimal set of privileges to the workflow; and apply the model to a user to determine privileges to assign to the user to perform a same workflow” (See rejection of claim 3).

Regarding claim 18, in view of claim 17, Hecht and Chauhan in view of Denton disclose “wherein processor is further configured to update the model” (See rejection of claim 4).


Claims 7, 14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht and Chauhan in view of Jayant Shukla (U.S. Patent Application Publication No.: US 2019/0138715 A1 / or “Denton” hereinafter).

Regarding claim 7, in view of claim 1, Hecht discloses forming of least-privilege profile (Col 9:60-66), and creation of a profile model (Col 1:35-42).
But Hecht and Chauhan fail to specifically disclose intercepting API calls during run-time.
However, Shukla discloses “wherein capturing the API calls further includes intercepting at least some of the API calls during run-time, separately from the recorded interactions” (Shukla, Para 0081: monitor API calls during run-time).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of intercepting API calls during run-time of Shukla to the System of Hecht and Chauhan to create a system where “…API calls can also be used in monitoring mode to generate a rule list dynamically…” and the ordinary person skilled in the art would have been motivated to combine in order for “…validation can also be enforced by inserting the validation code after the API call and validating the return to address” (Shukla, Para 0082).

Regarding claim 14, in view of claim 8, Hecht and Chauhan in view of Shukla disclose “wherein capturing the API calls further includes intercepting least some of the API calls during run-time, separately from the recorded of interactions” (See rejection of claim 7).

Regarding claim 21, in view of claim 15, Hecht and Chauhan in view of Shukla disclose “wherein to capture the API calls, the API converter is further configured to intercept least some of the API calls during run-time, separately from the recorded of interactions” (See rejection of claim 7).

Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Dowlatkhah et al. (US 2015/0379101 A1) discloses:
[0036] In one or more embodiments, the application server 130 can generate a report of current user profile settings and/or modifications. The report can be aggregated to conceal personal information. The report can be made available to third parties for data mining. Alternatively third parties can access user profile data at the secondary data repository using an API. A user/subscriber can opt in or opt out from data mining activities involving user profile information stored at the secondary data repository 160 and/or monitored by the adaptation server 130.

Choe et al. (U.S. Patent No.: US 2016/0335454 A1) discloses:
[0204] Further, in additional aspects, the executed test data manager may access and exchange data with one or more supporting applications (e.g., though a corresponding API) that, when executed by a computing device, perform processes that support the generation of the test data from the one or more selected data assets. For example, the executed test data manager may, through a corresponding API, provide portions of the obtained data assets and corresponding metadata to a data obfuscation application (e.g., as described below in reference to data service layer 1606). Upon execution, the data obfuscation application may be configured to parse the corresponding metadata to identify sensitive portions of the obtained data assets, modify the obtained data assets by deleting and/or obfuscating the sensitive data portions, and return the modified data assets to the executed test data manager through the corresponding API. The executed test data manager may, in some instances, provide the desired number of data records of the modified data assets to the destination system as test data in accordance with the specified frequency or recurring schedule, as described above.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is (571) 270-3392. The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431