Ex Parte Gupta et al., Appeal 2010-007604, Application 10/741,634 (P.T.A.B. Dec. 26, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 10/741,634
FILING DATE: 12/19/2003
FIRST NAMED INVENTOR: Pratik Gupta
ATTORNEY DOCKET NO.: 4541-011
CONFIRMATION NO.: 4066

67419 7590 12/26/2012
COATS & BENNETT/IBM
1400 CRESCENT GREEN, SUITE 300
CARY, NC 27518

EXAMINER: PAPPAS, PETER
ART UNIT: 2444
MAIL DATE: 12/26/2012
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte PRATIK GUPTA, GOVINDARAJ SAMPATHKUMAR, DAVID G. KUEHR-McLAREN, VINCENT C. WILLIAMS, SHARON L. CUTCHER, SUMIT TAANK, BRIAN A. STUBE, and HARI SHANKAR

Appeal 2010-007604
Application 10/741,634
Technology Center 2400

Before KALYAN K. DESHPANDE, JOHNNY A. KUMAR, and BRYAN F. MOORE, Administrative Patent Judges.

MOORE, Administrative Patent Judge.

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) of the Final Rejection of claims 12-19. App. Br. 1. Claims 1-11 and 20-22 are cancelled. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM-IN-PART, and enter a NEW GROUND of rejection in accordance with 37 C.F.R. § 41.50(b).

INVENTION

The invention is directed to a system and method of automated role discovery in role based control systems. See Spec. [0001]. Claims 12 and 15 are exemplary of the invention and reproduced below:

12. A method of auditing the access permissions of an information technology (IT) system via a role based access control system, comprising:
automatically generating initial roles of identities having access to said IT system, based on attributes associated with said identities;
later, automatically generating subsequent roles of identities then having access to said IT system, based on attributes then associated with said identities; and
comparing said initial roles and said subsequent roles to discover erroneous system accesses.

15. A method of refining roles in a role based control system, comprising:
automatically generating initial roles of identities based on attributes associated with said identities; and
aggregating said initial roles to generate refined roles.

REFERENCES

Shohat US 2002/0144142 A1 Oct. 3, 2002
Griffin US 2002/0178119 A1 Nov. 28, 2002

REJECTIONS AT ISSUE

Claims 12-14 and 19 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Shohat and Griffin. Ans. 3-8.

Claims 15-18 stand rejected under 35 U.S.C. § 102(b) as being anticipated by Shohat. Ans. 8-9.

ISSUES

1. Did the Examiner err in finding that the combination of Shohat and Griffin collectively teaches or suggests “automatically generating initial roles of identities having access to said IT system, based on attributes associated with said identities; later, automatically generating subsequent roles of identities then having access to said IT system, based on attributes then associated with said identities; and comparing said initial roles and said subsequent roles to discover erroneous system accesses” as recited in claim 12?

2. Did the Examiner err in finding that Shohat discloses aggregating the “initial roles to generate refined roles” as recited in claim 15?

ANALYSIS

35 U.S.C. § 103(a) – Shohat and Griffin
Claims 12-14 and 19

Claim 12

Appellants present arguments with respect to claim 12.
As to the limitation recited in issue 1 above, Appellants argue that “[n]othing in Shohat discloses or remotely suggests grouping users into roles based on their existing access rights and permissions a first time, and then subsequently grouping the same users into new roles, as recited in claims 12 and 19.” App. Br. 5. Specifically, Appellants argue that “Shohat discloses only an initial role formation, and reassignment of users from an existing security scheme to the newly-created roles.” Id. (emphases omitted).

We are not persuaded by this argument. Shohat teaches that a roles based security system is created by: 1) mining existing users’ access rights, 2) finding similarities between various users’ rights, and 3) assigning roles in order to group users who have similar rights. Shohat, Abstract. Shohat also teaches that after role assignment has been completed, it is possible to reduce the rights of a user by de-assigning him or her from a particular role, thus changing the role of the user. Shohat ¶ 0041. Therefore we agree with the Examiner that Shohat teaches or suggests “automatically generating subsequent roles of identities then having access to said IT system.” See Ans. 3.

Claim 12 also recites “comparing said initial roles and said subsequent roles to discover erroneous system accesses.” As to Griffin, first, Appellants argue that while “Griffin . . . discloses an ‘active role’ method to update a role-based access control system automatically every time a user or resource is changed[,] Griffin does not disclose, and does not remotely suggest, that new roles are created from the user/attribute data multiple times.” App. Br. 6-8. Second, Appellants argue that Griffin’s capability filter does not compare one role to another. Id.

We note initially that the Examiner relies on the combination of Shohat and Griffin to show the limitation recited in issue 1 above. Griffin teaches that users are automatically assigned to roles. Griffin ¶ 0010. As to whether new roles are created multiple times, Griffin further teaches using so-called “active role processing” to examine changes to a particular role, including changes to the users assigned to the role, so-called “principals.” Griffin ¶ 0048. The Examiner does not rely solely on the capability filters of Griffin but also relies on role filters as shown in block 412 of Fig. 4. Griffin, Fig. 4. Thus, Griffin discloses using the system to examine changes that have occurred in the relationships of roles and users. See Ans. 12; Griffin ¶ 0048. Thus, as to Griffin’s capability filter, we find that Griffin explicitly contemplates that roles may be changed. Griffin ¶ 0048 (“Active role processing examines additions, deletions, and modifications of a . . . role”). Also, as noted above, Shohat teaches that a role may be changed at least once (Shohat ¶ 0041), which is all that is required by claim 12. We further note, as discussed above, that Shohat teaches automatically defining roles based on data mining, so Shohat teaches that new roles are created from the user/attribute data. Shohat, Abstract. Shohat discloses using a system that automatically generates roles to discover unauthorized access rights. Shohat ¶ 0033.
Therefore, we agree with the Examiner that:

it would have been obvious to one of ordinary skill in the art at the time the invention was made to take the teachings of [Griffin] related to creation of an active role (initial role) and a subsequently created role (i.e., new or updated instance of a role) and running a capability filter of matched capabilities of the roles (comparing) and have modified the teachings of Shohat in order to facilitate “control of secure access to protected resources on behalf of certain users, groups of users, services, etc., so as to efficiently manage relationships with respect to potentially thousands of users and thousands of resources that may be in a continual state of change” (Griffin Page 4, ¶ 0037, Lines 14-18) and enhancing the ability of security administrators to provide secure access to resources by users (Griffin, Page 6, ¶ 0065, Lines, ¶ 0065 [sic]).

Ans. 4. Therefore, we affirm the Examiner’s rejection of claims 12-14 and 19.

35 U.S.C. § 102(b) – Shohat
Claims 15-18

As to claim 15, Appellants argue that “Shohat is completely silent as to aggregating roles to reduce the number of distinct roles.” We note that claim 15 recites “automatically generating initial roles of identities based on attributes associated with said identities; and aggregating said initial roles to generate refined roles,” and does not specifically require reducing the number of roles. However, the Examiner has not shown that Shohat separately generates initial roles and aggregates those initial roles to refine them in some way as required by claims 15-18. Shohat runs data mining of user attributes to security data to generate initial roles (Shohat, Abstract) but does not aggregate initial roles into refined roles based on the initial roles. App. Br. 9-11.

We find that Shohat does disclose that security data includes “organization data for example the position of a person in the enterprise; i.e. the company, the division and/or the location the person works.” Shohat ¶¶ 0024-0025. However, there is no indication in Shohat that the position of a person in the organization contained in the security data is automatically generated based on attributes associated with the individual’s identities. Specifically, Shohat is silent as to how the security data is generated and as such it would be improper to assume that the security data or initial roles are “automatically generated.” Therefore, we find that the security data does not disclose the claimed “automatically generating initial roles.” Because Shohat does not disclose automatically generating initial roles, Shohat does not disclose a process in which previously generated roles are then aggregated to generate refined roles. As such, Shohat does not anticipate the subject matter of claims 15-18.

NEW GROUND OF REJECTION – 37 C.F.R. § 41.50(b)

We enter the following new ground of rejection for claims 15-18 pursuant to our authority under 37 C.F.R. § 41.50(b).

35 U.S.C. § 103(a) – Shohat
Claims 15-18

With respect to claims 15-18, Shohat fails to explicitly disclose the limitation “generating initial roles . . . and aggregating said initial roles to generate refined roles,” as argued by the Appellants. App. Br. 9-11. However, the issue of whether Shohat teaches or suggests “generating initial roles . . . and aggregating said initial roles to generate refined roles” under 35 U.S.C. § 103(a) requires that the scope of this limitation be construed. Claim construction is a legal issue which is reviewed de novo. Cybor Corp. v. FAS Techs., Inc., 138 F.3d 1448, 1456 (Fed. Cir. 1998). During examination of a patent application, pending claims are given their broadest reasonable construction consistent with the specification. In re Prater, 415 F.2d 1393, 1404-05 (CCPA 1969); In re Am. Acad. of Sci. Tech Ctr., 367 F.3d 1359, 1369 (Fed. Cir. 2004).
As noted above, at issue here is the distinction between the claim terms “initial roles” and “refined roles.” Although the Specification and claim limitations fail to limit the scope of a “role,” the Specification does provide examples of a role to include an “engineer, manager, and human resources (HR) personnel.” Specification ¶ 004. Shohat describes that security data is mined to determine roles, where the security data includes “organization data for example the position of a person in the enterprise; i.e. the company, the division and/or the location the person works.” Shohat ¶¶ 0024-0025. That is, the security data comprises initial role information. For example, “human resources personnel” is a division of a company, and “engineer” and “manager” are positions of a person in the enterprise. As such, Shohat explicitly describes roles, as illustrated by the Specification. Furthermore, these roles are the first data loaded into the system and therefore are “initial roles.” However, Shohat does not explicitly disclose that the “initial roles” in the security data be automatically generated as required by claim 15. We find that it would have been obvious to one of ordinary skill in the art to recognize that the security data can be automatically generated through data entry and subsequent data mining, for example, by the method of data mining disclosed in Shohat. See Shohat ¶ 0028. Therefore, we find that Shohat teaches or suggests “automatically generating initial roles.”

As to aggregating initial roles into refined roles, the Specification describes the process of “aggregation” to include combining roles to create more general purpose roles. Specification ¶ 0021. Shohat further describes that the security data or initial roles are mined “for similarities and groups as much as possible of the security data in to as little as possible roles.” Shohat ¶ 0028. We find that it would have been obvious to one of ordinary skill in the art to combine the initial roles based on attributes in order to create more general purpose roles. As such, Shohat teaches or suggests “aggregating said initial roles to generate refined roles.”

For the reasons stated above, we enter a new ground of rejection of claim 15 under 35 U.S.C. § 103(a) as being unpatentable over Shohat. As to claims 16-18, given our finding that Shohat teaches automatically generating initial roles, as stated above, we also find that the remaining limitations of claims 16-18 would have been obvious to one of ordinary skill in the art as shown by the analysis and citations provided by the Examiner at pages 8-9 of the Answer. Ans. 8-9.

DECISION

The Examiner’s decision to reject claims 12-14 and 19 is affirmed. The Examiner’s decision to reject claims 15-18 is reversed. We newly reject claims 15-18 under 35 U.S.C. § 103(a) as being unpatentable over Shohat.

37 C.F.R. § 41.50(b) provides that “[a] new ground of rejection pursuant to this paragraph shall not be considered final for judicial review.” 37 C.F.R. § 41.50(b) also provides that Appellants, WITHIN TWO MONTHS FROM THE DATE OF THE DECISION, must exercise one of the following two options with respect to the new grounds of rejection to avoid termination of proceedings (37 C.F.R. § 1.197(b)) as to the rejected claims:

(1) Reopen prosecution. Submit an appropriate amendment of the claims so rejected or new evidence relating to the claims so rejected, or both, and have the matter reconsidered by the examiner, in which event the proceeding will be remanded to the examiner. . . .

(2) Request rehearing. Request that the proceeding be reheard under 37 C.F.R. § 41.52 by the Board upon the same record. . . .

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).
AFFIRMED-IN-PART; 37 C.F.R. § 41.50(b)

Dissenting Opinion

DESHPANDE, Administrative Patent Judge

I join the majority in affirming the Examiner’s rejection of claims 12-14 and 19 under 35 U.S.C. § 103(a) as unpatentable over Shohat and Griffin. However, I respectfully dissent from the majority’s reversal of the Examiner’s anticipation rejection of claims 15-18.

With respect to claims 15-18, the majority finds that Shohat fails to describe the limitation “generating initial roles . . . and aggregating said initial roles to generate refined roles,” as argued by the Appellants. App. Br. 9-11. Specifically, the majority agrees with the Appellants that Shohat describes the process of generating initial roles, but fails to describe aggregating the initial roles. App. Br. 9-11.

The issue of whether Shohat describes “generating initial roles . . . and aggregating said initial roles to generate refined roles” requires that the scope of this limitation be construed. Claim construction is a legal issue which is reviewed de novo. Cybor Corp. v. FAS Techs., Inc., 138 F.3d 1448, 1456 (Fed. Cir. 1998). During examination of a patent application, pending claims are given their broadest reasonable construction consistent with the specification. In re Prater, 415 F.2d 1393, 1404-05 (CCPA 1969); In re Am. Acad. of Sci. Tech Ctr., 367 F.3d 1359, 1369 (Fed. Cir. 2004).

At issue here is the distinction between the claim terms “initial roles” and “refined roles.” Although the Specification and claim limitations fail to limit the scope of a “role,” the Specification does provide examples of a role to include an “engineer, manager, and human resources (HR) personnel.” Specification ¶ 004. Shohat describes that security data is mined to determine roles, where the security data includes “organization data for example the position of a person in the enterprise; i.e. the company, the division and/or the location the person works.” Shohat ¶¶ 0024-0025. That is, the security data comprises initial role information. For example, “human resources personnel” is a division of a company, and “engineer” and “manager” are positions of a person in the enterprise. As such, Shohat explicitly describes roles, as illustrated by the Specification. Furthermore, these roles are the first data loaded into the system and therefore are “initial roles.”

The Specification describes the process of “aggregation” to include combining roles to create more general purpose roles. Specification ¶ 0021. Shohat further describes that the security data or initial roles are mined “for similarities and groups as much as possible of the security data in to as little as possible roles.” Shohat ¶ 0028. That is, the initial roles are combined based on attributes in order to create more general purpose roles. As such, Shohat explicitly describes “aggregating said initial roles to generate refined roles.”

While the majority understands Shohat to only describe “initial roles,” I find that the claimed “initial roles” encompass Shohat’s security data that includes position information and “refined roles” encompass Shohat’s roles generated by aggregating the roles in the security data. As such, Shohat describes “generating initial roles” and further describes “aggregating said initial roles to generate refined roles.” Therefore, I respectfully dissent from the majority’s reversal of the Examiner’s rejection of claims 15-18 under 35 U.S.C. § 102(b) as being anticipated by Shohat.
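Editor’s added illustration (not part of the Board’s decision, and not the applicants’, Shohat’s or Griffin’s implementation): a minimal working model of the two methods the claims recite. Claim 15 is modelled as grouping identities into initial roles by their directory attributes and then aggregating initial roles that carry identical entitlements into fewer refined roles; claim 12 as mining roles from two snapshots of the same directory and comparing them to flag identities whose permissions exceed what their current role peers hold, in particular rights retained from a former role. The attribute keys, the “entitlement = permissions common to all members” heuristic, the identity and permission data, and every function name are assumptions constructed for the example.

```python
"""Role mining, role aggregation and snapshot comparison (added illustration).

The directory snapshots and permission grants below are constructed sample data;
the attribute-grouping and intersection heuristics are assumptions, not the
patent's or either reference's method.
"""
from typing import Dict, FrozenSet, Set, Tuple

Attrs = Dict[str, str]
Perms = Dict[str, Set[str]]
Roles = Dict[FrozenSet[str], Set[str]]  # role key -> member identities


def mine_roles(identities: Dict[str, Attrs], keys: Tuple[str, ...] = ("dept", "title")) -> Roles:
    """Claim 15 'initial roles': identities sharing the selected attribute values form one role."""
    roles: Roles = {}
    for ident, attrs in identities.items():
        key = frozenset(f"{k}={attrs[k]}" for k in keys if k in attrs)
        roles.setdefault(key, set()).add(ident)
    return roles


def role_entitlements(roles: Roles, perms: Perms) -> Dict[FrozenSet[str], FrozenSet[str]]:
    """A role's entitlement is the permission set every member holds (intersection)."""
    return {key: frozenset.intersection(*(frozenset(perms[i]) for i in members))
            for key, members in roles.items()}


def aggregate_roles(roles: Roles, perms: Perms) -> Roles:
    """Claim 15 'aggregating': merge initial roles with identical entitlements into one
    refined role, keyed by that entitlement, so the role set is as small as possible."""
    ent = role_entitlements(roles, perms)
    refined: Roles = {}
    for key, members in roles.items():
        refined.setdefault(ent[key], set()).update(members)
    return refined


def audit_access(initial: Roles, perms_t0: Perms, subsequent: Roles, perms_t1: Perms) -> Dict[str, Dict[str, Set[str]]]:
    """Claim 12: compare initial and subsequent roles to discover erroneous accesses.

    Flags any identity holding permissions its current role peers do not all hold; when the
    identity changed role and the excess was part of its former role's entitlement, that part
    is reported as retained access. Singleton roles have no peers and are skipped (a known
    limitation of this heuristic)."""
    ent_t0 = role_entitlements(initial, perms_t0)
    ent_t1 = role_entitlements(subsequent, perms_t1)
    former = {i: key for key, members in initial.items() for i in members}
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for key, members in subsequent.items():
        if len(members) < 2:
            continue
        for ident in members:
            excess = set(perms_t1[ident]) - ent_t1[key]
            if not excess:
                continue
            old = former.get(ident)
            leftover = excess & ent_t0[old] if old is not None and old != key else set()
            findings[ident] = {"excess": excess, "from_former_role": leftover}
    return findings


# Constructed snapshots. T0: two engineers, two HR managers. T1: bob transferred to HR
# but kept engineering rights; frank joined engineering with an extra deploy grant.
IDENTITIES_T0 = {"alice": {"dept": "eng", "title": "engineer", "location": "raleigh"},
                 "bob": {"dept": "eng", "title": "engineer", "location": "austin"},
                 "carol": {"dept": "hr", "title": "manager", "location": "raleigh"},
                 "dave": {"dept": "hr", "title": "manager", "location": "austin"}}
PERMS_T0 = {"alice": {"repo:read", "repo:write", "ci:run"}, "bob": {"repo:read", "repo:write", "ci:run"},
            "carol": {"hris:read", "hris:write", "payroll:approve"},
            "dave": {"hris:read", "hris:write", "payroll:approve"}}
IDENTITIES_T1 = {"alice": {"dept": "eng", "title": "engineer", "location": "raleigh"},
                 "frank": {"dept": "eng", "title": "engineer", "location": "austin"},
                 "bob": {"dept": "hr", "title": "manager", "location": "austin"},
                 "carol": {"dept": "hr", "title": "manager", "location": "raleigh"},
                 "dave": {"dept": "hr", "title": "manager", "location": "austin"}}
PERMS_T1 = {"alice": {"repo:read", "repo:write", "ci:run"},
            "frank": {"repo:read", "repo:write", "ci:run", "prod:deploy"},
            "bob": {"hris:read", "hris:write", "payroll:approve", "repo:write", "ci:run"},
            "carol": {"hris:read", "hris:write", "payroll:approve"},
            "dave": {"hris:read", "hris:write", "payroll:approve"}}


def run_audit() -> Dict[str, Dict[str, Set[str]]]:
    """Mine roles from both snapshots and compare them (the claim 12 procedure end to end)."""
    return audit_access(mine_roles(IDENTITIES_T0), PERMS_T0, mine_roles(IDENTITIES_T1), PERMS_T1)


if __name__ == "__main__":
    fine = mine_roles(IDENTITIES_T0, keys=("dept", "title", "location"))
    print(len(fine), "initial roles ->", len(aggregate_roles(fine, PERMS_T0)), "refined roles")
    for ident, f in sorted(run_audit().items()):
        print(ident, "excess:", sorted(f["excess"]), "retained from former role:", sorted(f["from_former_role"]))
```

Grouping on dept, title and location yields four initial roles that aggregate into two refined roles, because location does not change what anyone can do; the audit flags bob’s retained engineering rights after his transfer and frank’s deploy right that no peer shares, while alice, carol and dave are clean.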