DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Amendment
This is a reply to the request for Continued Examination (RCE) filed on 01/12/2021, in which Claim(s) 1-12, 16 and 19-25 are presented for examination. Claim(s) 1, 2, 5, 6, 10, 11, 16, 19 and 20 are amended. Claim(s) 13-15, 17 and 18 are cancelled. Claim(s) 21-25 are newly added.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/12/2021 has been entered.

Response to Arguments
Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 8-10, filed 01/12/2021, regarding the U.S.C. 102 and 103 rejections of Claims 1-12, 16 and 19-25 have been fully considered and are not persuasive.
Applicants argue that “the Prior Art Fails to Disclose a Policy Engine that Implements a Declarative Policy Provided by a Tenant via an API Request so that the Tenant Configures an Ordered List of Rules that Form the Declarative Policy ”.
Applicant’s interpretation of the reference has been noted; however, examiner respectfully disagrees. Sondhi teaches a Policy Engine that Implements a Declarative Policy Provided by a Tenant via an API Request ([0049], “invoke an application programming interface (API) that will look up the customer's policy””, [0050], “When client application 204 makes a request…responsive calls to the APIs related to that request”, [0062], “Each service can have a set of associated authorization policies (i.e. a declarative policy) that are specific to that service”, [0063], “a policy engine”, [0072], “determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity), the scope of access that should be granted”).
Applicant’s arguments with respect to the limitation “so that the Tenant Configures an Ordered List of Rules that Form the Declarative Policy” have been considered but are moot in view of the new ground(s) of rejection.
Besides, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the rejection is maintained.



Claim Objections
Claims 1, 19-20 and 23-25, are objected to because of the following informalities:  
Claim 1 (line 6), claim 19 (line 9) and claim 20 (line 7) limitations “the API request” should be “the at least one API request” since the term “at least one API request” is previously mentioned in claims.
Claim 23, claim 24 and claim 25 preambles “The computer-readable medium of claim 20” should be “The non-transitory computer-readable medium of claim 20” since the term “non-transitory computer-readable medium” is previously mentioned in claim 20.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
Claims 1-5, 12, and 19-24, are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1).
Regarding Claims 1, 19, and 20, Sondhi discloses A method for declarative policy management in a multi-tenant cloud-based identity and access management (IAM) system ([0014], “a framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures”, [0064], “a multi-identity domain cloud computing environment”), the method comprising: 
receiving at least one Application Programming Interface (API) request by a policy engine of the multi-tenant cloud-based IAM system from a tenant of the multi-tenant cloud-based IAM system ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, [0050], “The interfaces may be published so that customers (tenants) are aware of the parameters that each interface expects to receive and the values that each interface expects to return. When client application 204 makes a request of OAuth authorization server 220, OAuth authorization server 220 makes responsive calls to the APIs related to that request”, [0063], “a policy engine”, [0066], “various different tenants who are served by the cloud computing environment”); 
the API request comprising a declarative policy provided by the tenant, the declarative policy comprising a tenant customized access management policy or a tenant customized identity management policy ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, based on [0050], “the parameters that each interface expects to receive”, i.e. provided by the tenant, [0072], “In response to such an inquiry, the resource server can determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity), the scope of access that should be granted”).
configuring the declarative policy for the tenant of the multi-tenant cloud-based IAM system based on the at least one API request ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, [0050], configuring “the parameters that each interface expects to receive and the values that each interface expects to return”, [0062], “Each service can have a set of associated authorization policies (i.e. a declarative policy) that are specific to that service”); and 
wherein the policy engine exposes APIs for creating policy artifacts associated with the declarative policy ( [0021], “a multi-identity domain cloud-based computing environment”, [0022], “interacts with clients from separate enterprises, having different identity domains, in order to authorize those clients relative to cloud-provided services”, [0050], “The interfaces may be published so that customers (tenants) are aware of the parameters that each interface expects to receive and the values that each interface expects to return”, [0062], “Each service can have a set of associated authorization policies that are specific to that service”, [0063], “a policy engine”, [0072], “determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity), the scope of access that should be granted”),
enforcing the declarative policy in an IAM service performed for the tenant; and the policy engine defines a data model comprising resource types corresponding to the policy artifacts.
Maes teaches enforcing the declarative policy in an IAM service performed for the tenant ([0010], “implementing service level consolidated user information management can comprise receiving and/or intercepting, at a policy enforcer, a manipulation request of data. The selection of a policy to process/execute is a function of the manipulation request (i.e., viewing/accessing rights, changing/modifying rights, deletion rights, etc.) and the target data”, “This is further detailed in… U.S. application Ser. No. 11/565,578, filed on Nov. 30, 2006, entitled ADDING FACTORED OUT FLOWS IN DECLARATIVE POLICY RULE SETS”, [0072], “policy enforcer may provide a unified interface for all data”), and
the policy engine defines a data model comprising resource types corresponding to the policy artifacts ([0010], “a check of the data manipulation type and make a decision as to how to treat the manipulation request based on the (data, i.e. resource) type”, [0072], “customer data model”).  
Sondhi and Maes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maes with the disclosure of Sondhi. The motivation/suggestion would have been to provide a policy enforcing mechanism to manage routing of requests related to user information (Maes, [0002]).
	The combined teaching of Sondhi and Maes teaches the declarative policy the declarative policy is a policy comprising an ordered list of rules that are configured by the tenant.
Pernicha teaches a policy comprising an ordered list of rules that are configured by the tenant ([0005], “policy is implemented in a rule base, which is an ordered list of rules”, [0069], “different policy rules that are defined/configured by the user/administrator”, i.e. configured by the tenant).
Sondhi, Maes and Pernicha are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pernicha with the combined teaching of Sondhi and Maes. The motivation/suggestion would have been for dynamically optimized rule-based security policy management (Pernicha, Abstract).

Regarding Claim 2, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the policy engine is a common module available for uptake by components of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each service can have a set of associated authorization policies that are specific to that service”, [0063], “a policy engine”, therefore the policy engine is a common module for the set of policies), and the at least one API request comprises a Representational State Transfer (REST) request configured according to System for Cross-domain Identity Management (SCIM) and the policy engine exposes SCIM-based REST APIs for evaluating the declarative policy (Sondhi, [0021], “a multi-identity domain cloud-based computing environment”, [0022], “interacts with clients from separate enterprises, having different identity domains, in order to authorize those clients relative to cloud-provided services”, [0030], “provides a Representational State Transfer (REST) interface”, [0081], “invoke its policy engine to determine a particular set of policies that applies to the identity domain of the particular client”).  

Regarding Claim 3, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the components of the multi-tenant cloud-based IAM system include one or more microservices providing cloud-based IAM services to tenants of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each service (i.e. one or more microservices) can have a set of associated authorization policies that are specific to that service”).

Regarding Claims 4, 21 and 23, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the tenant customized access management policy comprises one of a login policy, a multi-factor authentication policy or a trust policy (Sondhi, [0072], “apply those policies itself to determine the scope of access that should be granted”, [0125], “the user can sign on to all of the mobile native applications in a group of applications that belong to a circle of trust”), and the tenant customized identity management policy comprises one of a password policy, an ID synchronization policy or a user provisioning policy (Sondhi, [0125], “if a user logs into one mobile native application by supplying a user identity and password, then the fact that the user logged into that mobile native application can be used by other mobile native applications from the same vendor in order to allow the user to access those other mobile native applications without separately requiring the user to supply a user identity and password for each one”).

Regarding Claims 5, 22 and 24, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the policy artifacts comprise the declarative policy, a policy type, rules, condition groups, and conditions (Maes, [0010], “The selection of a policy to process/execute is a function of the manipulation request (i.e., viewing/accessing rights, changing/modifying rights, deletion rights, etc.) and the target data… DECLARATIVE POLICY RULE SETS”, “a check of the data manipulation type and make a decision as to how to treat the manipulation request based on the type. These can be viewed as a sequence of conditions”, “determine a data type associated with the manipulation request and, based on the data type, selecting a policy from a plurality of policies”, [0016], “combination of any condition” as condition groups).

Regarding Claim 12, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the declarative policy is associated with a resource or a container of the tenant of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each a set of associated authorization policies (i.e. a declarative policy) that are specific to that service”, i.e. a resource of the tenant, [0097], “The repositories (container) into which a tenant's client profiles are stored can be configured on a per-tenant basis”).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Tuatini et al. (US 2016/0020917 A1).
Regarding Claim 6, the combined teaching of Sondhi, Maes and Pernicha teaches 
wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine (Maes, [0070], “the customer's contract information is restricted to only be accessed by the owner of the data (i.e., subscriber manager 410), then policy enforcer 405 would instruct subscriber manager 410 to execute the request”).
The combined teaching of Sondhi, Maes and Pernicha does not explicitly teach but Tuatini teaches specifies whether the policy can be configured as a Groovy script ([0079], “In other implementations the script or scripts can use "Groovy"”).
Sondhi, Maes, Pernicha and Tuatini are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tuatini with the combined teaching of Sondhi, Maes and Pernicha. The .

Claims 8, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Szabo et al. (US 2015/0142948 A1).
Regarding Claim 8, the combined teaching of Sondhi, Maes and Pernicha does not explicitly teach but Szabo teaches wherein each condition comprises an IF/THEN/ELSE statement ([0083], “condition 502 may be arranged to generate a true or false result, such as, result 506. If result 506 is TRUE, action 504 may execute. If result 506 is FALSE, the action may be barred from execution and the system may enter another state, such as, state 508”).
Sondhi, Maes, Pernicha and Szabo are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szabo with the combined teaching of Sondhi, Maes and Pernicha. The motivation/suggestion would have been to help implementing the declarative policy.

Regarding Claim 9, the combined teaching of Sondhi, Maes and Pernicha does not explicitly teach but Szabo teaches wherein each condition group comprises a Boolean combination of one or more conditions using OR/AND/NOT operators condition expressions may be combined together using various operators, such as, Boolean operators”).
Sondhi, Maes, Pernicha and Szabo are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szabo with the combined teaching of Sondhi, Maes and Pernicha. The motivation/suggestion would have been to help implementing the declarative policy.

Regarding Claim 10, the combined teaching of Sondhi, Maes and Pernicha does not explicitly teach but Szabo teaches wherein each rule comprises a Boolean combination of one or more condition groups or conditions using OR/AND/NOT operators and defines a value to be returned if the Boolean combination is evaluated positively ([0085], “one or more condition expressions may be combined together using various operators, such as, Boolean operators”, [0124], “the computed operands may be returned in a list of name-value pairs”).
Sondhi, Maes, Pernicha and Szabo are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szabo with the combined teaching of Sondhi, Maes and Pernicha. The motivation/suggestion would have been to help implementing the declarative policy.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further .
Regarding Claim 16, the combined teaching of Sondhi, Maes and Pernicha does not explicitly teach but Vaidya teaches wherein the declarative policy is configured using JavaScript Object Notation (JSON) ([0177], “a script uses a JSON based REST API to define the template policy”).
Sondhi, Maes, Pernicha and Vaidya are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya with the combined teaching of Sondhi, Maes and Pernicha. The motivation/suggestion would have been to make it convenient for programs to consume (or utilize) the network virtualization platform policy (Vaidya, [0071]).

Allowable Subject Matter
Claims 7, 11 and 25 are objected to as being dependent upon rejected base claims 1 and 20, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Examiner, Art Unit 2497