DETAILED ACTION
This office action is in response to communication filed on 12/23/2020.
Claims 1, 3-8, 10-15, and 17-20 are being considered on the merits.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Amendments
The amendment filed 12/23/2020 has been entered. Claims 1, 3-8, 10-15, and 17-20 remain pending in the application. 
Response to Arguments
Regarding the rejection of claims 1, 8, and 15 under 35 USC 103:
The Applicant submits on page 9 that the metamodel of Lang (US 20180069899 A1) in Para. [0077] refers to data structure relating to a user interface and further Lang does not teach restriction based on business role as the AC module and the metamodel are separate and thus fails to meet the limitation “accessing a set of master data defined in the custom code used to determine restrictions to be associated with each of the end users associated with the particular business role”.
The Examiner respectfully disagrees.
Further expanding on the arguments presented in the Non-Final Office Action of 10/1/2020, while the metamodel is an option for the data structure related to the user interface in Para. [0077] Lang also teaches the limitation “accessing a set of master data defined in the custom code used to determine restrictions to be associated with each of the end users associated with the particular business role” in Para. [0094] where the access control policy model is based on a specified metamodel, which is a customizable data structure. Further, in Para. [0094 and 0284] the role based access control is applied to the access control overlay module which is based on the metamodel. The 
Regarding the rejection of claims 1, 8, and 15 under 35 USC 103:
The Applicant submits on page 10 “Moloian merely describes resources that a user or resource is permitted to access” and not a set of parameters that identify a business role of the end user and thus fails to meet the limitation “wherein the master data identifies a set of parameters associated with each of the end users, and wherein the set of parameters identify a business role of the end user”.
The Examiner respectfully disagrees.
Further expanding on the arguments presented in the Non-Final Office Action of 10/1/2020, Moloian (US 20140289207 A1) teaches the limitation “wherein the master data identifies a set of parameters associated with each of the end users, and wherein the set of parameters identify a business role of the end user” in Para. [0055] access rights associate roles with users. The Examiner respectfully submits that the reference does provide parameters for identifying the role associated with a user, thus the arguments are not found to be persuasive.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, providing better policy management (Lang, Para. [0045]) to a system that deals with custom restriction rules. Further as mentioned above the examiner considers the metamodel of Lang to be broader than the applicant states.
Regarding the rejection of claims 6, 13, and 19 under 35 USC 103:

The Examiner respectfully disagrees.
Further expanding on the arguments presented in the Non-Final Office Action of 10/1/2020, Orsini (US 20090097661 A1) teaches the limitation “providing the first subset of the requested set of data in the response to the request while excluding the second subset of the requested set of data” in Para. [0396] discloses limiting the access to secured data to just those who are permitted to access the portion (i.e. subset) of data based on roles, while some roles can have access to all data. A “portion of the data” is considered to be synonymous with a “subset set of the data”, further defined by the applicant in the arguments to be “some of the data but not all”. The Examiner respectfully submits that the reference does provide providing access to only a subset of the data, thus the arguments are not found to be persuasive.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of  

Claims 1, 3-5, 7-8, 10-12, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over  Moloian (US 20140289207 A1) in view of Lang (US20180069899 A1) in further view of Bartholomay (US 20140137188 A1).
Regarding claim 1 Moloian teaches a computerized method executed by at least one processor, the method comprising: presenting, via a user interface, a listing of a plurality of restriction rules for association with a particular business role (Moloian, in Para. [0113-0114], discloses a role configuration interface used to associate rights (e.g. tasks, permissions) (i.e. restriction rules) with a role, where the interface can include a list of the rights (e.g. tasks, permissions) (i.e. restriction rules))
the business role associated with at least one end user in an enterprise software system executed by a customer, (Moloian, in Para. [0055 and 0057], discloses a user being associated with a role, where access rights are associated with users and roles in a an enterprise system)
the listing of the plurality of restriction rules including at least one predefined restriction rule (Moloian, in Para. [0062], discloses resource access information which identifies users and resources with associated access rights (i.e. restriction rules)).
associating the selected [particular custom] restriction rule placeholder with the particular business role; (Moloian, in Para. [0114], discloses associating role with access rights (i.e. restriction rule))
wherein the master data identifies a set of parameters associated with each of the end users, and wherein the set of parameters identify a business role of the end user; (Moloian, in Para. [0055], discloses access rights (i.e. master data) including identifying roles associated with users (i.e. parameters))
(Moloian, in Para. [0009 and 0055], discloses access rights (i.e. master data) including resource permissions (i.e. object associated with user))
generating, for each end user associated with the identified business role, an end user authorization identifying the set of access objects authorized for the particular end user to access at runtime (Moloian, in Para. [0054 and 0062], discloses a permission provisioned to a particular user or role as an entitlement, which is associated with access rights to a resource, and a list of current entitlements (i.e. end user authorizations)).
While Moloian teaches listing rules in relation to roles, Moloian fails to explicitly teach the placeholder.
However, Lang from the analogous technical field teaches at least one custom restriction rule placeholder (Lang, in Para. [0007], discloses a policy input (i.e. custom restriction rule placeholder))
wherein each of the at least one predefined restriction rules are delivered with the enterprise software system and defined by a software vendor providing the enterprise software system, and (Lang, in Para. [0007], discloses retrieving from memory (i.e. defined by the vendor) at least one pre-configure policy selection template with at least on applicable policy (i.e. restriction rule))
wherein each of the at least one customer restriction rule placeholders are associated with a link to custom code developed as a customer-specific restriction rule; (Lang, in Para. [0007 and 0085], discloses loading a pre-configured policy generation template (i.e. custom code) which pertains to the policy (i.e. custom restriction rule placeholder))
receiving, via the user interface, an indication of a selection of a particular custom restriction rule placeholder from the listing of the plurality of restriction rules; (Lang, in Para. [0007], discloses a policy input (i.e. custom restriction rule placeholder) can be entered via the user interface)
(Lang, in Para. [0007], discloses in response to indicating (i.e. trigger) an input policy (i.e. custom restriction rule) leading the pre-configured policy generation template (i.e. custom code))
accessing a set of master data defined in the custom code used to determine restrictions to be associated with each of the end users associated with the particular business role; and (Lang, in Para. [0007-0008, 0094 and 0283], discloses a metamodel (i.e. master data) that contains elements such as attributes of policies where the pre-configured policy generation template (i.e. custom code) is used to automatically or semi-automatically fill the placeholder attributes, where role based access control can be used)
deriving, based on logic defined within the custom code, a set of access objects to be associated with each end user; and (Lang, in Para. [0007 and 0107], discloses generating a machine enforceable rule and/or configuration that is compliant with the policy, where the metamodel (i.e. master data) contains the complete policy data structure).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Moloian to incorporate the teachings of Lang, with a motivation to provide better policy management (Lang, Para. [0045]).  
While Moloian as modified by Lang teaches custom code, Moloian as modified by Lang fails to explicitly teach data being defined after delivery of the software.
However, Bartholomay from the analogous technical field teaches wherein the master data defined in the custom code comprises customer-defined master data that was defined by the customer after delivery of the enterprise software system (Bartholomay, in Para. [0111 and 0139], discloses custom rules created by users (i.e. after delivery), where the rules are created on user data (i.e. master data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Moloian as modified by Lang to incorporate the teachings of Bartholomay, with a motivation to improve the scalability and flexibility of a service (Bartholomay, Para. [0013]).  
Regarding claim 3, Moloian as modified by Lang and Bartholomay teaches the method of claim 1. 
Moloian further teaches wherein the triggering event comprises a save action associated with an updated business role after the association of the selected custom restriction rule (Moloian, in Para. [0117], discloses saving (i.e. triggering) the changes to the role being configured (i.e. associated of rule with rile)).
Regarding claim 4, Moloian as modified by Lang and Bartholomay teaches the method of claim 1. 
Moloian further teaches wherein the triggering event comprises a periodic restriction rule evaluation (Moloian, in Para. [0065], discloses periodically performing resource evaluation (i.e. restriction rule evaluation)).
Regarding claim 5, Moloian as modified by Lang and Bartholomay teaches the method of claim 1. 
Moloian further teaches wherein the triggering event comprises an assignment of a new business role to a user (Moloian, in Para. [0117], discloses saving the changes (i.e. trigger) to the role being configured (i.e. associated of rule with rile)).
Regarding claim 7, Moloian as modified by Lang and Bartholomay teaches the method of claim 1. 
Lang further teaches wherein the listing of the plurality of restriction rules including at least one custom restriction rule placeholder provided by a partner to the customer, the at least one customer (Lang, in Para. [0223], discloses third party (i.e. partner) policy templates (i.e. rule placeholder)).
As per claims 8, 10-11 and 14, these claims recite a token system to perform the steps as recited by the method of claims 1, 3-5 and 7, and has limitations that are similar to those of claims 1, and 1, 3-5 and 7, thus is rejected with the same rationale applied against claims 1, 3-5 and 7.
As per claims 15, 17-18 and 20, these claims recite a token non-transitory computer readable medium to perform the steps as recited by the method of claims 1, 3, 5 and 7, and has limitations that are similar to those of claims 1, 3, 5 and 7, thus is rejected with the same rationale applied against claims 1, 3, 5 and 7.
Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over  Moloian in view of Lang and Bartholomay in further view of Orsini (US 20090097661 A1).
Regarding claim 6, Moloian as modified by Lang and Bartholomay teaches the method of claim 1. 
While Moloian as modified by Lang and Bartholomay teaches end user authorization, Moloian as modified by Lang and Bartholomay fails to explicitly teach providing data based on authorization.
However, Orsini from the analogous technical field teaches the method further comprising, in response to receiving a request at runtime for a set of data, the request associated with a first end user: determining a first subset of the requested set of data included in the generated end user authorization associated with the first end user, determining a second subset of the requested set of data that is not included in the generated end user authorization associated with the first end user; and providing the first subset of the requested set of data in the response to the request while excluding the second subset of the requested data (Orsini, in Para. [0396], discloses providing management and access (i.e. in response to a request) to a portion of data based on roles (i.e. first subset), where others might have access to all the data (i.e. including second subset)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Moloian as modified by Lang and Bartholomay to incorporate the teachings of Orsini, with a motivation to share data while maintaining security (Orsini, Para. [0396]).  
As per claim 13, this claim recites a token system to perform the steps as recited by the method of claim 6, and has limitations that are similar to those claim 6, thus is rejected with the same rationale applied against claim 6.
As per claim 19, this claim recites a token non-transitory computer readable medium to perform the steps as recited by the method of claim 6, and has limitations that are similar to those claim 6, thus is rejected with the same rationale applied against claim 6.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208.  The examiner can normally be reached on M-Th 9:00-18:00 (Flex).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JESSICA J SOUTH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/TRANG T DOAN/Primary Examiner, Art Unit 2431