Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the reply filed on 2/12/2021. Claims 1-18 are pending. This Office Action is Non-Final.


Allowable Subject Matter
Claims 6, 12 and 18 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 7 and 13 have been considered but are moot because the new ground of rejection does not rely on the same exact references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

	B) Applicant’s filing of a Terminal Disclaimer on 2/12/2021 has been approved.  As result the Double patenting rejections have been withdrawn.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wilson et al. (US 8,347,349) in view of Cuomo et al. (US 2018/0268151) and Cobb (US 2019/0342286).

As per claim 1, Wilson teaches a computer-implemented method for account management, the method comprising: receiving a permission query message from a service system, wherein the service system sends the permission query message to query operation permission of a current user for an enterprise account registered with the service system in response to the current user performing a service operation based on the enterprise account (Wilson, Fig. 2 and Col. 7 Lines 40-59 recites “where the server machine receives login credentials from a client computing device. The client computing device may include a browser and may be associated with a substantially arbitrary operating system. The login credentials may include cloud-based or cloud-aware login credentials, or non-cloud-based or non-cloud aware login credentials. The login credentials may be associated with a browser of the client computing device. The login credentials may be entered when a user starts up the browser of the client computing device. The client computing device may be an enterprise device. Alternatively, the client computing device may not be an enterprise device or may be associated with an enterprise different from an enterprise associated with the server machine. The client computing device may be associated with the login credentials of an enterprise account. In one implementation, the server machine may receive information identifying an enterprise account associated with either the client computing device or a user of the client computing device in place of the login credentials.” Permission query can be read on by the browser policy, since the login credentials would be seen as a request for permission to use the browser.);
obtaining verification information from a first client different from the service system based on the permission query message, wherein the first client is installed on a first end-user device of the current user, and the verification information is associated with an identity of the current user; determining that the verification information is valid (Wilson, Col. 4 Lines 54-60 recites “ The login/policy association module 110 may be configured to receive login credentials 112 and verify that the login credentials 112 are valid. If the login credentials are valid, the login/policy association module may generate or provide browser policy data 114 associated with the login credentials 112. The browser policy data 114 may be transmitted to the device associated with the login credentials 112.”).
But fails to teach in response to determining that the verification information is valid, obtaining, from a blockchain, proxy permission information for the current user, wherein the proxy permission information for the current user comprises at least operation permission information of the current user for the enterprise account, and sending the proxy permission information to the service system, the proxy permission information configured to be usable by the service system to determine whether to authorize the current user to perform an operation on the enterprise account.
However, in an analogous art Cuomo teaches to determining that the verification information is valid, obtaining, from a blockchain, proxy permission information for the current user, wherein the proxy permission information for the current user comprises at least operation permission information of the current user for the enterprise account,  (Cuomo, Paragraph 0034 recites “the method may include identifying a plurality of data parameters to extract from a blockchain based on a request for analytic data 312, creating one or more queries based on the data parameters 314, executing the one or more queries and retrieving the data parameters from the blockchain 316, identifying one or more permissions of a user account associated with the request for analytic data 318, and populating an interface with analytic figures based on the data parameters retrieved from the blockchain 322.”);
and sending the proxy permission information to the service system, the proxy permission information configured to be usable by the service system to determine whether to authorize the current user to perform an operation on the enterprise account (Cuomo, Paragraph 0034 recites “ identifying one or more permissions of a user account associated with the request for analytic data 318, and populating an interface with analytic figures based on the data parameters retrieved from the blockchain 322.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Cuomo’s automatic generating analytics from blockchain data with Wilson’s Configuring browser policy settings on client computing devices because it offers the advantage of distributed data so resistant to failures and attacks.
And fails to teach wherein operation permission indicated by the operation permission information is uploaded to the blockchain in response to verifying an identity of an administrator of the enterprise account that provided the operation permission information.
However, in an analogous art Cobb teaches wherein operation permission indicated by the operation permission information is uploaded to the blockchain in response to verifying an identity of an administrator of the enterprise account that provided the operation permission information (Cobb, Paragraph 0023 recites “wherein operation permission indicated by the operation permission information is uploaded to the blockchain in response to verifying an identity of an administrator of the enterprise account that provided the operation permission information.” Cobb is relied upon solely to teach the need to verify the identity of an administrator prior to an update/upload.  Wilson in combination with Cuomo and Cobb teaches blockchain technology.).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Cobb’s biometric cybersecurity and workflow management with Wilson’s Configuring browser policy settings on client computing devices because it 


Regarding claims 7 and 13, claims 7 and 13 are directed to a non-transitory readable medium and system associated with the method of claim 1. Claims 7 and 13 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Claims 2-4, 8-10 and 14-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wilson et al. (US 8,347,349), Cuomo et al. (US 2018/0268151) and Cobb (US 2019/0342286) and in further view of Ramarathinam et al. (US 2012/0096271).

As per claim 2, Wilson in combination with Cuomo and Cobb teaches the computer-implemented method of claim 1, wherein: the verification information comprises an authorization code; and obtaining the verification information from the first client comprises: sending an authorization instruction to the first client, wherein the authorization instruction requests the authorization code; and receiving the authorization code from the first client, wherein the authorization code is generated by the first client based on the authorization instruction and a client token.
	However, in an analogous art Ramarathinam teaches wherein: the verification information comprises an authorization code; and obtaining the verification information from the first client comprises: sending an authorization instruction to the first client, (Ramarathinam, Paragraph 0117 recites “Virtualization Host's Virtual Machine Management System (single port listener) mandates authenticating incoming connections using the CredSSP protocol. Enterprise end user's client needs to use the user account "Cloud\EnterpriseT" for authenticating at the CloudProvider's virtualization host using the CredSSP protocol. This credential is handed to the client by the Enterprise Virtual Machine Management system along with the signed token. Credential SSP is a Security Support Provider that provides Single-Sign-On (SSO). It is important to note that the end user does not enter this credential explicitly, but it is handled automatically by the client after communicating with the Enterprise Virtual Machine Management system. More importantly, in our case, this authentication mechanism imposed by Single Port Listener is useless because we do not want a user of the enterprise getting access to a VM belonging to even another user of the same enterprise. Our primary authentication and authorization mechanism is using signed tokens.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Ramarathinam’s Remote Access to Hosted Virtual Machines By Enterprise Users  with Wilson’s Configuring browser policy settings on client computing devices because it offers the advantage of a secure form of authentication.

As per claim 3, Wilson in combination with Cuomo and Cobb and Ramarathinam teaches the computer-implemented method of claim 2, Ramarathinam further teaches wherein, (Ramarathinam, Paragraph 0117 recites “Virtualization Host's Virtual Machine Management System (single port listener) mandates authenticating incoming connections using the CredSSP protocol. Enterprise end user's client needs to use the user account "Cloud\EnterpriseT" for authenticating at the CloudProvider's virtualization host using the CredSSP protocol. This credential is handed to the client by the Enterprise Virtual Machine Management system along with the signed token. Credential SSP is a Security Support Provider that provides Single-Sign-On (SSO). It is important to note that the end user does not enter this credential explicitly, but it is handled automatically by the client after communicating with the Enterprise Virtual Machine Management system. More importantly, in our case, this authentication mechanism imposed by Single Port Listener is useless because we do not want a user of the enterprise getting access to a VM belonging to even another user of the same enterprise. Our primary authentication and authorization mechanism is using signed tokens.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Ramarathinam’s Remote Access to Hosted Virtual Machines 


As per claim 4, Wilson in combination with Cuomo and Cobb and Ramarathinam teaches the computer-implemented method of claim 3, Ramarathinam further teaches wherein generating the client token comprises generating the client token using a digital signature function based on a private key, the identity information of the current user, and a random number (Ramarathinam, Paragraph 0117 recites “Virtualization Host's Virtual Machine Management System (single port listener) mandates authenticating incoming connections using the CredSSP protocol. Enterprise end user's client needs to use the user account "Cloud\EnterpriseT" for authenticating at the CloudProvider's virtualization host using the CredSSP protocol. This credential is handed to the client by the Enterprise Virtual Machine Management system along with the signed token. Credential SSP is a Security Support Provider that provides Single-Sign-On (SSO). It is important to note that the end user does not enter this credential explicitly, but it is handled automatically by the client after communicating with the Enterprise Virtual Machine Management system. More importantly, in our case, this authentication mechanism imposed by Single Port Listener is useless because we do not want a user of the enterprise getting access to a VM belonging to even another user of the same enterprise. Our primary authentication and authorization mechanism is using signed tokens.”).


Regarding claims 8 and 14, claims 8 and 14 are directed to a non-transitory readable medium and system associated with the method of claim 2. Claims 8 and 14 are of similar scope to claim 2, and are therefore rejected under similar rationale.

Regarding claims 9 and 15, claims 9 and 15 are directed to a non-transitory readable medium and system associated with the method of claim 3. Claims 9 and 15 are of similar scope to claim 3, and are therefore rejected under similar rationale.

Regarding claims 10 and 16, claims 10 and 16 are directed to a non-transitory readable medium and system associated with the method of claim 4. Claims 10 and 16 are of similar scope to claim 4, and are therefore rejected under similar rationale.

Claims 5, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wilson et al. (US 8,347,349), Cuomo et al. (US 2018/0268151) and Cobb (US 2019/0342286) and in further view of Rathod et al. (US 2015/0215297).

As per claim 5, Wilson in combination with Cuomo and Cobb teaches the computer-implemented method of claim 1, but fails to teach wherein before the receiving the permission query message from the service system, the method further comprises: 
obtaining initialization information when an initialization request for the administrator is received from a second client, wherein the second client is installed on a second end-user device of the administrator, and the initialization information comprises personal information of the administrator, device information of the second end-user device of the administrator, and information about an enterprise associated with the enterprise account; determining whether the initialization information is valid; obtaining identity information of the administrator from the second client in response to determining that the initialization information is valid; performing identity verification on the administrator based on the identity information of the administrator to verify an identity of the administrator; in response to verifying the identity of the administrator, determining a digital certificate, wherein the digital certificate is used to prove authenticity of the administrator and the enterprise; and sending the digital certificate to the second client.
	However, in an analogous art Rathod teaches wherein before the receiving the permission query message from the service system, the method further comprises: 
obtaining initialization information when an initialization request for the administrator is received from a second client, wherein the second client is installed on a second end-user device of the administrator, and the initialization information comprises personal information of the administrator, device information of the second end-user device of the administrator, and information about an enterprise associated with the enterprise account; determining whether the initialization information is valid; obtaining identity (Rathod, Paragraph 0043 recites “In stage 1, the administrator device 350 sends administrator credentials 301A to a first identity-provider device 320A. In stage 2, in response to verifying the administrator credentials 301A, the first identity-provider device 320A generates and sends a first token 320A, which may indicate administrator rights and may indicate an organization of the administrator, to the administrator device 350.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Rathod’s  devices, systems, and methods for device provisioning with Wilson’s Configuring browser policy settings on client computing devices because it offers the advantage of a secure form of authentication.

Regarding claims 11 and 17, claims 11 and 17 are directed to a non-transitory readable medium and system associated with the method of claim 5. Claims 11 and 17 are of similar scope to claim 5, and are therefore rejected under similar rationale.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK . TOLENTINO
Examiner
Art Unit 2439