DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1 and 14 were amended; claims 1-24 are pending.
Response to Arguments
Applicant's arguments filed 02/16/2021 have been fully considered but they are not persuasive. On page the applicant argued that "The key to supporting any rejection under 35 U.S.C. 103 is the clear articulation of the reason(s) why the claimed invention would have been obvious. . . . [R]ejections on obviousness cannot be sustained with mere conclusory statements." M.P.E.P. § 2142, 9th Ed. (Mar. 2014) (internal citation and inner quotation omitted). "[T]he framework for the objective analysis for determining obviousness under 35 U.S.C. 103 is stated in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966). ... The factual inquiries . . . are as follows: (A) [d]etermining the scope and content of the prior art; and (B) [a]scertaining the differences between the claimed invention and the prior art; and (C) [r]esolving the level of ordinary skill in the pertinent art." M.P.E.P. § 2141(II). In rejecting a claim, "Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art." M.P.E.P. § 2141(III). The Examiner recognizes that obviousness can only be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge.

The rest of the applicant's arguments with respect to claims 1 and 14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8, 10-16, 18-19 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1).

With regard to claims 1 and 14, Kottahachchi discloses a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for automatically provisioning dynamic privileged access resources, the operations comprising:
receiving a notification that an identity is seeking to participate in a privileged session with an access-restricted network resource or seeking to perform a privileged action with the access-restricted network resource ([0022]-[0023] Session access to at least one secure resource may be provided when a user is authenticated. In some examples, a request to perform an action associated with the secure resource may be received during the session. [0052] In some examples, the account management service 108 is configured to enable dynamic policies, roles, permissions, etc., by offering session access that can be monitored (e.g., each keystroke, command, etc.), two-man rule functionality, and/or step-up authentication/authorization services. Note: when the user sends a log-in request to access a resource, it triggers the monitoring process.);
automatically provisioning, in response to the notification, a dynamic privileged access resource for use by the identity in participating in the privileged session with the access-restricted network resource ([0023] According to at least one example, a system may include memory, processors configured to access the memory, and a privileged access management module that provides a privileged access ...), the dynamic privileged access resource being provisioned to account for one or more changes occurring in a network environment, the one or more changes comprising an elevation of the identity's privileged access rights ([0040] Additionally, in some examples, during a single session of a user 102, the rights of that user 102 may change. For example, a user 102 may have rights to change a password during a session (e.g., while a session is checked out and the account management service 108 is providing the controlled proxy service to the user 102); however, an administrator or other entity associated with the account management service 108 may change the rights of the user 102 during the session such that the user 102 can no longer change passwords. Actions may be taken by the session module 156 (e.g., the proxy service) to limit, block, cancel, and/or change the actions, rights, roles, and/or permissions of the user 102 while accessing the session.),
wherein the automatically provisioning includes at least one of: 
providing authentication information for use by the identity in accessing the access-restricted network resource ([0051] Additionally, in some examples, step-up authorization may be implemented by the account management service 108. A user 102 may attempt to check out a password or session from the account management service 108, and the account management service 108 may request a token (e.g., via the workflow described above) and/or ...);
limiting network access of the privileged access resource based on network access rights needed to participate in the privileged session with the access-restricted network resource or the privileged action the identity is authorized to perform ([0052]; For example, the account management service 108 may provide a user 102 permission to implement a first action, but not allow it again later; to provide a user 102 permission to implement actions or access resources only during certain periods (windows of time in the year, month, week, day, hour, etc.); and/or to provide a user 102 permission to implement actions or access resources for limited amounts of time.); and 
limiting functionality of the privileged access resource based on functionality needed to participate in the privileged session with the access-restricted network resource or the privileged action the identity is authorized to perform ([0064] A privileged account may be allowed to perform a list of actions/commands on a system based on its privileges. A user accessing such a privileged account gets to perform all of those allowed commands. The privileged account management service 108 provides an additional layer of policy based restriction on which commands can be executed, by whom and based on runtime factors. Further the privileged account management service 108 may allow useradd/userdel to be run only on working hours between 9-5 Mon to Fri for one user but let another user have 24/7 access to the command (again, in some cases, ...);
determining that the privileged session with the access-restricted network resource has ended or that the privileged action has been performed ([0093] The privileged account management service session manager wants to extend this functionality to sessions in privileged session management. During a session, two authorized users must always be present at all the times. If at any time any user logs out, the session is terminated. Suppose Alice and Bob are two users who have been granted access to a privileged resource. If any action needs to be performed on the resource, flow would be: [0094] Alice logs in and tries to initiate the session; session manager would make Alice wait till Bob logs in as well and initiates the session. (Vice-versa). [0095] Once both are logged in, the session starts. Both the users would see the same screen. All the actions performed by any of them are visible to both of them. [0096] If any of the user logs out, the session is terminated.); and 
automatically deprovisioning, based on the determination, the privileged access resource ([0054]; In some aspects, when the user 102 is finished accessing the account 212, the user 102 may check the password back in with the access manager 202 and/or end the session.).  

Kottahachchi does not disclose, but Gupta discloses,
controlling a local operation running locally on a computing device associated with the identity seeking to participate in a privileged session with an access-restricted network resource or seeking to perform a privileged action with the access-restricted network resource ([0063] Once a user token is created, the trusted resource can attempt to be accessed in an analogous manner to that described in detail above. Specifically, the process or processes impersonating the remote user on the host computing device can use an "open file" command, causing the operating system, or other process that controls access to the trusted resource, to check the user's token to determine if the user is authorized to access the trusted resource. If the user is not authorized to access the trusted resource, the operating system, or other process controlling access to the trusted resource, can return a failure indicator to the process or processes impersonating the remote user, and that failure indicator can be forwarded over the peer-to-peer connection to one or more processes on the requesting device, which can notify the user of the failure. [0064] ...), the controlling including at least one of:
disabling a communication port of the computing device;
blocking the communication port of the computing device;
restricting the communication port of the computing device;
disabling a packet filter of the computing device;
blocking the packet filter of the computing device;
restricting the packet filter of the computing device;
terminating an unfamiliar process or application running on the computing device ([0063], quoted above);
terminating an irregular process or application running on the computing device.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kottahachchi's method with the teaching of Gupta in order to secure transactions between peers with trust (Gupta [0006]).
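The claim elements mapped above (provisioning a session when an identity requests privileged access, scoping what the session may do to the commands and time windows the identity is authorized for, the two-man rule of Kottahachchi [0093]-[0096], and deprovisioning with revocation of the credential when the session ends) can be modelled compactly. The Python below is an illustrative model added to this page; it is not part of the Office action and is not code from Kottahachchi, Gupta or the applicant. The class and method names (CommandPolicy, PamService, checkout, run, checkin), the weekday/hour policy shape and the sample users and resource named in the usage note are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
import secrets


@dataclass(frozen=True)
class CommandPolicy:
    """Commands a user may run, restricted to weekdays/hours (hypothetical model).

    weekdays uses datetime.weekday() numbering: 0 = Monday ... 6 = Sunday.
    """
    commands: FrozenSet[str]
    weekdays: FrozenSet[int] = frozenset(range(7))
    hours: FrozenSet[int] = frozenset(range(24))

    def permits(self, command: str, now: datetime) -> bool:
        return (command in self.commands
                and now.weekday() in self.weekdays
                and now.hour in self.hours)


@dataclass
class Session:
    """A provisioned privileged session (the 'dynamic privileged access resource')."""
    resource: str
    required: int                       # 1 normally, 2 under the two-man rule
    participants: Set[str] = field(default_factory=set)
    credential: Optional[str] = None    # issued only while the session is active
    active: bool = False
    log: List[Tuple[str, str]] = field(default_factory=list)


class PamService:
    def __init__(self, policies: Dict[str, CommandPolicy], two_man_resources=()):
        self.policies = policies
        self.two_man = set(two_man_resources)
        self.sessions: Dict[str, Session] = {}

    def checkout(self, user: str, resource: str) -> Session:
        """Notification that `user` seeks a privileged session on `resource`.

        Provisions the session automatically. For a two-man resource the
        session stays pending until a second authorized user checks out too.
        """
        if user not in self.policies:
            raise PermissionError(f"{user} has no privileged-access policy")
        required = 2 if resource in self.two_man else 1
        sess = self.sessions.setdefault(resource, Session(resource, required))
        sess.participants.add(user)
        if not sess.active and len(sess.participants) >= sess.required:
            sess.active = True
            # The target credential is bound to the proxy session and is
            # never handed to the user directly (constructed value).
            sess.credential = secrets.token_hex(16)
        return sess

    def run(self, resource: str, user: str, command: str, now: datetime) -> str:
        """Policy check applied to every command issued through the session."""
        sess = self.sessions.get(resource)
        if sess is None or not sess.active or user not in sess.participants:
            return "denied: no active session"
        if not self.policies[user].permits(command, now):
            return f"denied: {command} not permitted for {user} at {now:%a %H:%M}"
        sess.log.append((user, command))
        return "allowed"

    def checkin(self, resource: str) -> bool:
        """Session ended: deprovision and revoke the credential.

        Under the two-man rule any participant logging out ends the session
        for everyone, so a single check-in tears the whole session down.
        """
        sess = self.sessions.pop(resource, None)
        if sess is None:
            return False
        sess.active = False
        sess.credential = None
        return True
```

Usage, with constructed sample policies: give "alice" a CommandPolicy allowing useradd/userdel on weekdays 0-4 during hours 9-16 and "bob" the same commands with no time restriction, mark a resource "db01" as two-man, and call checkout for alice alone (the session stays pending and run() is denied), then for bob (the session becomes active and a credential is issued). A useradd by alice on a Monday at 10:00 is allowed, the same command on a Saturday is denied for alice but allowed for bob, and a command outside either allow-list is denied. After checkin("db01") the credential is None and every further run() is denied, which is the deprovisioning step of the claim.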

With regard to claim 2, Kottahachchi further discloses wherein the privileged access resource is an on-premises computer system being used by the identity ([0033] The user devices 104 may be any type of computing device such as, but not limited to, a mobile phone, a smart phone, a personal digital assistant (PDA), a laptop computer, a desktop computer, a thin-client device, a tablet PC, etc.).

With regard to claim 3, Kottahachchi further discloses wherein the automatically provisioning includes automatically elevating the identity's privileged access rights ([0040] Additionally, in some examples, during a single session of a user 102, the rights of that user 102 may change. For example, a user 102 may have rights to change a password during a session (e.g., while a session is checked out and the account management service 108 is providing the controlled proxy service to the user 102); Note: here the rights are lowered, but they could be elevated as well.).

With regard to claim 4, Kottahachchi further discloses wherein the privileged access resource is a virtual computing resource spun up for use by the identity ([0044] As noted above, the account management service 108 may be configured with a plug-in framework, using one or more APIs, that enable custom logic of customers (e.g., developers, administrators, and/or resource owners) for accessing software applications (e.g., enterprise solutions or the like) and/or network resources (e.g., virtual machines, network-accessible data, etc.) of the customers. In some examples, the account management service may be implemented or deployed within a single virtual machine (e.g., a java virtual machine or the like) or processor.).

With regard to claim 8, Kottahachchi further discloses wherein providing the authentication information includes providing the authentication information to the privileged access resource for use by the identity ([0028] The target system may include one or more databases, lightweight directory access protocol (LDAP) servers, ...).

With regard to claim 10, Kottahachchi further discloses wherein automatically deprovisioning the privileged access resource includes revoking the identity's access to the authentication information ([0040] Additionally, in some examples, during a single session of a user 102, the rights of that user 102 may change. For example, a user 102 may have rights to change a password during a session (e.g., while a session is checked out and the account management service 108 is providing the controlled proxy service to the user 102); however, an administrator or other entity associated with the account management service 108 may change the rights of the user 102 during the session such that the user 102 can no longer change passwords. ... Actions may be taken by the session module 156 (e.g., the proxy service) to limit, block, cancel, and/or change the actions, rights, roles, and/or permissions of the user 102 while accessing the session.).

With regard to claim 11, Kottahachchi further discloses wherein limiting the network access rights of the privileged access resource includes limiting the IP addresses with which the privileged access resource is allowed to communicate ([0062] The privileged account management service 108 policies allow flexibility to decide whether access is granted or not based on runtime factors such as the time at which the request is made, the locality from which the request is received, the software client making the ...).

With regard to claim 12, Kottahachchi further discloses wherein limiting the functionality of the privileged access resource includes blocking a local operation running locally on a computing device associated with the identity ([0070] On the other hand, if the process determines at 918 that the action/command is not allowed, the process 900 may deny the action/command at 922 and then continue to 924. [0065-66] Note: as "local operation" is not defined, the Examiner interprets it such that deleting a write-protected file is blocked if the user is not the owner.).

With regard to claim 13, Kottahachchi in view of Gupta teaches wherein limiting the functionality of the privileged access resource includes hooking a local operation running locally on a computing device associated with the identity (Gupta [0063] Once a user token is created, the trusted resource can attempt to be accessed in an analogous manner to that described in detail above. Specifically, the process or processes impersonating the remote user on the host computing device can use an "open file" command, causing the operating system, or other process that controls access to the trusted resource, to check the user's token to determine if the user is authorized to access the trusted resource. If the user is not authorized to access the trusted resource, the operating system, or other process controlling access to the trusted resource, can return ...).

With regard to claim 15, Kottahachchi further discloses wherein the notification is received by a software agent running locally on a computing device associated with the identity ([0034] In some aspects, the account management service computers 108 may also be any type of computing devices such as, but not limited to, mobile, desktop, thin-client, and/or cloud computing devices, such as servers).

With regard to claim 16, Kottahachchi further discloses wherein the notification is received by a server remote from a computing device associated with the identity ([0034] In some aspects, the account management service computers 108 may also be any type of computing devices such as, but not limited to, mobile, desktop, thin-client, and/or cloud computing devices, such as servers).

With regard to claim 18, Kottahachchi further discloses wherein limiting the functionality of the privileged access resource includes terminating a non-permitted process running on the privileged access resource ([0108] The privileged account management service session manager adds a temporal component to the grant. A white list or blacklist of actions can be specified with the mapping to the time periods. ...).

With regard to claim 19, Kottahachchi further discloses wherein limiting the functionality of the privileged access resource includes forcing the identity to terminate an open account session ([0093] The privileged account management service session manager wants to extend this functionality to sessions in privileged session management. During a session, two authorized users must always be present at all the times. If at any time any user logs out, the session is terminated.).

With regard to claim 23, Kottahachchi further discloses wherein receiving the notification occurs automatically based on monitoring activities of the identity ([0022] Session access to at least one secure resource may be provided when a user is authenticated. In some examples, a request to perform an action associated with the secure resource may be received during the session. [0052] In some examples, the account management service 108 is configured to enable dynamic policies, roles, permissions, etc., by offering session access that can be monitored (e.g., each keystroke, command, etc.), two-man rule functionality, and/or step-up authentication/authorization services. Note: when the user sends a log-in request to access a resource, it triggers the monitoring process.).

With regard to claim 24, Kottahachchi further discloses wherein receiving the notification occurs based on a request by the identity to provision the privileged access resource ([0023] ... from a user, a log-in request including at least first authentication information, the log-in request corresponding to the privileged access management service, provide access to at least one secure resource of the secure resources through a session when the user is authenticated with respect to the privileged access management service; [0052]).

Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Wegner et al. (US 9652306 B1).

With regard to claim 5, Kottahachchi in view of Gupta do not teach, but Wegner teaches, wherein the virtual computing resource is dynamically spun up in response to the notification (Wegner col. 2 line 65 to col. 3 line 30; In some implementations, code execution on such a virtual compute system can be triggered by one or more events that occur. ... The program code may perform any actions specified by the user who generated the trigger or by the virtual compute system, such as sending a notification or initiating a workflow. For example, a trigger can be configured to generate an event every time a given database is modified. In such an example, the triggered events can each cause the database modification to be recorded in permanent storage to create an audit trail of the activity in the database (e.g., by causing a program code configured to perform such storing operation to be executed). The events may further cause a program code that sends a notification to the administrator of the database to be executed on the virtual compute system.). It would have been obvious to one of ordinary skill in the art before

With regard to claim 7, Kottahachchi in view of Gupta and Wegner disclose wherein the virtual computing resource is dynamically terminated in response to the determination that the privileged session with the access-restricted network resource has ended (Wegner: For example, after a threshold time has passed (e.g., 5 minutes, 30 minutes, 1 hour, 24 hours, 30 days, etc.) without any activity (e.g., running of the code), the container and/or the virtual machine instance is shutdown (e.g., deleted, terminated, etc.), and resources allocated thereto are released. In some embodiments, the threshold time passed before a container is torn down is shorter than the threshold time passed before an instance is torn down.). The motivation would be the same as stated for claim 5.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Koppes et al. (US 20190294477 A1).

With regard to claim 6, Kottahachchi in view of Gupta do not teach, but Koppes teaches, wherein the virtual computing resource is a serverless code element (Koppes [0075] ...).

Claims 9 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Hinton et al. (US 20090100438 A1).

With regard to claim 9, Kottahachchi in view of Gupta do not teach, but Hinton teaches, wherein providing the authentication information includes enabling the privileged access resource to use the authentication information without providing the authentication information to the privileged access resource ([0006] A web browser is provided with a logout enablement function that traps a browser or page shutdown request and prevents that request from completing until the browser (or page) has logged ...).

With regard to claim 22, Kottahachchi in view of Gupta and Hinton teach wherein automatically deprovisioning the privileged access resource includes deleting a local process memory associated with the privileged access resource (Hinton [0036] The present invention provides several advantages. As one of ordinary skill in the art will appreciate, the inventive method provides a simple technique to facilitate "browser logoff" with respect to server-side application sessions. An advantage of this technique is that client-side browser shutdown is not permitted until server-side session artifacts (e.g., execution threads, local memory, data structures and session cookies) are first destroyed, killed or released.). The motivation would be the same as stated above for claim 9.

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Bailor et al. (WO 2015/168203 A1).

With regard to claim 17, Kottahachchi in view of Gupta do not teach, but Bailor teaches, wherein the notification is received based on a machine learning process that predicts that the identity will seek to participate in the privileged session with the access-restricted network resource (Bailor [0022] Table 3: Detect inappropriate use of administrative access). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kottahachchi in view of Gupta's method/product with the teaching of Bailor in order to protect the system from cyber attack (Bailor ABSTRACT).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Burnett et al. (US 7,080,406 B2).

With regard to claim 20, Kottahachchi in view of Gupta do not teach, but Burnett teaches, wherein automatically provisioning the privileged access resource includes restarting the privileged access resource (col. 7 line 50 to col. 8 line 25; The installation of the new product requires the shutting down of the security manager. The security administrator shuts down the security manager. The result of the security manager shut down is that those privileged processes would now terminate. When the last of these processes terminates, the result is that the privilege of the security manager reverts back to the native system administrator identity. The system administrator then installs the new product on the system. The product on the system gets successfully installed. At this point, the system security will be restarted. The system administrator, which has the ...).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (US 20150082373 A1) in view of Gupta et al. (US 20060242405 A1) and in view of Mao et al. (US 20140068767 A1).

With regard to claim 21, Kottahachchi in view of Gupta do not teach, but Mao teaches, wherein automatically provisioning the privileged access resource includes installing an application on the privileged access resource for use by the identity in accessing the access-restricted network resource (Mao FIG. 3 and associated text; [0069] In certain embodiments, and with reference to exemplary computing system 510 of FIG. 5, a communication interface, such as communication interface 522 in FIG. 5, may be used to provide connectivity between each client system 610, 620, and 630 and network 650. Client systems 610, 620, and 630 may be able to access information on server 640 or 645 using, for example, a web browser or other client software. [0001] In some cases, malware may gain root access on a user's mobile computing device, modifying system files and/or installing illegitimate applications without the user's awareness.). It would

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached from 8:30 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498