DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant's amendments filed on 02/24/2021 have been received and entered. Currently, claims 1-20 are pending.

Response to Arguments
Applicant argues on page 14 of applicant’s remarks that none of the cited references, alone or combined, teach or suggest wherein the highly secured network location consists of a company VPN and company intranet network.
The examiner respectfully disagrees.  Barhudarian teaches determining a location of a user, where the location corresponds to a network such as a corporate network, where a corporate network is safer and less risky than a public or home network ([0020]-[0021]).  Therefore, Barhudarian teaches limitations of the claims.

Applicant argues on page 14 of applicant’s remarks that none of the cited references, alone or combined, teach or suggest “...responsive to determining the network location of the user is located on the highly secured network location, the user has access to an admin ACL(access control list) and the login and password is valid, assigning, by the one of more processors, a Data API token to the user..." and "...responsive to determining the network location of the user is located not located on the highly secured network location, the user has access to a client ACL(access control list) and the login and password is valid, assigning, by the one of more processors, an Interaction API token to the user...”
Applicant’s arguments are moot in view of the new ground(s) of rejection.

Claim Objections
Claim 1 is objected to because of the following informalities:  the claim recites “responsive to determining the network location of the user is located not located on the highly secured network 

Claims 1, 8 and 15 are objected to because of the following informalities: the claims recite the term “VPN” without defining it.  It is suggested to amend to “virtual private network (VPN)”.
Appropriate corrections are required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As per claims 1, 8 and 15, the claims recite “determining, by the one of more processors, whether the received network location of the user is associated with a highly secured network location, wherein the highly secured network location consists of a company VPN and company intranet network”. It is unclear to the examiner whether the user is associated with one or both of the highly secured locations. In other words, it is unclear if the user is associated with both the company VPN and the intranet or just one of the locations. If the limitation is that the user is associated with both locations, it is unclear to the examiner how the user can be associated with both the VPN and the intranet locations at the same time. For examination purposes in applying prior art, the examiner interprets the limitation as: determining whether the received network location of the user is associated with a highly secured network location, wherein the highly secured network location is one of a company VPN and a company intranet network.
Dependent claims 2-7, 9-14 and 16-20 depend on independent claims 1, 8 and 15 respectively, and they do not further clarify the issues; therefore, they are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 6-8, 12-15 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lander et al. US2017/0331832 hereinafter referred to as Lander, in view of Barhudarian et al. US2020/0007535 hereinafter referred to as Barhudarian, and Davis et al. US2017/0111336 hereinafter referred to as Davis.
As per claim 1, Lander teaches a computer implemented method for allowing API access for different types of users to an application, the computer implemented method comprising: receiving, by one of more processors, a request for access to an API (Application Programming Interface) from a user (Lander paragraph [0090]-[0091], [0138], [0188], [0242], receive request for access to API resource); 
sending, by the one of more processors, a request for a login credential to the user based on a type of API requested (Lander paragraph [0090]-[0091], [0190], [0242], provide login page to user based on the requested access); 
receiving, by the one of more processors, the login credential from the user (Lander paragraph [0138], [0190], [0242], receive user credentials and authenticate user); 

receiving, by the one of more processors, the login credential (Lander paragraph [0138], [0190], [0242], receive user credentials and authenticate user); 
validating, by the one of more processors, the login credential (Lander paragraph [0138], [0190], [0242], receive user credentials and authenticate user); 
responsive to the login and password is valid, assigning, by the one of more processors, a Data API token to the user (Lander paragraph [0190], [0192]-[0194], [0242], authenticating user credential and generating a token including allowed scopes); and 
responsive to the login and password is valid, assigning, by the one of more processors, an Interaction API token to the user (Lander paragraph [0190], [0192]-[0194], [0242], authenticating user credential and generating a token including allowed scopes); and
granting, by the one of more processors, the user access to the API based on the API token (Lander paragraph [0142], [0194], [0250], [0252], receive and verify token and allow access to API resource).  
Lander does not explicitly disclose receiving, by one of more processors, a network location associated with user; 
validating, by the one of more processors, the network location; 
determining, by the one of more processors, whether the received network location of the user is associated with a highly secured network location, wherein the highly secured network location consists of a company VPN and company intranet network; 
responsive to determining the network location of the user is located on the highly secured network location assigning, by the one of more processors, a token to the user;
responsive to determining the network location of the user is located not located on the highly secured network location assigning, by the one of more processors, a token to the user.
Barhudarian teaches receiving, by one of more processors, a network location associated with user (Barhudarian paragraph [0004], [0018], [0020]-[0021], determine device location and verify risk of device location); 

determining, by the one of more processors, whether the received network location of the user is associated with a highly secured network location, wherein the highly secured network location consists of a company VPN and company intranet network (Barhudarian paragraph [0020]-[0021], determine risk factor of device location); 
responsive to determining the network location of the user is located on the highly secured network location assigning, by the one of more processors, a token to the user (Barhudarian paragraph [0004], [0018], [0020]-[0021], generate token based on location);
responsive to determining the network location of the user is located not located on the highly secured network location assigning, by the one of more processors, a token to the user (Barhudarian paragraph [0004], [0018], [0020]-[0021], generate token based on location).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lander with the teachings of Barhudarian to include creating a token based on network location in order to provide different tokens for access to resources for different resources having different levels of sensitivity.
Lander in view of Barhudarian does not explicitly disclose user has access to an admin ACL(access control list);
the user has access to a client ACL(access control list).
Davis teaches user has access to an admin ACL(access control list) (Davis paragraph [0078]-[0080], [0095], admin acl);
the user has access to a client ACL(access control list) (Davis paragraph [0078]-[0080], [0095], user acl).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lander in view of Barhudarian with the teachings of Davis to include an access control list because the results would have been predictable and resulted in the access control of resources based on an access control list.

As per claim 3, Lander in view of Barhudarian and Davis teaches the method of claim 1, wherein the API comprises a data API and an interaction API (Lander paragraph [0090], [0102], [0133], [0301], [0306], plurality of APIs).  

As per claim 6, Lander in view of Barhudarian and Davis teaches the method of claim 1, sending a request for a login credential to the user further comprising: transmitting, by the one of more processors, a request to a mobile device of the user; and transmitting, by the one of more processors, the request to a client computing device of the user (Lander Fig. 1, paragraph [0041], [0055], [0190], provide login page to user).  

As per claim 7, Lander in view of Barhudarian and Davis teaches the method of claim 1, wherein the predetermined network location further comprises a highly secured network location and a public network location (Barhudarian paragraph [0021]).  

As per claims 8, 12-15 and 19-20, the claims claim a computer program product and a system essentially corresponding to the method claims 1, 3 and 6-7 above, and they are rejected, at least for the same reasons.

Allowable Subject Matter
Claims 2, 4-5, 9-11 and 16-18 would be allowable if rewritten to overcome the claim objections and the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959.  The examiner can normally be reached on M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HENRY TSANG/Primary Examiner, Art Unit 2495