Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
2.	This Office Action is issued in response to the claims filed on 01/08/2020.
Claims 1-20 are pending in this Office Action.	

Priority
3.	Acknowledgement is made of applicant’s claim of continuation of U.S. Patent Application Serial. 15/697,862, filed on September 7, 2017, which claims priority of U.S. Provisional Patent Application Serial No. 62/394,470, filed on September 14, 2016.

Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 2/2/2021, 12/29/2020, 9/23/2020, 5/12/2020, 1/8/2020 have been considered by the examiner except the International Search Reports in IDS dated 12/29/20 because the documents have not been provided on file.

Embedded hyperlink	
5.	The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code (paragraphs 72, 134, and 155 of the printed publication). Applicant is required to delete the embedded hyperlink and/or other form of 
Appropriate corrections are required.

Objections
6.	The specification is objected to because it lacks support for all details cited in Fig.13.
	Appropriate correction is required.

Double Patenting
7.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
8.	Claims 1-20 of current application are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of US Patent No. 10,594,684.  Although the claims at issue are not identical, they are not patentably distinct from each other. The claims of the current application are anticipated by the claims of the patent 10,594,684 and they are drawn towards generating a derived access token for a job that has a timeframe to complete that exceeds a first validity time of a request access token.  

Instant Application 16/737,147
US patent 10,594,684
1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud based identity management, the providing comprising: 

receiving a request to execute a job, wherein the job has a timeframe to complete that exceeds a first validity time of a request access token; 




generating the request access token corresponding to the job, the request access token comprising access privileges; 

scheduling the job; 



persisting the request access token; 


triggering the job at a scheduled start time; 

generating a derived access token based on the request access token, wherein the derived access token comprises the access privileges and comprises a second validity time that is greater than the timeframe to complete; 

injecting the derived access token; and 


calling a service using the derived access token to execute the job.

2. The non-transitory computer readable medium of claim 1, wherein the service comprises a microservice and the request access token is persisted in an operational data store and cannot be accessed by other users.

3. The non-transitory computer readable medium of claim 1, further comprising signing the derived access token using current signing keys.

4. The non-transitory computer readable medium of claim 1, wherein the calling the service comprises invoking an application programming interface that corresponds to the service.


5. The non-transitory computer readable medium of claim 1, wherein the request access token is persisted with metadata corresponding to the job.



7. The non-transitory computer readable medium of claim 1, wherein the request comprises an identity of a tenant of a plurality of tenants that comprises a resource needed to execute the job.


8. A method to provide cloud based identity management, the method comprising: receiving a request to execute a job, wherein the job has a timeframe to complete that exceeds a first validity time of a request access token;




generating the request access token corresponding to the job, the request access token comprising access privileges; 

scheduling the job; 



persisting the request access token; 


triggering the job at a scheduled start time;

generating a derived access token based on the request access token, wherein the derived access token comprises the access privileges and comprises a second validity time that is greater than the timeframe to complete; 

injecting the derived access token; and 

calling a service using the derived access token to execute the job.

9. The method of claim 8, wherein the service comprises a microservice and the request access token is persisted in an operational data store and cannot be accessed by other users.



11. The method of claim 8, wherein the calling the service comprises invoking an application programming interface that corresponds to the service.

12. The method of claim 8, wherein the request access token is persisted with metadata corresponding to the job.

13. The method of claim 12, wherein the request access token is retrieved from the metadata and decoded.

14. The method of claim 8, wherein the request comprises an identity of a tenant of a plurality of tenants that comprises a resource needed to execute the job.

15. A system for providing cloud-based identity and access management, comprising: 
a plurality of tenants; 

a plurality of services; and 

one or more processors that: receive a request to execute a job, wherein the job has a timeframe to complete that exceeds a first validity time of a request access token; 


generate the request access token corresponding to the job, the request access token comprising access privileges; 


schedule the job; 



persist the request access token; 


trigger the job at a scheduled start time; 



inject the derived access token; and 


call a service using the derived access token to execute the job.

16. The system of claim 15, wherein each of the services comprises a microservice and the request access token is persisted in an operational data store and cannot be accessed by other users.

17. The system of claim 15, further comprising signing the derived access token using current signing keys.

18. The system of claim 15, wherein the call the service using the derived access token comprises invoking an application programming interface that corresponds to the service.

19. The system of claim 15, wherein the request access token is persisted with metadata corresponding to the job.

20. The system of claim 19, wherein the request access token is retrieved from the metadata and decoded.


receiving, at a current time, a request to execute a job, the job requiring a corresponding access token to be executed, the access token comprising an expiration time, wherein the job has a scheduled start time later than the current time plus the expiration time; 

generating, before the scheduled start time, a first access token corresponding to the job, the first access token comprising access privileges;

before the scheduled start time, scheduling the job to be executed at the scheduled start time using the first access token; 

persisting the first access token before the scheduled start time; 

triggering the job at the scheduled start time; 

in response to the triggering, generating a second access token that is derived from the first access token, wherein the second access token comprises the same access privileges as the first access token; 

injecting the second access token during runtime of the job; and 

using the second access token to execute the job after an expiration of the first access token. 

    2. The non-transitory computer readable medium of claim 1, wherein the second access token comprises an expiration time that exceeds a timeframe to complete the job. 

    
3. The non-transitory computer readable medium of claim 1, further comprising signing the second access token using current signing keys. 

    4. The non-transitory computer readable medium of claim 1, wherein executing the job comprises calling a microservice comprising invoking an application programming interface that corresponds to the microservice. 

    5. The non-transitory computer readable medium of claim 1, wherein the first access token is persisted with metadata corresponding to the job. 



    7. The non-transitory computer readable medium of claim 1, wherein the request comprises an identity of a tenant of a plurality of tenants that comprises a resource needed to execute the job. 

    8. A method to provide cloud based identity management, the method comprising: receiving, at a current time, a request to execute a job, the job requiring a corresponding access token to be executed, the access token comprising an expiration time, wherein the job has a scheduled start time later than the current time plus the expiration time,; 

generating, before the scheduled start time, a first access token corresponding to the job, the first access token comprising access privileges;

before the scheduled start time, scheduling the job to be executed at the scheduled start time using the first access token; 

persisting the first access token before the scheduled start time; 

triggering the job at the scheduled start time; 

in response to the triggering, generating a second access token that is derived from the first access token, wherein the second access token comprises the same access privileges as the first access token; 

injecting the second access token during runtime of the job; and 
using the second access token to execute the job after an expiration of the first access token. 

    9. The method of claim 8, wherein the second access token comprises an expiration time that exceeds a timeframe to complete the job. 

   


    11. The method of claim 8, executing the job comprises calling a microservice comprising invoking an application programming interface that corresponds to the microservice. 

    12. The method of claim 8, wherein the first access token is persisted with metadata corresponding to the job. 

    13. The method of claim 12, wherein the first access token is retrieved from the metadata and decoded. 

    14. The method of claim 8, wherein the request comprises an identity of a tenant of a plurality of tenants that comprises a resource needed to execute the job. 

    15. A system for providing cloud-based identity and access management, comprising: 
a plurality of tenants; 

a plurality of microservices; and 

one or more hardware processors that execute instructions to: receive, at a current time, a request to execute a job, the job requiring a corresponding access token to be executed, the access token comprising an expiration time, wherein the job has a scheduled start time later than the current time plus the expiration time,;
 generate, before the scheduled start time, a first access token corresponding to the job, the first access token comprising access privileges; 

before the scheduled start time, schedule the job to be executed at the scheduled start time using the first access token; 

persist the first access token before the scheduled start time; 

trigger the job at the scheduled start time; 



 inject the second access token during runtime of the job; and 

use the second access token to execute the job after an expiration of the first access token. 

    16. The system of claim 15, wherein the second access token comprises an expiration time that exceeds a timeframe to complete the job. 
   

 
17. The system of claim 15, further comprising signing the second access token using current signing keys. 

    18. The system of claim 15, wherein executing the job comprises calling a microservice comprising invoking an application programming interface that corresponds to the microservice. 

    19. The system of claim 15, wherein the first access token is persisted with metadata corresponding to the job. 

    20. The system of claim 19, wherein the first access token is retrieved from the metadata and decoded.


Claim Rejections - 35 U.S.C. § 103
9.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.	

10.	Claims 1, 4, 7, 8, 11, 14, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas et al. (US 2008/0301685), hereinafter “Thomas”, in view of Carter et al. (US 2012/0017085), hereinafter “Carter”.
	Regarding claim 1, Thomas discloses a non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud based identity management (paragraphs [0025]-[0026]), the providing comprising: 
receiving a request to execute a job, [wherein the job has a timeframe to complete that exceeds a first validity time of a request access token] (paragraph [0029]: a time-based scheduling job is registered with the scheduling service); 
generating the request access token corresponding to the job, the request access token comprising access privileges (paragraphs [0009], [0043], [0053]); 
scheduling the job (paragraphs [0029]-[0030]); 
persisting the request access token (paragraph [0009]: creation of token; paragraph [0053]:  it is obvious to store a created token and retrieved it for using at scheduled time); triggering the job at a scheduled start time (paragraph [0031]: payload is delivered as scheduled); 
Thomas does not explicitly disclose the job has a timeframe to complete that exceeds a first validity time of a request access token, generating a derived access token based on the request access token, wherein the derived access token comprises the access privileges and comprises a second validity time that is greater than the timeframe to complete; injecting the derived access token; and calling a service using the derived access token to execute the job.  However, obtaining a new token for a job (paragraph [0027]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Thomas’s teaching of job scheduling with Carter’s teaching of obtaining a new token for a job that operates longer than the expiration specification.  The motivation to do so would be to ensure network efficiency as taught by Carter (paragraph [0015]).
Regarding claim 4, Thomas and Carter disclose the non-transitory computer readable medium of claim 1, wherein the calling the service comprises invoking an application programming interface that corresponds to the service (Thomas, paragraph [0071] and Fig. 16 with associated text).
Regarding claim 7, Thomas and Carter disclose the non-transitory computer readable medium of claim 1, wherein the request comprises an identity of a tenant of a plurality of tenants that comprises a resource needed to execute the job (Thomas, paragraphs [0001] and [0008]: different scheduling jobs are delivered to different receivers of an enterprise).
Claims 8, 11, and 14 claim similar subject matters to claims 1, 4, and 7 respectively; therefore, claims 8, 11, and 14 are rejected at least for the same reasons as claims 1, 4, and 7 respectively.
Claims 15 and 18 claim similar subject matters to claims 1 and 4 respectively; therefore, claims 15 and 18 are rejected at least for the same reasons as claims 1 and 4 respectively.
11.	Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas et al. (US 2008/0301685), hereinafter “Thomas”, in view of Carter et al. (US 2012/0017085), hereinafter “Carter”, in view of “Rangasamy” et al .(US 2016/0124742), hereinafter “Rangasamy” and in view of Goldfarb (US 2017/0366547), hereinafter “Goldfarb”.
Regarding claim 2, Thomas and Carter disclose the non-transitory computer readable medium of claim 1. Thomas and Carter do not explicitly disclose the service comprises a microservice and the request access token is persisted in an operational data store and cannot be accessed by other users.  However, using token for microservice is known in the art and Rangasamy’s teaching is an example (Abstract and Fig. 6 with associated text).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Thomas and Carter’s teachings of job scheduling with obtaining a new token for a job that operates longer than the expiration specification and with Rangasamy’s teaching of microservice.  The motivation to do so would be to take advantage of microservice’s benefits (e.g., independently deployable and allow for more team autonomy, independently scalable, simpler to maintain).
Thomas, Carter and Rangasamy do not explicitly disclose the request access token is persisted in an operational data store and cannot be accessed by other users.  However, storing a token in a restricted area is known in the art and Goldfarb’s teaching is an example (paragraphs [0053] and [0067]).

Claims 9 and 16 claim similar subject matters to claim 2; therefore, claims 9 and 16 are rejected at least for the same reasons as claim 2.
12.	Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas et al. (US 2008/0301685), hereinafter “Thomas”, in view of Carter et al. (US 2012/0017085), hereinafter “Carter” and in view of Brown (US 10021077), hereinafter “Brown”.
Regarding claim 3, Thomas and Carter disclose the non-transitory computer readable medium of claim 1.  Thomas and Carter do not explicitly disclose signing the derived access token using current signing keys.  However, signing a token is known in the art and Brown’s teaching is an example (Abstract, Fig.3, box 312 with associated text).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Thomas and Carter’s teachings of job scheduling with obtaining a new token for a job that operates longer than the expiration specification and with Brown’s teaching of signing a token.  The motivation to do so would be to allow a user to have access to a protected network as taught by Brown (Abstract).
Claims 10 and 17 claim similar subject matters to claim 3; therefore, claims 10 and 17 are rejected at least for the same reasons as claim 3.
13.	Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas et al. (US 2008/0301685), hereinafter “Thomas”, in view of Carter et al. (US 2012/0017085), hereinafter “Carter” and in view of Park et al. (US 2011/0067097), hereinafter “Park”.
Regarding claim 5, Thomas and Carter disclose the non-transitory computer readable medium of claim 1.  Thomas and Carter do not explicitly disclose the request access token is persisted with metadata corresponding to the job.  However, storing token with metadata corresponding to the job is known in the art and Park’s teaching is an example (Figs 3 and 4 with associated text: authentication keys are stored with corresponding functions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Thomas and Carter’s teachings of job scheduling with obtaining a new token for a job that operates longer than the expiration specification and with Park’s teaching of storing token with metadata corresponding to the job because the results would be predictable and resulted in storing the token with its corresponding data.
Claims 12 and 19 claim similar subject matters to claim 5; therefore, claims 12 and 19 are rejected at least for the same reasons as claim 5.
14.	Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas et al. (US 2008/0301685), hereinafter “Thomas”, in view of Carter et al. (US 2012/0017085), hereinafter “Carter”, in view of Park et al. (US 2011/0067097), hereinafter “Park” and in view of Brady et al. (US 2015/0271200), hereinafter “Brady”.
Regarding claim 6, Thomas, Carter and Park disclose the non-transitory computer readable medium of claim 5. Thomas, Carter and Park do not explicitly disclose the request access token is retrieved from the metadata and decoded.  However, storing encrypted token is known in the art and Brady’s teaching is an example (paragraph [0098]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Thomas, Carter and Park’s teachings of job scheduling with obtaining a new token for a job that operates longer than the expiration specification and storing token with metadata corresponding to the job with Brady’s teaching of storing encrypted token so that the request access token is retrieved from the metadata and decoded.  The motivation to do so would be to protect the token from unauthorized entities.
Claims 13 and 20 claim similar subject matters to claim 6; therefore, claims 13 and 20 are rejected at least for the same reasons as claim 6.
Conclusion	
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 2:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THANH T. LE/
Examiner, Art Unit 2495

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495