DETAILED ACTION
Claim Status
This action is responsive to the application filed on 7/19/2019.  Claims 1-20 are pending in the case and are original claims.  Claims 1, 8, and 15 are independent.  Claims 1-20 are rejected.  
Specification Objections
The disclosure is objected to because of the following informalities:
Page 5, paragraph 22 should be amended as follows:  “Over time”
Appropriate correction is required. 

CLAIM REJECTIONS
35 U.S.C. 103 Claim Rejections
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

Claim(s) 1, 8, and 15 are rejected under 35 U.S.C. § 103 as being unpatentable over Fitzpatrick, III, U.S. 8,973,118 in view of Feekes, U.S. 2014/0337957. 

Regarding claims 1, 8, and 15, Fitzpatrick teach:  
A data processing device, comprising:
primary resources; (Fitzpatrick, column 4, lines 17-19, and Fig. 1, teach servers 140, 142, 144 which are primary resources Primary resources are not further defined in the specification.)
an authentication engine programmed to: (Fitzpatrick, column 6, lines 6-13 and Fig. 1, teach ensuring authentication processes being “implemented at server 144. Alternatively, the service provider can deploy an authentication server (not shown).”)
obtain, via the always-on in-band connection, an operation request and an authentication token corresponding to the operation request; (Fitzpatrick, column 4, lines 47-49, Fig. 1, teach in-band Ethernet connections.  Fitzpatrick, column 13, lines 5-11, and Fig. 3, teach that values in a token will be “used in process 300 for determining whether or not the client is authorized to access to the function of the service as requested (e.g., as specified in the message body)”.)
in response to obtaining the authentication token: 
obtain a list of authorized operations using the authentication token; (Fitzpatrick, column 13, lines 40-45, and Fig. 3, teach “Step 303 includes performing a lookup operation to find the requested function name or other identifier”… “using a list of allowed functions. For example, this list of functions may be used to control the individual functions of the service that the particular client is authorized to access.”)
make a determination that an operation indicated by the operation request is allowable based on the list of authorized operations; and (Fitzpatrick, column 13, lines 59-60, and Fig. 3, teach determining, at step 304, if the requested function is in the allowed functions list.)
perform the operation based on the determination.  (Fitzpatrick, column 16, lines 53-59, and Figs. 2 and 3, message processing proceeds from process 300 back to process 200 and the function, based on the determination, is executed at block 208.)
Fitzpatrick does not, but in related art, Feekes teaches:  
… an out-of-band manager operably connected to the primary resources via an always-on in-band connection; and …  (Feekes, ¶ [0022], lines 11-13, and Fig. 3, teach an out-of-band (OOB) communication module 308 (.i.e., out-of-band manager).  Feekes, ¶ [0038], lines 12-14, and Fig. 8, teach an in-band connection between a computing device 802/primary resource and a network back end 806/out-of-band communication module 308.)
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Fitzpatrick and Feekes, to authenticate the execution of functions or setting configurations as taught in Fitzpatrick combined with the out-of-band manager connected to primary resources with an always-on in-band connection of Feekes.  The motivation to do so is to have a secondary way to authenticate a client with the out-of-band manager if a primary in-band connection becomes inoperable.


Regarding claims 2, 9, and 16, Fitzpatrick and Feekes teach:  
The data processing device of claim 1, 
wherein the authentication engine is further programmed to: 
obtain a second operation request and a second authentication token corresponding to the second operation request; (Fitzpatrick, column 13, lines 5-7, and Figs. 2-3, if a first operation request can be made/received, then a second operation request can be made/received.  If a first authentication token can be obtained then a second authentication token can be obtained.)
in response to obtaining the second authentication token: 
obtain a second list of authorized operations using the second authentication token; (Fitzpatrick, column 13, lines 40-45, and Fig. 3, teach “Step 303 includes performing a lookup operation to find the requested function name or other identifier”… “using a list of allowed functions”.)
make a second determination that the operation indicated by the second operation request is not allowable based on the second list of authorized operations; and (Fitzpatrick, column 13, lines 59-60, and Fig. 3, teach determining, at step 304, if the requested function is in the allowed second functions list and is allowable.)
reject the operation based on the second determination. (Fitzpatrick, column 16, lines 44-53, and Figs. 2 and 3, message processing proceeds from process 300 back to process 200 and function, based on the determination, is rejected at block 211.) 
Fitzpatrick does not, but in related art, Feekes teaches: 
… via the always-on in-band connection, … (Feekes, ¶ [0038], lines 12-13, and Fig. 8, teach an in-band connection.)

Regarding claims 3, 10, and 17, Fitzpatrick and Feekes teach:  
The data processing device of claim 1, 
wherein the authentication token is generated by an authenticator and the list of authorized operations is obtained from the authenticator. (Fitzpatrick, column 6, lines 6-13, and Fig. 1, teach ensuring authentication processes performs authentication using a token being “implemented at server 144. Alternatively, the service provider can deploy an authentication server (not shown).”  Fitzpatrick, column 7, lines 35-39, teach generating a token.  Fitzpatrick, column 13, lines 5-11, teach extracting functions (i.e., a list of operations) supported by the token from a header of a token.  Because the list of supported instructions correspond with the token, they were earlier obtained by the token.)

Regarding claims 4, 11, and 18, Fitzpatrick and Feekes teach:  
The data processing device of claim 3, 
wherein the authentication engine is operably connected to the authenticator by an in-band connection and (Fitzpatrick, column 6, lines 6-13, and Fig. 1, teach ensuring authentication processes “implemented at server 144. Alternatively, the service provider can deploy an authentication server (not shown).” Fitzpatrick, column 4, lines 36-49, and Fig. 1, teach a server 140/authenticator connected to a network 130 that may be a wired Ethernet network with an in-band connection.)
Fitzpatrick does not, but in related art, Feekes teaches: 
	the out-of-band manager is operably connected to the authenticator by an out-of-band connection. (Feekes, ¶ [0005], lines 10-18, and Fig. 2, teach the out-of-band manager (e.g., network backend 202) is operably connected to the authenticator 
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Fitzpatrick and Feekes, to authenticate the execution of functions or setting configurations as taught in Fitzpatrick combined with the out-of-band manager connected to an out-of-band connection of Feekes.  The motivation to do so is to have a secondary way to authenticate a client with the out-of-band manager if a primary in-band connection becomes inoperable.

Regarding claim 5, Fitzpatrick and Feekes teach:  
The data processing device of claim 1, 
wherein the operation impacts the primary resources. (Fitzpatrick, column 6, lines 59 to column 7, line 7, teach a client using a server(s)/primary resources to process a message.  A change in a memory content or any bit of any state of a server/primary resource is an impact of the primary resources.)

Regarding claims 7 and 14, Fitzpatrick and Feekes teach:  
The data processing device of claim 6,
wherein the authentication token is obtained from an authenticator that provides the list of authorized operations. (Fitzpatrick, column 6, lines 6-13, teach ensuring authentication processes performs authentication using a token being “implemented at server 144. Alternatively, the service provider can deploy an authentication server (not shown).”  Fitzpatrick, column 13, lines 5-11, teach extracting functions (i.e., a 

Regarding claims 12 and 19, Fitzpatrick and Feekes teach:  
The method of claim 8, 
wherein the operation impacts primary resources of the data processing device and the out-of-band manager is hosted by the data processing device.  (The specification, page 5, ¶ [0020], states that a data processing device is a computer device which may be a server.  Fitzpatrick, column 6, lines 59 to column 7, line 7, teach a client using a server(s)/primary resource(s) to process a message.  A change in a memory content or any bit of any state of a server/data processing device is an impact of the data processing device.  Because the data processing device may be a computer (specification, page 5, ¶ [0020]), the data processing device may host the out-of-band manage).

Claim 6 is rejected under 35 U.S.C. § 103 as being unpatentable over Fitzpatrick, in view of Feekes, and in further view of Cahill et al. (US 10,944,561). 

Regard claim 6, Fitzpatrick and Feekes teach:  The data processing device of claim 1,
Fitzpatrick and Feekes do not, but in related art, Cahill teaches: wherein the out-of-band manager is programmed to: 
obtain a remote operation request for the operation from an entity; (Cahill, column 21, lines 17-19, and Fig. 6, teach a computing resource service (e.g., out-of-band manager) receives 602 a request from a user to access one or more resources (e.g., operation request) provided by the computing resource service (e.g., an entity).) 
obtain the authentication token for the entity; (Cahill, column 21, lines 29-31, and Fig. 6, teach determining “whether a security token has been provided by the user” at block 604, of Fig. 6.  Thus, if a token is received, it is axiomatic to have been obtained.)
generate the operation request based on the operation; and (Cahill, column 21, lines 47-50, teach the received request is transmitted to the authorization service.  It is axiomatic to convert/generate the operation to another format, if needed, before sending it to the authorization engine.)
provide, via the always-on in-band connection, the operation request and the authentication token to the authentication engine. (Cahill, column 21, lines 47-50, and Fig. 6, teach the computing resource service transmits, at block 608, the received request and the security token to an authorization service (authentication engine).  Cahill, Fig. 3 illustrates an in-band connection between the authorization system and the computing resource service.)
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Fitzpatrick, Feekes, and Cahill to authenticate the execution of functions or setting configurations as taught combined with in-band and out-of-band features as taught in Fitzpatrick and Feekes combined with policy implementation with the use of tokens as taught by Cahall.  The motivation to do so is to enable tokens to be used to access resources in accordance with a set of access control policies.
 
Regarding claims 13 and 20, Fitzpatrick and Feekes teach:  The method of claim 8, 
Fitzpatrick and Feekes do not, but in related art, Cahill teaches:
further comprising: 
obtaining, by the out-of-band manager, a remote operation request for the operation from an entity; (Cahill, column 21, lines 17-19, and Fig. 6, teach a computing resource service (e.g., out-of-band manager) receives 602 a request from a user to access one or more resources (e.g., operation requests) provided by the computing resource service (e.g., an entity).)
obtaining, by the out-of-band manager, the authentication token for the entity; (Cahill, column 21, lines 29-31, and Fig. 6, teach determining “whether a security token has been provided by the user” at block 604, of Fig. 6.  Thus, if a token is received it is axiomatic to be received.)
generating, by the out-of-band manager, the operation request based on the operation; and (Cahill, column 21, lines 47-50, teach the received request is transmitted to the authorization service.  It is axiomatic to convert/generate the operation to another format, if needed, before sending it to the authorization engine.)
providing, by the out-of-band manager and via the always-on in-band connection, the operation request and the authentication token to the authentication engine. (Cahill, column 21, lines 47-50, and Fig. 6, teach the computing resource service transmits, at block 608, the received request and the security token to an authorization service (authentication engine).  Fig. 3 illustrates an in-band connection between the authorization service and the computing resource service.) 

Conclusion
In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  US 2007/0283011 discloses synchronizing configuration information among multiple clients.  US 2012/0096272 discloses a security model for industrial devices.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODNEY E HAVEN whose telephone number is (313) 446-6648.  The examiner can normally be reached on 7:30 - 4:30 Monday to Thursday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

/R.E.H./Examiner, Art Unit 2435                                                                                                                                                                                                        
/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435