DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The use of the trademark BLUETOOTH [paragraph 0064] has been noted in this application. It should be capitalized wherever it appears and be accompanied by the generic terminology.
Although the use of trademarks is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as trademarks.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 6-12 and 14-25 of U.S. Patent 10,609,077. Although the claims at issue are not identical, they are not patentably distinct from each other because aside from a few minor differences, these claims contain the same limitations and perform the same functions.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-2, 5-8, 10-11, 13-15, and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Brooker et al., (US 20140196130 A1) hereinafter referred to as Brooker.
Regarding Claim 1, Brooker discloses A computer-implemented method, comprising: detecting a notification event associated with a customer of a resource provider environment; [paragraph 0084, The policy collector 1004 may update the policy cache 1008 responsive to policy update notifications, for example, received from the policy management service 602 (FIG. 6) and/or the virtual resource servers 804-806 (FIG. 8). The policy collector 1004 may subscribe to notifications of updates to relevant policies and/or policy sets maintained at the policy management service 602 and/or the virtual resource servers 804-806. Alternatively, or in addition, the policy collector 1004 may periodically search for changes to policies in the policy cache 1008 and/or for newly relevant policies] [paragraph 0085, The decision data collector(s) 1012 may furthermore maintain one or more subsets and/or types of decision data in the decision data cache 1014, for example, responsive to update notifications from the decision data providers 512 and/or with updates discovered by periodic searching] 
determining a registered function corresponding to the notification event, the registered function including code to be executed on behalf of the customer; [paragraph 0080, Some provisioned resources 812-818 (FIG. 8) may have functionality that can be activated, and the activate resource functionality interface element 910 may be utilized to request an activation of that functionality. For example, some types of data object store may have a capability to analyze stored data objects, and the activate resource functionality interface element 910 may enable authorized clients to start, stop, suspend and/or perform the analysis. The delete resource attribute(s) interface element 912 may enable clients 204-206 (FIG. 2) to request a deletion and/or re-initialization of one or more attributes of one or more of the provisioned resources 812-818. For example, clients 204-206 with sufficient authorization may delete specified data objects from specified data object stores – the “registered functions” are functionalities such as analyzing, deleting, or re-initializing. The “event” is the request for activation of functionality] 
determining a base credential associated with the registered function, the base credential granting access to a plurality of network resources in the resource provider environment; [paragraph 0024, credentials are generated and distributed to computing resources of a security domain… Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information – credentials are generated for requested resources and can encode metadata which is the “base credential”]
determining a template policy associated with the registered function, the template policy including one or more variables; [paragraph 0083, The policy enforcement component 1002 may include a policy collector 1004 configured at least to collect relevant policies 534-542, 546 (FIG. 5) from locations throughout the virtual resource provider 502, and store them local to a decision engine 1006 in a policy cache 1008] 
causing values for the one or more variables to be inserted into the template policy to generate an event-specific policy, the values being determined based at least in part upon the notification event; [paragraph 0083, The policy enforcement component 1002 may include a policy collector 1004 configured at least to collect relevant policies 534-542, 546 (FIG. 5) from locations throughout the virtual resource provider 502, and store them local to a decision engine 1006 in a policy cache 1008… The decision engine 1006 may evaluate requests submitted to the policy enforcement component 1002 with respect to relevant policies in the policy cache 1008. At times, additional data may be required to support particular decisions with respect to particular policies. The policy enforcement component 1002 may still further include one or more decision data collectors 1012 configured at least to collect the required decision support data ("decision data") from locations throughout the virtual resource provider 502. Collected decision data may be stored local to the decision engine 1006 in a decision data cache 1014] 
obtaining an event-specific credential using the event-specific policy and the base credential, [paragraph 0024, credentials are generated and distributed to computing resources of a security domain… Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information – credentials are generated for requested resources and can encode metadata which is the “base credential”] 
the event-specific credential granting a subset of permissions granted by the base credential; [paragraph 0025, different credentials are generated for each of a plurality of subsets of a set of computing resources… Generation of the credentials may be made according to granularity information received from a user. The granularity information may be determinative of the subsets, such as by specifying information by which the subsets are defined. The granularity information may be received in connection with a user request to provision virtual computing resources]
allocating a resource instance for executing the registered function; [paragraph 0080, Some provisioned resources 812-818 (FIG. 8) may have functionality that can be activated, and the activate resource functionality interface element 910 may be utilized to request an activation of that functionality] 
causing the resource instance to obtain the event information and the event-specific credential; [paragraph 0102, When the credentials in connection with the request to access the computing resource are received 1402, in an embodiment, a determination is made 1404 whether the requester has a privilege allowing the requested access]
and causing the resource instance to process the notification event at least in part by executing the registered function using data obtained via the event-specific credential. [paragraph 0103, If it is determined that the requester has a privilege allowing the requested access, the requested access may be provided 1406]
Regarding Claims 2, 8, and 15, Brooker discloses further comprising: storing the event-specific credential to a credential cache, [paragraph 0026, In some instances, possession of particular credentials and/or a class of credentials may be part of a set of one or more conditions for policies. In an embodiment, computing resources having credentials distributed in accordance with the various embodiments described herein submit requests to perform one or more actions in connection with one or more other computing resources – teaches computing resources with stored credentials which is a credential cache] 
wherein the event-specific credential is able to be utilized for processing of similar notification events for the customer during a valid lifetime of the event-specific credential. [paragraph 0102, The policy enforcement component may utilize an authentication service to authenticate the credentials and, if successfully authenticated, establish a connection with the virtual machine instance that provided the credentials, at least for a period of time – teaches a time-limited authentication based on a credential]
Regarding Claims 5, 13, and 18, Brooker discloses further comprising: receiving the template policy from the customer, [paragraph 0026, Other information may also be received from a user in addition to granularity information. As an example, information stating and/or defining one or more policies may be received from a user] 
enabling the customer to determine which subset of the permissions, granted under the base credential for the customer, are granted by the event-specific credential. [paragraph 0024, credentials are generated and distributed to computing resources of a security domain… Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information – credentials are generated for requested resources and can encode metadata which is the “base credential”]
Regarding Claim 6, Brooker discloses wherein the resource instance is a virtual machine or a container executing on the virtual machine. [Figure 2, elements 218 and 220 are multiple virtual resources which is the “resource instance”]
Regarding Claims 7 and 14, Brooker discloses A computer-implemented method, comprising: detecting an event associated with a registered function; [paragraph 0080, Some provisioned resources 812-818 (FIG. 8) may have functionality that can be activated, and the activate resource functionality interface element 910 may be utilized to request an activation of that functionality. For example, some types of data object store may have a capability to analyze stored data objects, and the activate resource functionality interface element 910 may enable authorized clients to start, stop, suspend and/or perform the analysis. The delete resource attribute(s) interface element 912 may enable clients 204-206 (FIG. 2) to request a deletion and/or re-initialization of one or more attributes of one or more of the provisioned resources 812-818. For example, clients 204-206 with sufficient authorization may delete specified data objects from specified data object stores – the “registered functions” are functionalities such as analyzing, deleting, or re-initializing. The “event” is the request for activation of functionality]
determining a template policy associated with the registered function; [paragraph 0083, The policy enforcement component 1002 may include a policy collector 1004 configured at least to collect relevant policies 534-542, 546 (FIG. 5) from locations throughout the virtual resource provider 502, and store them local to a decision engine 1006 in a policy cache 1008] 
generating an event-specific policy by filling one or more variables of the template policy, associated with the registered function, with values determined based at least in part upon the event; [paragraph 0083, The policy enforcement component 1002 may include a policy collector 1004 configured at least to collect relevant policies 534-542, 546 (FIG. 5) from locations throughout the virtual resource provider 502, and store them local to a decision engine 1006 in a policy cache 1008… The decision engine 1006 may evaluate requests submitted to the policy enforcement component 1002 with respect to relevant policies in the policy cache 1008. At times, additional data may be required to support particular decisions with respect to particular policies. The policy enforcement component 1002 may still further include one or more decision data collectors 1012 configured at least to collect the required decision support data ("decision data") from locations throughout the virtual resource provider 502. Collected decision data may be stored local to the decision engine 1006 in a decision data cache 1014] 
obtaining an event-specific credential using the event-specific policy and a base credential, the base credential granting access to a plurality of electronic resources associated with the registered function, [paragraph 0024, credentials are generated and distributed to computing resources of a security domain… Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information – credentials are generated for requested resources and can encode metadata which is the “base credential”] 
the event-specific credential granting a subset of permissions granted with respect to the plurality of electronic resources by the base credential, the subset of permissions being relevant to the event; [paragraph 0025, different credentials are generated for each of a plurality of subsets of a set of computing resources… Generation of the credentials may be made according to granularity information received from a user. The granularity information may be determinative of the subsets, such as by specifying information by which the subsets are defined. The granularity information may be received in connection with a user request to provision virtual computing resources]
allocating a resource instance, of a plurality of resource instances of a resource allocation service, on behalf of the event; [paragraph 0080, Some provisioned resources 812-818 (FIG. 8) may have functionality that can be activated, and the activate resource functionality interface element 910 may be utilized to request an activation of that functionality] 
and causing the resource instance to execute the registered function in order to process the event, [paragraph 0103, If it is determined that the requester has a privilege allowing the requested access, the requested access may be provided 1406]
the resource instance obtaining event data for the event and the event-specific credential for accessing the plurality of electronic resources according to the subset of permissions. [paragraph 0102, When the credentials in connection with the request to access the computing resource are received 1402, in an embodiment, a determination is made 1404 whether the requester has a privilege allowing the requested access]
Regarding Claims 10 and 19, Brooker discloses further comprising: determining an identity role associated with the registered function; and binding the identity role to the registered function, [paragraph 0054, The principal(s) 408 element of the policy 402 may specify one or more entities known to the virtual resource provider 202 (FIG. 2) that are capable of making requests of the virtual resource provider 202. Such entities may include users having a user account with the virtual resource provider 202, customers having a commercial account (e.g., a cost-tracking account) with the virtual resource provider 202, and groups of users and/or customers including role-based groups such as administrators. Virtual machine instances or other virtual resources, other resources, and/or groups thereof may also be principals. Such entities may be specified with any suitable identifier including user identifiers, customer account numbers, group identifiers, and alphanumeric strings]
wherein the base credential is able to be obtained for the registered function with the permissions granted according to the identity role. [paragraph 0024, credentials are generated and distributed to computing resources of a security domain… Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information – credentials are generated for requested resources and can encode metadata which is the “base credential”]
Regarding Claims 11 and 20, Brooker discloses wherein the plurality of electronic resources are configured as part of a multi-tenant resource environment, [Figure 2, elements 218 and 220 are multiple virtual resources which is a “multi-tenant resource environment”] 
the registered function accessible to a plurality of customers of the multi-tenant resource environment, [Figure 2, elements 204 and 206 are a “plurality of customers” who have access to the multi-tenant resource environment] 
the event-specific credential being allocated for an associated customer of the plurality of customers. [paragraph 0102, When the credentials in connection with the request to access the computing resource are received 1402, in an embodiment, a determination is made 1404 whether the requester has a privilege allowing the requested access]

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 3, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Brooker, as applied to Claims 1, 7, and 14, respectively, above, in view of Vaidya et al., (US 9762619 B1) hereinafter referred to as Vaidya.
Regarding Claims 3, 9, and 16, Brooker does not explicitly teach further comprising: executing at least one customer-provided script to determine at least one of the values for the one or more variables.
Vaidya teaches further comprising: executing at least one customer-provided script to determine at least one of the values for the one or more variables. [Column 6, lines 8-14, the policy model in some embodiments is built in a manner that allows inline injection and execution of tasks that belong to the consumers. For instance, some embodiments allow users to write custom made services (e.g., as scripts) that are applicable to the user's specific application. The user can then register the custom made service as one of the PEPs 105] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Vaidya with the disclosure of Brooker. The motivation or suggestion would have been “To provide maximum flexibility to cloud consumers and external workflows.” (Column 6, lines 7-8)

Claims 4, 12, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Brooker, as applied to Claims 1, 7, and 14, respectively, above, in view of Brown et al., (US 20100083355 A1) hereinafter referred to as Brown.
Regarding Claims 4, 12, and 17, Brooker does not explicitly teach further comprising: receiving the base credential from a token service; sending the event-specific policy to the token service to be used with the base credential to generate the event-specific credential; and receiving the event-specific credential from the token service.
Brown teaches further comprising: receiving the base credential from a token service; [paragraph 0034, a systems management request can be received for a target resource in a particular security domain for a particular user. In block 490, a base credential can be retrieved for the particular user] 
sending the event-specific policy to the token service to be used with the base credential to generate the event-specific credential; and receiving the event-specific credential from the token service. [paragraph 0034, and in block 500, the base credential can be mapped to a requisite authentication credential for the target resource and authentication into the particular security domain can be requested with the mapped credential in block 510] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Brown with the disclosure of Brooker. The motivation or suggestion would have been for “flexibly, different mappings can be provided.” (paragraph 0034)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923.  The examiner can normally be reached on M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANDREW J STEINLE/Primary Examiner, Art Unit 2497