DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-25 were cancelled by preliminary amendments.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. US62/581,495, filed on 11/03/2017.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/26/20 and 11/14/19 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 26, 28, 35, 37, 39, 46, 48, and 50 are rejected under 35 U.S.C. 103 as being unpatentable over Dave et al. (US 20140096199 A1).

With regard to claims 26, 37, and 48, Dave discloses a mediator device (FIG. 1, 3, security server), comprising: communications circuitry; processing circuitry; and a memory device including instructions embodied thereon, wherein the instructions, when executed by the processing circuitry, configure the processing circuitry to perform operations of a mediator service to:
process a request to onboard a client device onto a security-restricted domain (FIG. 3, block 303, and associated text), the request received from the client device via the communications circuitry, wherein the security-restricted domain restricts communication operations of the client device to a defined security level ([0031]; In block 304, the database management module 202 may create a new cloud security server account. The cloud security server account may be associated with a particular user of the cloud security server 102. The cloud security server account provides a single logical connection point for distributed data sources, authorized client devices, and assigned trust levels. The cloud security server account may be authenticated based on credentials supplied by the user of the cloud security server 102, such as a password or a cryptographic certificate.);
process a request to register a cloud service with the security-restricted domain, the request received from the cloud service via the communications circuitry, wherein the security-restricted domain restricts communication operations of the cloud service to the defined security level ([0033]; For example, if the user desires to add a data source, in block 314, the database management module 202 may add a new data source. New data sources are added by configuring a data source connector 210 to
generate communication information usable to establish a communication link, between the cloud service and the client device, at the defined security level in the security-restricted domain ([0014]; In use, as discussed in more detail below, the cloud security server 102 is configured to associate a plurality of trust levels to the client computing devices 104, the cloud service providers 106, and the local storage device 108. Individual client computing devices 104 are configured to request data from the cloud security server 102, which brokers connections to the cloud service providers 106 and the local storage device 108.); and
cause the communications circuitry to transmit the communication information to the client device and the cloud service ([0046]; For example, such data may be transmitted to the client computing device 104 directly from the cloud security server 102. In block 618, in some embodiments the client computing device 104 may access data using a connection to a cloud service provider 106 brokered by the cloud security server 102. The cloud security server 102 may broker such connections, for example, by providing appropriate credentials to the cloud service provider 106. In block 620, in some embodiments the client computing device 104 may access data using a connection to a
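The brokering flow recited in claim 26 (onboard a client, register a cloud service, generate communication information at the defined security level, transmit it to both parties), shown as an added Python illustration. This is not code from the Office Action, from Dave, or from the applicant; the request fields, the per-party keys derived from a domain key, the HMAC-signed ticket, and the constructed device and service names are assumptions made for this example.

```python
"""Added example (not code from the Office Action, Dave, or the applicant):
a minimal mediator service that brokers a link between an onboarded client
device and a registered cloud service at one defined security level.
Request formats, per-party keys derived from a domain key, and the
HMAC-signed ticket are assumptions made for this illustration."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional


def _mac(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of msg."""
    data = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Mediator:
    """Security-restricted domain: only parties admitted here can be linked,
    and every link is issued at the domain's single defined security level."""

    def __init__(self, domain_key: bytes, security_level: str, clock=time.time):
        self.domain_key = domain_key
        self.level = security_level
        self.clock = clock
        self.parties: Dict[str, dict] = {}  # name -> {"role", "key", "mailbox"}

    def issue_auth_token(self, name: str) -> str:
        """Stands in for the authentication service's user authorization (claim 28)."""
        return _mac(self.domain_key, {"authorize": name})

    def party_key(self, name: str) -> bytes:
        """Per-party key handed out at admission (derived so the example stays stateless)."""
        return hmac.new(self.domain_key, b"party:" + name.encode(), hashlib.sha256).digest()

    def _admit(self, request: dict, role: str) -> bool:
        authorized = hmac.compare_digest(self.issue_auth_token(request["name"]),
                                         request.get("auth_token", ""))
        # The domain restricts communication to the defined level: a party asking
        # for any other level is refused rather than silently downgraded or upgraded.
        if not authorized or request.get("level") != self.level:
            return False
        self.parties[request["name"]] = {"role": role, "key": self.party_key(request["name"]),
                                         "mailbox": []}  # mailbox models the communications circuitry
        return True

    def onboard_client(self, request: dict) -> bool:
        return self._admit(request, "client")

    def register_cloud_service(self, request: dict) -> bool:
        return self._admit(request, "cloud_service")

    def broker_link(self, client: str, service: str, ttl: int = 300) -> Optional[dict]:
        """Generate communication information and transmit it to both parties."""
        c, s = self.parties.get(client), self.parties.get(service)
        if not (c and s and c["role"] == "client" and s["role"] == "cloud_service"):
            return None  # only participants of the domain can be linked
        link_key = secrets.token_hex(32)  # fresh shared secret for this link only
        body = {"client": client, "service": service, "level": self.level,
                "expires": int(self.clock()) + ttl, "nonce": secrets.token_hex(8)}
        # Each side receives the same body but a MAC under its own key, so neither
        # party holds the domain key and neither can forge the other's ticket.
        for party in (c, s):
            party["mailbox"].append({"ticket": body, "mac": _mac(party["key"], body),
                                     "link_key": link_key})
        return body

    def inbox(self, name: str) -> List[dict]:
        return self.parties[name]["mailbox"]


def accept_ticket(party_key: bytes, message: dict, expected_level: str, now: int) -> bool:
    """Run by a participant on receipt: check MAC, level and expiry before using link_key."""
    ticket = message["ticket"]
    if not hmac.compare_digest(_mac(party_key, ticket), message["mac"]):
        return False
    return ticket["level"] == expected_level and ticket["expires"] > now


def demo() -> dict:
    """Walk the flow of claim 26 with constructed inputs; returns what each side observed."""
    now = 1_700_000_000
    med = Mediator(domain_key=b"constructed-domain-key", security_level="high", clock=lambda: now)
    med.onboard_client({"name": "thermostat-01", "level": "high",
                        "auth_token": med.issue_auth_token("thermostat-01")})
    med.register_cloud_service({"name": "telemetry-api", "level": "high",
                                "auth_token": med.issue_auth_token("telemetry-api")})
    wrong_level = med.onboard_client({"name": "laptop-02", "level": "low",
                                      "auth_token": med.issue_auth_token("laptop-02")})
    unregistered = med.broker_link("thermostat-01", "rogue-api")  # never registered
    body = med.broker_link("thermostat-01", "telemetry-api")
    client_msg, service_msg = med.inbox("thermostat-01")[0], med.inbox("telemetry-api")[0]
    return {
        "refused_wrong_level": not wrong_level,
        "rejected_unregistered": unregistered is None,
        "client_accepts": accept_ticket(med.party_key("thermostat-01"), client_msg, "high", now),
        "service_accepts": accept_ticket(med.party_key("telemetry-api"), service_msg, "high", now),
        "same_link_key": client_msg["link_key"] == service_msg["link_key"],
        "level": body["level"],
        # a ticket replayed to the wrong party fails that party's MAC check
        "cross_party_fails": not accept_ticket(med.party_key("telemetry-api"), client_msg, "high", now),
        "expired_fails": not accept_ticket(med.party_key("thermostat-01"), client_msg, "high", now + 301),
    }
```

The point the example makes about the claim language is that "communication information" can be two things at once: a shared link secret that both parties receive, and a per-party ticket that binds that secret to the defined security level and an expiry, so a party outside the domain, a ticket at a different level, or a replayed ticket is refused at the edges rather than relying on the mediator alone.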

With regard to claims 28, 39, and 50, Dave further discloses the operations further to: process a user authorization of the requests to onboard the client device and register the cloud service, the user authorization received from an authentication service via the communications circuitry ([0031]; The cloud security server account provides a single logical connection point for distributed data sources, authorized client devices, and assigned trust levels. The cloud security server account may be authenticated based on credentials supplied by the user of the cloud security server 102, such as a password or a cryptographic certificate. The user may interact with the database management module 202 through an interface on a local console of the cloud security server 102, or through a remote interface such as a web application. Such interaction by the user may also be employed for the other steps of the method 300. For example).

With regard to claims 35 and 46, Dave further discloses wherein the mediator service, the client device, and the cloud service are the only participants of the security-restricted domain (Dave FIG. 1 and associated text; [0015] The disclosed system and .

Claims 27, 30-33, 38, 41-44, and 49 are rejected under 35 U.S.C. 103 as being unpatentable over Dave et al. (US 20140096199 A1) in view of Koushik et al. (US 20160134616 A1).

With regard to claims 27, 38, and 49, Dave does not expressly disclose, but Koushik teaches, to cause the communications circuitry to transmit a command to the cloud service to perform discovery and brokering of additional devices in the security-restricted domain, the discovery and brokering to allow a second client device to communicate with the client device via the cloud service (Koushik [0036] In another example, other service provider services 150 may include one or more other authentication services, identity services, or security services, which may be used in authenticating and/or identifying an end user or an end user's computing resource instance instead of or in combination with various ones of the fulfillment control plane services 126 described herein; FIG. 6, 606, and associated text; the fulfillment platform plane provides brokering and identification). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dave

With regard to claims 30 and 41, Dave in view of Koushik discloses the operations further to: process a delegation to implement the mediator service within the security-restricted domain, the delegation to implement the mediator service received from an onboarding service via the communications circuitry, wherein the onboarding service operates within a trusted domain (Koushik [0102]; If (or once) an end user's identity has been validated, the proxy service may pass or dispatch requests received from the end user to the appropriate backend service (e.g., a fulfillment service, an entitlement service, or a delivery service) for processing.). The motivation would be the same as stated for claim 27.

With regard to claims 31 and 42, Dave in view of Koushik discloses the operations further to: process device onboarding information received from the onboarding service, the device onboarding information received via the communications circuitry (Koushik [0093] In some embodiments, when a "create fulfillment" workflow is invoked, the entitlement service may expose one or more APIs to the IT administrator (e.g., through a service provider system console 616). For example, these APIs may include a "register fulfillment" API, a "create monthly subscription" API, an API to request an end user license to be used for a particular application, or an API to request that a subscription be enrolled in a subscription renewal program (e.g., a monthly renewal program).); and process mediator service provisioning information received from the onboarding service, the provisioning information received via the communications circuitry (Koushik [0094] In some embodiments, a delivery service (such as delivery service 626 illustrated in FIG. 6) may be responsible for application lifecycle management, the delivery of applications, and the fulfillment of applications on targeted machines.); wherein the mediator service and the onboarding service operate on different devices (Koushik FIG. 6, 620, 626, and associated text; [0036] As illustrated in FIG. 1, the service provider network may include physical and/or virtualized computing resource instances (e.g., computation resource instances and/or storage resource instances) that may be provisioned on behalf of the business, enterprise, or organization (and its end users).). The motivation would be the same as stated for claim 27.

With regard to claims 32 and 43, Dave in view of Koushik discloses wherein the mediator service and the onboarding service each operate on the mediator device (Dave FIG. 2, 102, and associated text).

With regard to claims 33 and 44, Dave in view of Koushik further teaches wherein the client device operates in the trusted domain, wherein the client device is onboarded by the onboarding service (Koushik [0100] In various embodiments, computing resource instances (including virtualized computing resource instances or virtual desktop instances) may be implemented on computing devices that are domain joined to an active directory. In such embodiments, a user may log into a computing resource instance using their active directory. In some embodiments, in order to access service provider services and/or resources, the end user may have to go through an identity access management); and wherein the client device operates in an untrusted device state within the trusted domain during communications with the security-restricted domain (Dave [0014] Referring now to FIG. 1, in one embodiment, a system 100 for managing and accessing distributed data sources includes a cloud security server 102, a plurality of client computing devices 104, a plurality of cloud service providers 106, and a local storage device 108, all in communication with each other over a network 110. In use, as discussed in more detail below, the cloud security server 102 is configured to associate a plurality of trust levels to the client computing devices 104; [0015] The disclosed system and methods allow the owner of the data to apply a single security model to any number of distinct, distributed data sources. Such single security model may allow for simplified and efficient management of numerous distributed data sources. Note: a new client is untrusted until it is authenticated; once authenticated, it is assigned a trust level within the cloud services.).

Claims 29 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Dave et al. (US 20140096199 A1) in view of Sanso et al. (US 20150033297 A1).

With regard to claims 29 and 40, Dave does not expressly disclose, but Sanso teaches, wherein the authentication service is a single sign-on (SSO) service utilized by an administrative user, and wherein the SSO service comprises at least one of an OAuth2, Security Assertion Markup Language (SAML), OpenID Connect, Kerberos, or Lightweight Directory Access Protocol (LDAP) authentication service (Sanso [0017] SSO, which can be provided using LDAP, can be used for user authentication and for applying an entity's login code to the entity's computing resources. With SSO, one password for a user account can be shared amongst multiple services.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device/method of Dave with the teaching of Sanso in order to authenticate users based on email addresses and credentials, and to dynamically map users to groups in a hierarchical repository (Sanso [0001]).

Claims 36 and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Dave et al. (US 20140096199 A1) in view of Lee et al. (US 20180063879 A1).

With regard to claims 36 and 47, Dave does not disclose, but Lee teaches, wherein network communications used to cause the respective operations comprise Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies, and wherein the network communications are conducted according to one or more Open Connectivity Foundation (OCF) specifications (Lee [0150] That is, at step S221, the IoT device interoperation apparatus 100 may receive a CRUDN message for performing respective operations which satisfy RESTful-style CRUDN operation (CREATE, RETRIEVE, UPDATE, DELETE and NOTIFY) from the OCF device 10.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device/method of Dave with the teaching of Lee in order to connect an OCF device that supports .

Allowable Subject Matter
Claims 34, 45 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571) 270-7987. The examiner can normally be reached from 8:30 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Yin-Chen Shaw, can be reached at 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  

/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498