DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application 16/586742 filed on 09/27/2019.
Claims 1-20 have been examined and are pending in this application. 

Specification Objections
The disclosure is objected to as the specification does not include the section “Brief Summary of the invention.”  See MPEP 6.01 and 37 CFR 1.77(b) for detail.

Information Disclosure Statement 
The information disclosure statement (IDS), submitted on 11/17/2020, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned 

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mathew et al. (“Mathew,” US 2019/0014102), published on January 10, 2019, in view of Mandadi et al. (“Mandadi,” US 9894067), published on February 13, 2018.

Regarding claim 1: Mathew discloses a computer-implemented method comprising:
receiving, at an access control service of a provider network, a first request to create a session to permit access to resources of the provider network from an electronic device, the first request including a first one or more attributes, wherein the first one or more attributes include a user-specified attribute (Mathew: ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., user name/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center);
permitting the first request based at least in part on an evaluation of a first rule with at least one attribute of the first one or more attributes (Mathew: ¶0157 at step 606, the data center will determine authentication and authorization of the user based on user credentials supplied by the user; ¶0158 at step 608, once the user is successfully authenticated, the data center will check security data associated with the user);
generating session data including the user-specified attribute, wherein the user-specified attribute replaced another attribute included in the first one or more attributes, and wherein the user-specified attribute and the other attribute share a key name (Mathew: ¶0159 the data center will be free to establish a new session for the user to access the requested resource. The data center will change the security data associated with the user (in the data store) to include an identifier for the data center (to signify that a session has been established by the data center));
sending the session data to the electronic device (Mathew: ¶0161 at step 614, the data center will establish the new session for the user to access the requested resource. The relevant session information will be provided by the data center to the user (e.g., to the client device) [...] the session information may be sent as a token);
receiving, at a resource interface, a second request to perform an action with a resource hosted by the provider network, the second request including the session data (Mathew: ¶0047 the user may provide the second data center a cookie/token that was received from the first data center);
obtaining the user-specified attribute from the session data in the second request (Mathew: ¶0047 the second data center may read the cookie/token data [...] which can include session identifier information and other details; ¶0130 the session information, which the client 402 can use to access or log in to the session);
permitting the second request based at least in part on evaluation of a second rule with at least the user-specified attribute, wherein the second rule governs whether the action can be performed with the resource (Mathew: ¶0168 at step 712, the data center will determine whether the security data associated with the user stores the identifier of a different data center in the multi data center deployment); and
performing the action by the resource (Mathew: ¶0047 the second data center may adopt that session (e.g., by creating a session at the second data center) while preserving the same session identifier, allowing the user to access resources (e.g., resources governed by the second data center)).
Mathew does disclose each user may be associated with the identity attribute which serves the role of a session but does not explicitly disclose an identification of a role to assume for the session and wherein the first rule governs whether the role can be assumed.
However, Mandadi discloses an identification of a role to assume for the session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208); and
wherein the first rule governs whether the role can be assumed (Mandadi: col. 37 lines 12-17 the security service 3208 [...] may first verify that the role 3214 exists [...] verifying that the second customer 3202 has permission to assume the role 3214, and validating the signature of the signed request 3204).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Mandadi with the system and method of Mathew to include an identification of a role to assume for the session to provide user with a means for managing message authentication within a computing resource service provider environment (Mandadi: col. 2 lines 66-67).

Regarding claim 2: Mathew in view of Mandadi discloses the computer-implemented method of claim 1.
Mathew further discloses wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request (Mathew: ¶0083 requests may be communicated to device 114 via communication network 130. A request may prompt user 102 for user credentials to determine authentication of a session. Request may include information (e.g., a URL) to a web page or a user interface (e.g., a web page, portal, or dashboard) to receive credential information).
Mandadi further discloses a second attribute associated with the role via a role object stored in the provider network (Mandadi: col. 35 lines 40-44 each of the roles may have a set of permissions associated with access to the resources and may also have a set of access policies associated with the role so that, for example, only designated users and/or user accounts may have access to the role).
The motivation is the same that of claim 1 above.

Regarding claim 3: Mathew in view of Mandadi discloses the computer-implemented method of claim 1.
Mandadi further discloses wherein the session data is sent to the electronic device as part of an encrypted token (Mandadi: col. 12 lines 59-61 the session data 304 may be encrypted using the session encryption key 306 [...] to produce the session token 308).
The motivation is the same that of claim 1 above.

Regarding claim 4: Mathew discloses a computer-implemented method comprising:
receiving a first request to create a first session to permit access to resources of a provider network, the first request including a first one or more attributes, wherein the first one or more attributes include a user-specified attribute (Mathew: ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., user name/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center);
generating first session data including the user-specified attribute (Mathew: ¶0159 the data center will be free to establish a new session for the user to access the requested resource. The data center will change the security data associated with the user (in the data store) to include an identifier for the data center (to signify that a session has been established by the data center));
receiving a second request to perform an action with a resource hosted by the provider network (Mathew: ¶0047 the user may provide the second data center a cookie/token that was received from the first data center);
obtaining the user-specified attribute from the first session data based at least in part on the second request (Mathew: ¶0047 the second data center may read the cookie/token data [...] which can include session identifier information and other details; ¶0130 the session information, which the client 402 can use to access or log in to the session); and
performing the action by the resource (Mathew: ¶0047 the second data center may adopt that session (e.g., by creating a session at the second data center) while preserving the same session identifier, allowing the user to access resources (e.g., resources governed by the second data center)).
Mathew does disclose each user may be associated with the identity attribute which serves the role of a session but does not explicitly disclose an identification of a role to assume for the first session.
However, Mandadi discloses an identification of a role to assume for the first session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Mandadi with the system and method of Mathew to include an identification of a role to assume for the session to provide user with a means for managing message authentication within a computing resource service provider environment (Mandadi: col. 2 lines 66-67).

Regarding claim 5: Mathew in view of Mandadi discloses the computer-implemented method of claim 4.
Mathew further discloses wherein the first session data includes the user-specified attribute in place of another attribute included in the first one or more attributes, and wherein the user-specified attribute and the other attribute share a key name (Mathew: ¶0135 the security data associated with that user would be updated within data center 406. For instance, if the security data includes a "lockedBy" attribute, the value of the "lockedBy" attribute would be changed to an identifier of the data center 406 in order to signify that the data center 406 established the session).

Regarding claim 6: Mathew in view of Mandadi discloses the computer-implemented method of claim 5.
Mathew further discloses wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request (Mathew: ¶0083 requests may be communicated to device 114 via communication network 130. A request may prompt user 102 for user credentials to determine authentication of a session. Request may include information (e.g., a URL) to a web page or a user interface (e.g., a web page, portal, or dashboard) to receive credential information).
Mandadi further discloses a second attribute associated with the role via a role object stored in the provider network (Mandadi: col. 35 lines 40-44 each of the roles may have a set of permissions associated with access to the resources and may also have a set of access policies associated with the role so that, for example, only designated users and/or user accounts may have access to the role).
The motivation is the same that of claim 1 above.

Regarding claim 7: Mathew in view of Mandadi discloses the computer-implemented method of claim 4. 
Mandadi further discloses wherein the second request includes an encrypted token that contains the user-specified attribute (Mandadi: col. 3 lines 54-59 the security service can then generate a set of session data (also referred to herein as "short-term credential data") that includes a session key and encrypt the short-term credential data to produce a short-term credential such as a session credential (also referred to herein as a "session token"). The session token is encrypted with a session encryption key), and wherein the obtaining the user- specified attribute from the first session data based at least in part on the second request comprises decrypting the encrypted token to extract the user-specified attribute (Mandadi: col. 11 lines 3-6 the security service 220 may extract the session key 210 from the session token 208 by decrypting the session token using the session encryption key).
The motivation is the same that of claim 4 above.

Regarding claim 8: Mathew in view of Mandadi discloses the computer-implemented method of claim 4.
Mathew further discloses wherein the second request includes an identifier of the first session data, and wherein the obtaining the user-specified attribute from the first session data based at least in part on the second request comprises retrieving the first session data from a session data store based on the identifier (Mathew: ¶0047 the first data center will create for the user a session with a unique session identifier [...] then the user may provide the second data center a cookie/token that was received from the first data center. The second data center may read the cookie/token data and extract the server side session information, which can include session identifier information and other details. For instance, the second data center may determine from the information that the session was originally initiated by the first data center).

Regarding claim 9: Mathew in view of Mandadi discloses the computer-implemented method of claim 4.
Mandadi further discloses permitting the first request based at least in part on an evaluation of a first rule with at least one attribute of the first one or more attributes, wherein the first rule is part of a first set of rules that govern whether the role can be assumed (Mandadi: col. 5 lines 23-28 a user in a first region may create a set of permissions for access to resources in a second region such as, for example, the ability to access a particular database. This set of permissions defines a role for access to those resources and other users can assume that role to access the resources), and
wherein the first set of rules include a rule identifying a set of necessary attributes that must be included with a request to assume the role, wherein metadata associates the role to the first rule (Mandadi: col. 35 lines 29-34 a user of a user account may then assume one or more of these roles to have access to the database. For example, a user may assume the first role if the user only requires permission to read data from the database. Using the first role, the user could analyze, but not alter, the data in the database).
The motivation is the same that of claim 4 above.

Regarding claim 10: Mathew in view of Mandadi discloses the computer-implemented method of claim 9.
Mathew further discloses receiving a third request to create a second session to permit access to resources of the provider network, the third request including a third one or more attributes (Mathew: ¶0088 agent-server interactions including requests [requests can be more than two request/third request] for access to a resource managed by access management system 140; ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., user name/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center).
Mandadi further discloses and an identification of a role to assume for the second session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208); and 
denying the third request based at least in part on an absence of at least one attribute identified in the set of necessary attributes in the third one or more attributes (Mandadi: col. 21 lines 41-44 services generally have a policy to deny unknown users and, when accounts are regional, those accounts are unknown in regions where they are not authorized).
The motivation is the same that of claim 4 above.

Regarding claim 11: Mathew in view of Mandadi discloses the computer-implemented method of claim 9.
Mathew further discloses wherein the first set of rules include a rule identifying a set of attributes that cannot be user-specified (Mathew: ¶0014 each data center of the multiple data centers may be associated with its own identifier (e.g., a data center identifier), such as a ClusterID).

Regarding claim 12: Mathew in view of Mandadi discloses the computer-implemented method of claim 11.
Mathew further discloses receiving a third request to create a second session to permit access to resources of the provider network, the third request including a third one or more attributes, the third one or more attributes including a second user-specified attribute (Mathew: ¶0088 agent-server interactions including requests [requests can be more than two request/third request] for access to a resource managed by access management system 140; ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., user name/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center); and
denying the third request based at least in part on a presence of the second user-specified attribute (Mathew: ¶0150 if the security data includes an identifier for a data center, that means a session exists for the user; ¶0151 if a session exists for the user, then at step 520, the second data center will deny the creation of a new session for the user and the user will not be granted access to the resource), wherein the second user-specified attribute shares a key name with at least one attribute identified in the set of attributes that cannot be user-specified (Mathew: ¶0014 each data center of the multiple data centers may be associated with its own identifier (e.g., a data center identifier), such as a ClusterID).
Mandadi further discloses an identification of a role to assume for the second session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials [...] a first customer 3002 in a first region 3006 may create 3004 a role. The role 3008 may have a role identifier 3014 [...] and a set of permissions 3010 for access to a set of customer resources 3012 in the first region; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208); and
The motivation is the same that of claim 4 above.

Regarding claim 13: Mathew in view of Mandadi discloses the computer-implemented method of claim 4.
Mathew further discloses receiving a third request to create a second session to permit access to resources of the provider network, the third request including a reference to the first session data (Mathew: ¶0088 agent-server interactions including requests [requests can be more than two request/third request] for access to a resource managed by access management system 140; ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., user name/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center; ¶0037 the enterprise computer network may offer a single sign-on (SSO) functionality that allows a user to log into one data center and then access other data centers using the same authentication session); and
generating second session data including the user-specified attribute from the first session data (Mathew: ¶0038 a user may have access to two different resources stored and/or managed in two different data centers. Thus, a first data center may create a session at the first data center for a user with a unique session ID (e.g., session ID 1), and the second data center may adopt that session (e.g., by creating a session at the second data center for the user with the same session ID 1)).
 Mandadi further discloses an identification of another role to assume for the second session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials [...] a first customer 3002 in a first region 3006 may create 3004 a role. The role 3008 may have a role identifier 3014 [...] and a set of permissions 3010 for access to a set of customer resources 3012 in the first region; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208); and
permitting the third request based at least in part on an evaluation of another role trust policy associated with the other role (Mandadi: col. 36 lines 38-39 policies associated with cross-region roles are applied using session credentials; lines 43-45 the allowed users policy 3106 indicates that a first user 3108 may assume the role 3102, a second user 3110 may also assume the role 3102).
The motivation is the same that of claim 4 above.

Regarding claim 14: Mathew in view of Mandadi discloses the computer-implemented method of claim 4.
Mathew further discloses permitting the second request based at least in part on evaluation of a first rule with at least the user-specified attribute, wherein the first rule is part of a first set of rules that govern whether the action can be performed (Mathew: ¶0168 at step 712, the data center will determine whether the security data associated with the user stores the identifier of a different data center in the multi data center deployment), and
wherein the evaluation of the first rule with at least the user-specified attribute includes matching a value of the user-specified attribute with a value of another attribute associated with the resource (Mathew: ¶0058 checking user-supplied credentials against user IDs stored in an identity store (e.g., data store 150). For instance, the user 102 may supply credentials that correspond to a user identity in the data store 150).

Regarding claim 15: Mathew discloses a system comprising:
a first one or more electronic devices implementing an access control service (Mathew: fig. 1), the access control service including instructions that upon execution cause the first one or more electronic devices to:
receive a first request to create a first session to permit access to resources of a provider network, the first request including a first one or more attributes, wherein the first one or more attributes include a user-specified attribute (Mathew: ¶0155 at step 602, the data center will receive (e.g., from a client device) a request for a user to access a resource; ¶0156 at step 604, the data center will receive credentials for the user; ¶0072 authentication credentials (e.g., username/password, or the like) [user attribute]; ¶0046 multiple access manager servers can be deployed as an access manager cluster in a data center);
generate first session data including the user-specified attribute (Mathew: ¶0159 the data center will be free to establish a new session for the user to access the requested resource. The data center will change the security data associated with the user (in the data store) to include an identifier for the data center (to signify that a session has been established by the data center));
a second one or more electronic devices implementing a resource interface (Mathew: ¶0225 communications subsystem 1024 serves as an interface for receiving data from and transmitting data to other systems from computer system 1000), the resource interface including instructions that upon execution cause the second one or more electronic devices to:
receive a second request to perform an action with a resource hosted by the provider network (Mathew: ¶0047 the user may provide the second data center a cookie/token that was received from the first data center);
obtain the user-specified attribute from the first session data based at least in part on the second request (Mathew: ¶0047 the second data center may read the cookie/token data [...] which can include session identifier information and other details; ¶0130 the session information, which the client 402 can use to access or log in to the session); and
cause the resource to perform the action (Mathew: ¶0047 the second data center may adopt that session (e.g., by creating a session at the second data center) while preserving the same session identifier, allowing the user to access resources (e.g., resources governed by the second data center)).
Mathew does disclose each user may be associated with the identity attribute which serves the role of a session but does not explicitly disclose an identification of a role to assume for the first session.
However, Mandadi discloses an identification of a role to assume for the first session (Mandadi: col. 35 lines 8-15 FIG. 30 illustrates an example environment 3000 where cross-region roles are assumed across regions using session credentials; col. 37 lines 7-10 customer 3202 [...] may send a signed request 3204 to assume a role 3206 to a security service 3208).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Mandadi with the system and method of Mathew to include an identification of a role to assume for the session to provide user with a means for managing message authentication within a computing resource service provider environment (Mandadi: col. 2 lines 66-67).
 
Regarding claim 16: Mathew in view of Mandadi discloses the system of claim 15.
Mathew further discloses wherein the first session data includes the user-specified attribute in place of another attribute included in the first one or more attributes, and wherein the user-specified attribute and the other attribute share a key name (Mathew: ¶0135 the security data associated with that user would be updated within data center 406. For instance, if the security data includes a "lockedBy" attribute, the value of the "lockedBy" attribute would be changed to an identifier of the data center 406 in order to signify that the data center 406 established the session).

Regarding claim 17: Mathew in view of Mandadi discloses the system of claim 16.
Mathew further discloses wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request (Mathew: ¶0083 requests may be communicated to device 114 via communication network 130. A request may prompt user 102 for user credentials to determine authentication of a session. Request may include information (e.g., a URL) to a web page or a user interface (e.g., a web page, portal, or dashboard) to receive credential information).
Mandadi further discloses a second attribute associated with the role via a role object stored in the provider network (Mandadi: col. 35 lines 40-44 each of the roles may have a set of permissions associated with access to the resources and may also have a set of access policies associated with the role so that, for example, only designated users and/or user accounts may have access to the role).
The motivation is the same that of claim 15 above.

Regarding claim 18: Mathew in view of Mandadi discloses the system of claim 15.
Mandadi further discloses wherein the second request includes an encrypted token that contains the user-specified attribute (Mandadi: col. 3 lines 54-59 the security service can then generate a set of session data (also referred to herein as "short-term credential data") that includes a session key and encrypt the short-term credential data to produce a short-term credential such as a session credential (also referred to herein as a "session token"). The session token is encrypted with a session encryption key), and wherein the obtaining the user- specified attribute from the first session data based at least in part on the second request comprises decrypting the encrypted token to extract the user-specified attribute (Mandadi: col. 11 lines 3-6 the security service 220 may extract the session key 210 from the session token 208 by decrypting the session token using the session encryption key).
The motivation is the same that of claim 15 above. 

Regarding claim 19: Mathew in view of Mandadi discloses the system of claim 15.
Mathew further discloses wherein the second request includes an identifier of the first session data, and wherein the obtaining the user-specified attribute from the first session data based at least in part on the second request comprises retrieving the first session data from a session data store based on the identifier (Mathew: ¶0047 the first data center will create for the user a session with a unique session identifier [...] then the user may provide the second data center a cookie/token that was received from the first data center. The second data center may read the cookie/token data and extract the server side session information, which can include session identifier information and other details. For instance, the second data center may determine from the information that the session was originally initiated by the first data center).

Regarding claim 20: Mathew in view of Mandadi discloses the system of claim 15.
Mandadi further discloses permit the first request based at least in part on an evaluation of a first rule with at least one attribute of the first one or more attributes, wherein the first rule is part of a first set of rules that govern whether the role can be assumed (Mandadi: col. 5 lines 23-28 a user in a first region may create a set of permissions for access to resources in a second region such as, for example, the ability to access a particular database. This set of permissions defines a role for access to those resources and other users can assume that role to access the resources), and
wherein the first set of rules include a rule identifying a set of necessary attributes that must be included with a request to assume the role, wherein metadata associates the role to the first rule (Mandadi: col. 35 lines 29-34 a user of a user account may then assume one or more of these roles to have access to the database. For example, a user may assume the first role if the user only requires permission to read data from the database. Using the first role, the user could analyze, but not alter, the data in the database).
The motivation is the same that of claim 15 above.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857.  The examiner can normally be reached on Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FAHIMEH MOHAMMADI/    Examiner, Art Unit 2439