DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Amendment
This is a reply to the amendment filed on 05/24/2021, in which, claim(s) 1-12, 16 and 19-25 are pending. Claim(s) 1, 19, 20 and 23-25 are amended. Claim(s) 13-15 and 17-18 are cancelled. No claim(s) are newly added.

Response to Arguments
Claim Objection: 
Applicant’s arguments with respect to objection of claim(s) 1, 19-20 and 23-25 have been considered. The objection of claim(s) 1, 19-20 and 23-25 have been withdrawn in view of the amendment to claim.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 8-12, filed 05/24/2021, regarding the U.S.C. 102 and 103 rejections of claims 1-12, 16 and 19-25 have been fully considered and are not persuasive.
Applicants argue that “Sondhi…fails to disclose that the customer itself can modify the policies by configuring (via an API) an ordered set of rules that make up the policy”.
In response to applicant's argument that the references fail to show certain " the customer itself can modify the policies by configuring (via an API) an ordered set of rules that make up the policy") are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicants further argue that “Pernicha further fails to disclose the newly added limitations of…the declarative policy is configured based on the at least one API request”
Applicant’s interpretation of the reference has been noted; however, examiner respectfully disagrees because Pernicha is not used to teach this limitation. Instead, Sondhi teaches the declarative policy is configured based on the at least one API request ([0049], [0050] and [0062]).
Applicant’s arguments with respect to the limitation “the declarative policy determining access for the tenant to a resource associated with the IAM system” have been considered but are moot in view of the new ground(s) of rejection.
Besides, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the rejection is maintained.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-5, 12, and 19-24, are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Sedky et al. (US 10,819,747 A1).
Regarding Claims 1, 19, and 20, Sondhi discloses A method for declarative policy management in a multi-tenant cloud-based identity and access management (IAM) system ([0014], “a framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures”, [0064], “a multi-identity domain cloud computing environment”), the method comprising: 
receiving at least one Application Programming Interface (API) request by a policy engine of the multi-tenant cloud-based IAM system from a tenant of the multi-tenant cloud-based IAM system ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, [0050], “The interfaces may be published so that customers (tenants) are aware of the parameters that each interface expects to receive and the values that each interface expects to return. When client application 204 makes a request of OAuth authorization server 220, OAuth authorization server 220 makes responsive calls to the APIs related to that request”, [0063], “a policy engine”, [0066], “various different tenants who are served by the cloud computing environment”); 
the at least one API request comprising a declarative policy provided by the tenant, the declarative policy comprising a tenant customized access management policy or a tenant customized identity management policy ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, based on [0050], “the parameters that each interface expects to receive”, i.e. provided by the tenant, [0072], “In response to such an inquiry, the resource server can determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity), the scope of access that should be granted”).
configuring the declarative policy for the tenant of the multi-tenant cloud-based IAM system based on the at least one API request and the declarative policy is configured based on the at least one API request ([0049], “invoke an application programming interface (API) that will look up the customer's policy”, [0050], a set of associated authorization policies (i.e. a declarative policy) that are specific to that service”); and 
wherein the policy engine exposes APIs for creating policy artifacts associated with the declarative policy ( [0021], “a multi-identity domain cloud-based computing environment”, [0022], “interacts with clients from separate enterprises, having different identity domains, in order to authorize those clients relative to cloud-provided services”, [0050], “The interfaces may be published so that customers (tenants) are aware of the parameters that each interface expects to receive and the values that each interface expects to return”, [0062], “Each service can have a set of associated authorization policies that are specific to that service”, [0063], “a policy engine”, [0072], “determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity), the scope of access that should be granted”),
Sondhi does not explicitly teach enforcing the declarative policy in an IAM service performed for the tenant; and the policy engine defines a data model comprising resource types corresponding to the policy artifacts.
Maes teaches enforcing the declarative policy in an IAM service performed for the tenant ([0010], “implementing service level consolidated user information management can comprise receiving and/or intercepting, at a policy enforcer, a manipulation request of data. The selection of a policy to process/execute is a function of the manipulation request (i.e., viewing/accessing rights, changing/modifying rights, deletion rights, etc.) and the target data”, “This is further detailed in… U.S. application DECLARATIVE POLICY RULE SETS”, [0072], “policy enforcer may provide a unified interface for all data”), and
the policy engine defines a data model comprising resource types corresponding to the policy artifacts ([0010], “a check of the data manipulation type and make a decision as to how to treat the manipulation request based on the (data, i.e. resource) type”, [0072], “customer data model”).  
Sondhi and Maes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maes with the disclosure of Sondhi. The motivation/suggestion would have been to provide a policy enforcing mechanism to manage routing of requests related to user information (Maes, [0002]).
	The combined teaching of Sondhi and Maes teaches the declarative policy (e.g. Sondhi, [0062], & Maes, [0010]). However, the combined teaching of Sondhi and Maes does not explicitly teach the declarative policy is a policy comprising an ordered list of rules that are configured by the tenant.
Pernicha teaches a policy comprising an ordered list of rules that are configured by the tenant ([0005], “policy is implemented in a rule base, which is an ordered list of rules”, [0069], “different policy rules that are defined/configured by the user/administrator”, i.e. configured by the tenant).
Sondhi, Maes and Pernicha are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in dynamically optimized rule-based security policy management (Pernicha, Abstract).
The combined teaching of Sondhi, Maes and Pernicha does not explicitly teach the declarative policy determining access for the tenant to a resource associated with the IAM system.
Sedky teaches the declarative policy determining access for the tenant to a resource associated with the IAM system (page 6 lines 10-31, “policy data associated with the user identities”, “the policy data may specify levels of access to the resources of the service using a declarative policy”),
Sondhi, Maes, Pernicha and Sedky are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sedky with the combined teaching of Sondhi, Maes and Pernicha. The motivation/suggestion would have been to provide a visualization of policies based at least in part on a set of resources (Sedky, Abstract).

Regarding Claim 2, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the policy engine is a common module available for uptake by components of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each service can have a set of associated authorization policies that are specific to that , and the at least one API request comprises a Representational State Transfer (REST) request configured according to System for Cross-domain Identity Management (SCIM) and the policy engine exposes SCIM-based REST APIs for evaluating the declarative policy (Sondhi, [0021], “a multi-identity domain cloud-based computing environment”, [0022], “interacts with clients from separate enterprises, having different identity domains, in order to authorize those clients relative to cloud-provided services”, [0030], “provides a Representational State Transfer (REST) interface”, [0081], “invoke its policy engine to determine a particular set of policies that applies to the identity domain of the particular client”).  

Regarding Claim 3, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the components of the multi-tenant cloud-based IAM system include one or more microservices providing cloud-based IAM services to tenants of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each service (i.e. one or more microservices) can have a set of associated authorization policies that are specific to that service”).

Regarding Claims 4, 21 and 23, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the tenant customized access management policy comprises one of a login policy, a multi-factor authentication policy or a trust policy (Sondhi, policies itself to determine the scope of access that should be granted”, [0125], “the user can sign on to all of the mobile native applications in a group of applications that belong to a circle of trust”), and the tenant customized identity management policy comprises one of a password policy, an ID synchronization policy or a user provisioning policy (Sondhi, [0125], “if a user logs into one mobile native application by supplying a user identity and password, then the fact that the user logged into that mobile native application can be used by other mobile native applications from the same vendor in order to allow the user to access those other mobile native applications without separately requiring the user to supply a user identity and password for each one”).

Regarding Claims 5, 22 and 24, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the policy artifacts comprise the declarative policy, a policy type, rules, condition groups, and conditions (Maes, [0010], “The selection of a policy to process/execute is a function of the manipulation request (i.e., viewing/accessing rights, changing/modifying rights, deletion rights, etc.) and the target data… DECLARATIVE POLICY RULE SETS”, “a check of the data manipulation type and make a decision as to how to treat the manipulation request based on the type. These can be viewed as a sequence of conditions”, “determine a data type associated with the manipulation request and, based on the data type, selecting a policy from a plurality of policies”, [0016], “combination of any condition” as condition groups).

Regarding Claim 12, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the declarative policy is associated with a resource or a container of the tenant of the multi-tenant cloud-based IAM system (Sondhi, [0062], “Each service can have a set of associated authorization policies (i.e. a declarative policy) that are specific to that service”, i.e. a resource of the tenant, [0097], “The repositories (container) into which a tenant's client profiles are stored can be configured on a per-tenant basis”).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Sedky et al. (US 10,819,747 A1) and further in view of Tuatini et al. (US 2016/0020917 A1).
Regarding Claim 6, the combined teaching of Sondhi, Maes, Pernicha and Sedky teaches 
wherein the policy type defines a contract between the policy engine and a component of the multi-tenant cloud-based IAM system that uptakes the policy engine (Maes, [0070], “the customer's contract information is restricted to only be accessed by the owner of the data (i.e., subscriber manager 410), then policy enforcer 405 would instruct subscriber manager 410 to execute the request”).
The combined teaching of Sondhi, Maes, Pernicha and Sedky does not explicitly teach but Tuatini teaches specifies whether the policy can be configured as a Groovy script ([0079], “In other implementations the script or scripts can use "Groovy"”).
Sondhi, Maes, Pernicha, Sedky and Tuatini are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tuatini with the combined teaching of Sondhi, Maes, Pernicha and Sedky. The motivation/suggestion would have been to provide specific services (Tuatini, [0079]) for helping implementing the declarative policy.

Claims 8, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Sedky et al. (US 10,819,747 A1) and further in view of Szabo et al. (US 2015/0142948 A1).
Regarding Claim 8, the combined teaching of Sondhi, Maes, Pernicha and Sedky does not explicitly teach but Szabo teaches wherein each condition comprises an IF/THEN/ELSE statement ([0083], “condition 502 may be arranged to generate a true or false result, such as, result 506. If result 506 is TRUE, action 504 may execute. If result 506 is FALSE, the action may be barred from execution and the system may enter another state, such as, state 508”).
Sondhi, Maes, Pernicha, Sedky and Szabo are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to 

Regarding Claim 9, the combined teaching of Sondhi, Maes, Pernicha and Sedky does not explicitly teach but Szabo teaches wherein each condition group comprises a Boolean combination of one or more conditions using OR/AND/NOT operators ([0085], “one or more condition expressions may be combined together using various operators, such as, Boolean operators”).
Sondhi, Maes, Pernicha, Sedky and Szabo are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Szabo with the combined teaching of Sondhi, Maes, Pernicha and Sedky. The motivation/suggestion would have been to help implementing the declarative policy.

Regarding Claim 10, the combined teaching of Sondhi, Maes, Pernicha and Sedky does not explicitly teach but Szabo teaches wherein each rule comprises a Boolean combination of one or more condition groups or conditions using OR/AND/NOT operators and defines a value to be returned if the Boolean combination is evaluated positively ([0085], “one or more condition expressions may be combined together using various operators, such as, Boolean operators”, [0124], “the computed operands may be returned in a list of name-value pairs”).
.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Sondhi et al. (US 2015/0089569 A1) in view of Stephane H. Maes  (US 2011/0126261 A1) further in view of Hugo Filipe Parreira Pernicha (US 2016/0191466 A1) and further in view of Sedky et al. (US 10,819,747 A1) and further in view of Vaidya et al. (US 2018/0063194 A1).
Regarding Claim 16, the combined teaching of Sondhi, Maes, Pernicha and Sedky does not explicitly teach but Vaidya teaches wherein the declarative policy is configured using JavaScript Object Notation (JSON) ([0177], “a script uses a JSON based REST API to define the template policy”).
Sondhi, Maes, Pernicha, Sedky and Vaidya are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya with the combined teaching of Sondhi, Maes, Pernicha and Sedky. The motivation/suggestion would have been to make it convenient for programs to consume (or utilize) the network virtualization platform policy (Vaidya, [0071]).

Allowable Subject Matter
Claims 7, 11 and 25 are objected to as being dependent upon rejected base claims 1 and 20, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497