DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 9/1/2020.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kung et al. (US 20180234459, provisional applications filed on 1/23/2017, 1/24/2017 and 3/27/2017) (hereinafter Kung).
Regarding claim 1, Kung discloses a method for facilitating creation of a segmentation policy controlling communications between a plurality of workloads, the method comprising: identifying a user group associated with an administrator logged into an administrative client accessing a segmentation server (Kung: for example, paragraphs , 0065, 0127, 0128, 0206 and figures 3-4, “it may be desirable to use additional mechanisms to identify the user, instead of relying only on its IP address, such that only the authorized user is allowed to access the workload unit”… “The agent monitors network traffic generated by the user and intercept requests to access workload units managed by the policy manager. If the agent detects such an attempt, it forwards a request to access the workload unit to the policy manager on behalf of the user. The policy manager checks if the user is authorized to access the workload unit by checking the set of application level policy rules for that workload unit” 
); identifying, from a user group database, a group of label sets associated with the user group (Kung: paragraphs 0144-0145, 0164, 0232, 0241 and 0244, “Logical group assigned. A logical group can also define “assign” attributes in addition to the "selection" attributes. "Assign" attributes are automatically added to resources that are selected as member of the logical group”... “When a role allows a user to use the application to access objects assigned to multiple organizations and to create a logical object, the application allows the user to select and assign one of the organizations to be the owner of the new logical object”); identifying, from a workload database, a subset of workloads of the plurality of workloads relevant to the user group, the subset of workloads having at least one of the group of label sets associated with the user group (Kung: paragraphs 0167-0168 and 0244-0245, “users access the contextual security platform through an API and/or a user interface and define security policies and logical groups. Users also configure the selection criteria of resource membership in each logical group).”… “When a role allows a user to use the application to access objects assigned to multiple organizations and to create a logical object, the application allows the user to select and assign one of the organizations to be the owner of the new logical object”); configuring a user interface of the administrative client to enable the administrator to provide via the administrative client, a configuration for a limited portion of the segmentation policy that comprises a set of rules for controlling communications associated with the subset of workloads relevant to the user group, and to restrict the administrator from configuring at least a second portion of the segmentation policy not applicable to the subset of workloads (Kung: paragraphs 0211 and 0212, “The computer network security management application is programmed to allow a user to configure one or more administrators--for example, persons responsible for global security policies for an enterprise--to be given access to all organizations within the enterprise”… “the computer network security application may be programmed to allow a local organization using the application to select a global policy available to the local organization, in which case the local organization cannot modify the policy and can only use policies that were previously defined and are pre-approved. Second, the computer network security application may also allow a local organization to create and deploy, using the application, its own policies, but only if the policies are allowed by constraints defined by the global organization and enforced by the application”); receiving the configuration from the administrative client (Kung: paragraphs 0167-0168, 0243 and 0247, “For example, if a security group is configured to enforce a "white list communication policy," the IP address of a resource is used to configure security group with allowed traffic based on which remote resource a given resource is allowed to communicate to and from.”); generating management instructions for enforcing the set of rules (Kung: paragraphs 0170, 0202 and 0257-0258, “the computer network security application is programmed to allow a user assigned a role to access in read-only mode (regardless of the role privileges) policies for which attributes (of the associated logical group) are public or exported to a local organization that the role can access. The attributes do not need to be approved to have read access privilege to the corresponding communication policies associated with the attributes.”); and sending the management instructions to respective enforcement modules associated with the subset of workloads, wherein the respective enforcement modules configure traffic filter to enforce the set of rules based on the management instructions (Kung: paragraphs 0205, 0243 and 0256-0258, “Security policies can be applied to security mechanisms to automatically enforce the required environmental separation.”… “generate and provision rules to one or more infrastructure network security enforcement mechanisms within the computer system's infrastructure that will allow communication between two points in the network only allowed if there is a policy rule that explicitly allows that communication and there is no rule that explicitly blocks it”).
Regarding claim 10, claim 10 recites a medium claim that is substantially equivalent to the method of claim 1. Therefore, the reasoning set forth above with respect to claim 1 is equally applicable to claim 10, and claim 10 is rejected for the same reasons.
Regarding claim 18, claim 18 recites a system claim that is substantially equivalent to the method of claim 1. Therefore, the reasoning set forth above with respect to claim 1 is equally applicable to claim 18, and claim 18 is rejected for the same reasons.
Regarding claims 2, 11 and 19, Kung discloses further comprising: monitoring traffic flows associated with the subset of workloads (Kung: paragraphs 0172 and 0199, “Data flows with context information can be graphically visualized in the UI or accessed through the API, exposing current and historical communication among any arbitrary group of resources and logical groups. This visualization exposes the required communication for the applications and services running in the environment. This is useful both for debugging applications and network connectivity, but also for defining communication policies”); generating a traffic flow graph based on the monitored traffic flows, the traffic flow graph comprising a plurality of nodes representing the subset of workloads, and a plurality of edges representing the monitored traffic flows between the subset of workloads (Kung: paragraphs 0172 and 0199); generating a graphical representation of the traffic flow graph (Kung: paragraphs 0172 and 0199, “Generating visualizations of the entire hybrid/multi-cloud environment--not just cloud resources, but virtualized and bare metal environments as well”); and outputting the graphical representation of the traffic flow graph to the administrative client (Kung: paragraphs 0172-0173 and 0207, “Based on flow information observed in a user selected time period, the contextual security platform automatically computes "white list communication policies" needed for a group of selected resources or logical groups.”… “Allowing for or supporting use of visualization/logging can include insight into real-time data flows, workloads, applications, services, containers and more. Continuous monitoring can compare workload data flows to actual policies to alert on malicious activity, and continuously watch the cloud native enforcement points to make sure they are not altered and are in compliance with intended policies”).
Regarding claims 3 and 12, Kung discloses wherein generating the set of rules comprises: generating a rule permitting any communications between workloads having a same predefined label set (Kung: paragraphs 0065 and 0066, “Both users U1 and U2 should be allowed to access a service offered by workload W1.1, and User U2 should also be allowed to access a service offered by workload W2.1.”… “an application level security policy specification defines a set of rules, R1 to R6, that specify which workloads and users may communicate with each other and the type of service that can be provided through that communication. These rules enable the communication pattern between a "client" of a given service (S1, S2, S3 and S4 are for examples that are given) and a "provider" of that service required for correct operation of the applications and also to enable users to access the workload units for which they are authorized to use”).
Regarding claims 4, 13 and 20, Kung discloses wherein generating the set of rules comprises: monitoring traffic flows associated with the subset of workloads (Kung: paragraphs 0149 and 0153, “Incoming and outgoing network traffic flows for infrastructure resources are captured and mapped to logical groups containing the monitored infrastructure information. This allows the system to identify and expose the communication requirements needed for the logical objects defined by the logical groups”); and generating the set of rules based on the monitored traffic flows, the set of rules permitting the monitored traffic flows (Kung: paragraphs 0128 and 0149, “The agent monitors network traffic generated by the user and intercept requests to access workload units managed by the policy manager. If the agent detects such an attempt, it forwards a request to access the workload unit to the policy manager on behalf of the user. The policy manager checks if the user is authorized to access the workload unit by checking the set of application level policy rules for that workload unit”).
Regarding claims 5 and 14, Kung discloses wherein generating the set of rules comprises: detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads (Kung: paragraphs 0065-0066, 0160 and 0272-0274, “there is no need to manually reconfigure and change security mechanisms because, for example, an IP address changes. A process within the contextual security platform will automatically detect and update the configuration automatically based on higher level policies.”); determining a first label set associated with the first workload and a second label set associated with the second workload (Kung: paragraphs 0065 and 0066, “an application level security policy specification defines a set of rules, R1 to R6, that specify which workloads and users may communicate with each other and the type of service that can be provided through that communication. These rules enable the communication pattern between a "client" of a given service (S1, S2, S3 and S4 are for examples that are given) and a "provider" of that service required for correct operation of the applications and also to enable users to access the workload units for which they are authorized to use”); and generating a rule permitting communications between workloads having the first label set and workloads having the second label set (Kung: paragraphs 0065 and 0066, “Both users U1 and U2 should be allowed to access a service offered by workload W1.1, and User U2 should also be allowed to access a service offered by workload W2.1.”… “an application level security policy specification defines a set of rules, R1 to R6, that specify which workloads and users may communicate with each other and the type of service that can be provided through that communication. These rules enable the communication pattern between a "client" of a given service (S1, S2, S3 and S4 are for examples that are given) and a "provider" of that service required for correct operation of the applications and also to enable users to access the workload units for which they are authorized to use”).
Regarding claims 6 and 15, Kung discloses wherein generating the set of rules comprises: detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads (Kung: paragraphs 0069, 0076 and 0116, “The policy will specify, in addition to the logical groups, a network protocol (TCP, UDP, ICMP are well known examples of network protocols, but there are many others) and port number (for protocols that support port number) that is allowed between the two groups. Only explicitly defined communication is allowed. If a communication is not defined in the policy, then it is not allowed. White list communication policies (those including a rule with an "allow" action) are used by certain of the processes described herein to configure and check security groups and/or host firewall mechanisms”); detecting one or more ports and one or more protocols over which the traffic flow is communicated (Kung: paragraphs 0116-0117, “To generate the egress rules in step 604, the service is mapped to the following possible parameters: 1) a protocol (such as TCP, UDP, ICMP, or any other IP protocol), 2) the IP protocol version (IPV4 or IPV6), and 3) a port number used by the service (if supported by the protocol). The workload unit provider is mapped to an additional set of parameters that can be used by each selected network enforcement mechanism to identify the destination of the network traffic at the enforcement point”); determining a first label set associated with the first workload and a second label set associated with the second workload (Kung: paragraphs 0076, 0122 and 0128-0129); and generating a rule permitting communications using the one or more ports and the one or more protocols between workloads having the first label set and workloads having the second label set (Kung: paragraphs 0076, 0122 and 0128-0129, “The mechanism described above may allow access from non-authorized users that share the same IP address with the authorized user for a short period of time. After the temporary ingress security rule is added, all users with that IP address are able to send packets to the workload unit, until the rule is replaced with the rule that include the correct source port of the authorized user. This can avoided by having the agent running on the same node as the workload unit to block all traffic from the user IP address (except maybe for traffic from other users already authorized) until the final ingress rule is created”).
Regarding claims 7 and 16, Kung discloses wherein generating the set of rules comprises: determining that the user group has limited ruleset creation privileges (Kung: paragraphs 0211-0212, “limiting the policies that can be created by the local organizations assigned to a specific line of business or department; and define attribute constraint rules for global and exported attributes.”); and generating the set of rules to only include rules permitting communications between pairs of workloads in the subset of workloads that both have at least one of the group of label sets associated with the user group (Kung: paragraphs 0212-0213, “The computer network security application thus addresses technical problems of securing a large computer network against unauthorized access while allowing multiple groups or local organizations within the enterprise to define security policies for computing network resources that each group or local organization uses”).
Regarding claims 8 and 17, Kung discloses wherein generating the set of rules comprises: determining that the user group has expanded ruleset creation privileges (Kung: paragraph 0257, “For those communication policies the role can permit the user to read and/or modify using the computer network security application the communication policies based on the privileges assigned to the role”); and generating the set of rules to include rules permitting communications in which a workload in the subset of workloads having at least one of the group of label sets associated with the user group provides a service to a workload outside the subset of workloads (Kung: paragraphs 0257 and 0258-0259, “In addition, the computer network security application is programmed to allow a user assigned a role to access in read-only mode (regardless of the role privileges) policies for which attributes (of the associated logical group) are public or exported to a local organization that the role can access. The attributes do not need to be approved to have read access privilege to the corresponding communication policies associated with the attributes.”).
Regarding claim 9, Kung discloses wherein generating the management instructions comprises: storing the rules to a rules database (Kung: paragraphs 0050 and 0211-0212, “Data used by the processes of the contextual security platform is written to, and read from, one or more databases, represented by generic database 204, which store the information. The information being stored includes application level security policies 206, a listing of logical groups (explained below) 208, a system model comprising a database 210 of information on resources within the infrastructure of the computer network being secured, and a collection of information on contextual network flows”); identifying access of the segmentation server by a provisioner associated with a provisioner user group (Kung: paragraphs 0163 and 0211-0212, “a user configures the contextual security platform to access an infrastructure service provider account by entering account credentials to allow access to the application programming interface of the infrastructure provider API.”); generating a provisioner user interface presenting the rules for review (Kung: paragraphs 0172 and 0211-0212, “Data flows with context information can be graphically visualized in the UI or accessed through the API, exposing current and historical communication among any arbitrary group of resources and logical groups”); and generating the management instructions responsive to receiving confirmation from the provisioner via the provisioner user interface to implement the rules (Kung: paragraphs 0172-0173 and 0211-0212, “Based on flow information observed in a user selected time period, the contextual security platform automatically computes "white list communication policies" needed for a group of selected resources or logical groups. Policies that allow only the communication defined by the observed flows are created but no other one. Optionally the user has the option to extend the policy to include additional protocols, ports, resources or logical groups.”).
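The label-scoped rule generation recited in claims 1, 4-6, 7 and 8 above, modeled as an added illustration for the reader; this is neither code from the application under examination nor from Kung, and the workloads, label sets, flows and the "limited"/"expanded" privilege names are constructed for the example.

```python
"""Toy model of label-scoped segmentation policy generation (illustration only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Labels = FrozenSet[str]

# Constructed workload database: workload name -> the labels it carries.
WORKLOADS: Dict[str, Labels] = {
    "web-1": frozenset({"role:web", "env:prod", "app:store"}),
    "web-2": frozenset({"role:web", "env:prod", "app:store"}),
    "db-1": frozenset({"role:db", "env:prod", "app:store"}),
    "lb-1": frozenset({"role:lb", "env:prod", "app:shared"}),
    "db-2": frozenset({"role:db", "env:dev", "app:billing"}),
}

# Constructed user-group database: group -> (label sets it owns, privilege level).
USER_GROUPS: Dict[str, Tuple[List[Labels], str]] = {
    "store-admins": ([frozenset({"app:store"})], "limited"),
    "store-leads": ([frozenset({"app:store"})], "expanded"),
}

# Constructed observed traffic flows: (source, destination, protocol, port).
FLOWS = [
    ("web-1", "db-1", "tcp", 5432),
    ("web-2", "db-1", "tcp", 5432),
    ("lb-1", "web-1", "tcp", 443),   # a shared LB consuming a store service
    ("web-1", "db-2", "tcp", 5432),  # store web reaching a billing DB outside scope
]


@dataclass(frozen=True)
class Rule:
    consumer: Labels   # label set of the workload initiating the connection
    provider: Labels   # label set of the workload offering the service
    protocol: str
    port: int


def relevant_workloads(group: str) -> Set[str]:
    """Subset of workloads carrying at least one of the group's label sets."""
    label_sets, _ = USER_GROUPS[group]
    return {w for w, labels in WORKLOADS.items() if any(ls <= labels for ls in label_sets)}


def rules_from_flows(group: str) -> Set[Rule]:
    """Derive label-based allow rules from observed flows, limited to the group's scope."""
    scope = relevant_workloads(group)
    _, privilege = USER_GROUPS[group]
    rules: Set[Rule] = set()
    for src, dst, proto, port in FLOWS:
        if dst not in scope:
            continue  # no privilege level may open services that lie outside the scope
        if privilege == "limited" and src not in scope:
            continue  # limited groups: both endpoints must be in scope (claims 7/16)
        rules.add(Rule(WORKLOADS[src], WORKLOADS[dst], proto, port))  # expanded: claims 8/17
    return rules


def management_instructions(rules: Set[Rule]) -> Dict[str, List[str]]:
    """Per-workload traffic-filter instructions for the enforcement modules."""
    out: Dict[str, List[str]] = {}
    for rule in sorted(rules, key=lambda r: (r.protocol, r.port, sorted(r.provider))):
        for w, labels in WORKLOADS.items():
            if rule.provider <= labels:
                out.setdefault(w, []).append(f"allow-in {rule.protocol}/{rule.port} from {sorted(rule.consumer)}")
            if rule.consumer <= labels:
                out.setdefault(w, []).append(f"allow-out {rule.protocol}/{rule.port} to {sorted(rule.provider)}")
    return out
```

The flow from web-1 to db-2 never produces a rule for either group because db-2 carries none of the group's label sets; the lb-1 to web-1 flow produces a rule only for the expanded-privilege group.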

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TRANG T DOAN/Primary Examiner, Art Unit 2431