DETAILED ACTION

This communication is in response to Application No. 16/257,878 filed on 1/25/2019. The amendment presented on 9/1/2021, which amends claims 1-19, is hereby acknowledged.  Claims 1-20 have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The amendment to the Title "Requester/Service Combined Permission Functional Interface Access System” has been considered and is acceptable.

Claim Objections
Claims 1, 7, and 13 are objected to because of the following informalities:
In claim 1, line 5, “requestor” should be corrected as –requester-- . Similar correction should be made for claims 7 and 13.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1, 2, 6-8, 12-14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gottumukkala et al. (hereinafter Gottumukkala)(US 2011/0162057) in view of Haserodt et al. (hereinafter Haserodt)(US 2016/0112539).
Regarding claims 1, 7, and 13, Gottumukkala teaches as follows:
an electronic device (interpreted as computer device 302 in figure 3) for service access (Computing device 302 includes a resource access module 306 (see, paragraph [0029]). Resource access module 306 communicates a request to access a resource 320 (see, paragraph [0032] and figure 3)), comprising: 
a processor (602 in figure 6); and 
a memory (606 in figure 6) having computer program instructions stored thereon, the processor executing the computer program instructions in the memory to control the electronic device to perform acts (an example computing device 600 that can be configured to implement the access control based on user and service in accordance with one or more embodiments.  Computing device 600 can be, for example, a computing device 302 of FIG. 3, see, paragraph [0058] and figure 6) comprising: 
receiving, from a requester, a request for accessing a first functional interface of a first service of a plurality of services (a request for a particular type of access to a resource is received (act 502), see, paragraph [0051] and figure 5);  
determining, in response to the request, a first combined permission of the requester to access a plurality of functional interfaces of the plurality of services (if the 
determining a second combined permission (interpreted as service token) of the first service to access the plurality of functional interfaces of the plurality of services (the particular service 312 that receives the request also provides a service token to access control module 314.  This user token and service token together are referred to as the service and user token 110 of FIG. 1, see, paragraph [0039]); and 
controlling, based on the first combined permission and the second combined permission, access of the requester to the first functional interface (service 104 combines this identifier of the user with an identifier of service 104 to generate a service and user token 110 that is provided to access control module 108.  Service and user token 110 thus identifies to access control module 108 both the user associated with the request to access resource 106 and the service 104 through which the access is requested, see, paragraph [0020]).
Gottumukkala does not teach of identifying the access available for the requester or identifying the access available for the first service.
Haserodt teaches as follows:
a template (700 in figure 7) can be used to control per-user access to a service or per-customer access to a shared service 512 (see, paragraph [0092] and figure 5); 
a template 700 may comprise a number of data fields that can be provisioned by an end-user of a service and/or by a system administrator.  The types of data fields that user identifier field 704 and a plurality of service identifier fields 708, 712, 716 (see, paragraph [0093]-[0094] and figure 7);
a user identifier field identifying a subset of the plurality of users and a plurality of service identifier fields, each of the plurality of service identifier fields corresponding to a different service that is available to the identified subset of the plurality of users, wherein the one or more templates define access permissions for the identified subset of the plurality of users has with respect to each of the different services corresponding to the plurality of service identifier fields (see, claim 26 and figure 7)(equivalent to applicant’s identifying the access available for the requester);
the data structure 800 comprises hierarchically structured rules that enable a user to define any type of operating parameter, rule, or permission with respect to a particular service as long as it is within a permissible set of rules defined hierarchically by the provider of the service and the network 304 administrator (see, paragraph [0102] and figure 8); and
if the provider defines that a particular service can have one of three types of user interfaces, then the administrator, users, and groups may be allowed to pick which of the three interfaces are to be used by a particular user when accessing the service (see, paragraph [0103])(equivalent to applicant’s identifying the access available for the first service).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gottumukkala with Haserodt 
Regarding claims 2, 8, and 14, Gottumukkala teaches as follows:
determining, based on the first combined permission and the second combined permission, a third combined permission of the requester and the first service to access the plurality of services; and controlling, based on the third combined permission, the access of the requester to the first functional interface (the user token and service token are combined together into a single token by service 312. These tokens can be combined in a variety of different manners.  For example, a hash value can be generated by applying a hash algorithm to the identifiers from the user token and the service token, see, paragraph [0039]).
Regarding claims 6, 12, and 18, Gottumukkala teaches as follows:
wherein the requester comprises identification information of the requester, and wherein determining the first combined permission comprises: sending the identification information to a management device; and receiving, from the management device based on the identification information, the first combined permission (the access control module determines whether the requested access to the resource is permitted based on the identifier of the user and the service through which the resource is requested, and returns an indication of whether the requested access to the resource is permitted, see, paragraph [0012] and figure 5).


Claims 4, 5, 10, 11, 16, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gottumukkala et al. (hereinafter Gottumukkala)(US 2011/0162057) in .
Regarding claims 4, 10, and 16, Gottumukkala teaches as follows:
a request to access a resource on a computing device is received through a particular service. The resource can potentially be accessed through multiple different services (see, paragraph [0012]); and
whether the requested access is permitted through a different service 312 can be readily determined by access control module 314 based on the access control entries of the access control list 316 of the corresponding resource 320.  This indication of one or more other services 312 through which the requested access is permitted can be returned to access control module 306, and can be displayed or otherwise presented to a user (see, paragraph [0041]).
Gottumukkala in view of Haserodt does not teach the calling from a service to another service (authorizing two different services each other).
Yabe teaches as follows:
the access management service system includes an approval screen transmission unit configured to confirm whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, configured to transmit an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service (see, paragraph [0008]).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gottumukkala in view of Haserodt with 
Regarding claims 5, 11, and 17, Gottumukkala teaches as follows:
sending, to the second service in response to determining that the second functional interface is accessible to the requester, an indication associated with the first combined permission and the second combined permission (whether the requested access is permitted through a different service 312 can be readily determined by access control module 314 based on the access control entries of the access control list 316 of the corresponding resource 320.  This indication of one or more other services 312 through which the requested access is permitted can be returned to access control module 306, and can be displayed or otherwise presented to a user, see, paragraph [0041]).
Regarding claim 19, Gottumukkala in view of Haserodt teaches all limitations except for the well-known API.
Yabe teaches as follows:
a service cooperation table 400, which includes a service name column 401, an Application Program Interface column (hereinafter, referred to as "API column") 402, and a scope ID column 403, is stored in the service cooperation data management unit 303 (see, paragraph [0051]).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gottumukkala in view of Haserodt with Yabe to include the well-known Application Program Interface as taught by Yabe in order to efficiently interface the service.

Claims 3, 9, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Gottumukkala et al. (hereinafter Gottumukkala)(US 2011/0162057) in view of Haserodt et al. (hereinafter Haserodt)(US 2016/0112539), and further in view of Chidlovskii (US 6,347,314).
Regarding claims 3, 9, and 15, Gottumukkala teaches as follows:
the user token and service token are combined together into a single token by service 312. These tokens can be combined in a variety of different manners.  For example, a hash value can be generated by applying a hash algorithm to the identifiers from the user token and the service token (see, paragraph [0039]).
Gottumukkala teaches all limitations as presented above except for the logical AND operation to combine two binary strings.
Chidlovskii teaches as follows:
an operation "combines" items of data of the same length such as equal length signatures if the operation uses the items of data to obtain a combined item of data of the same length that includes information from the items of data that were combined.  For example, a logical operation such as AND-ing or OR-ing can be performed to combine binary strings (see, col. 5, lines 12-18).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gottumukkala in view of Haserodt with Chidlovskii to include the logical operation AND as taught by Chidlovskii in order to efficiently combine two binary strings. 

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Gottumukkala et al. (hereinafter Gottumukkala)(US 2011/0162057) in view of Haserodt et al. (hereinafter Haserodt)(US 2016/0112539), and further in view of Liu et al. (hereinafter Liu)(US 9,807,094).
Regarding claim 20, Gottumukkala teaches as follows:
service 330 also verifies the user token (equivalent to applicant’s permission) to computing device 304.  This verification of the user token can take different forms, such as including a statement (e.g., including a digital certificate) in the token that the user token is verified by service 330, and digitally signing the user token with a private key of service 330 (see, paragraph [0034]).
Gottumukkala in view of Haserodt does not teach the well-known form of Boolean value presenting the permission.  
Liu teaches as follows:
the systems described herein may perform step 312 in a variety of ways.  In some examples, access-control module 108 may determine whether to grant the user access to resource 208 based at least in part on an access-control condition involving the overall risk level for the attempt by the user.  For example, access-control module 108 may set and/or apply an access-control condition such that (1) in the event that the access-control condition is satisfied (or true), access to resource 208 is granted and (2) in the event that the access-control condition is not satisfied (or false), access to 
resource 208 is denied (see, col. 12, lines 28-54).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gottumukkala in view of Haserodt with Liu .

Response to Arguments
Applicant's arguments filed 10/2/2020 have been fully considered but they are not persuasive. 
Summary of Applicant’s Arguments
In the remarks the applicant argues as follows:
Regarding original claims 1, 7, and 13, Gottumukkala cannot support a rejection of the original independent claims, because the user token described in that reference is not a first combined permission of a requester to access a plurality of functional interfaces of a plurality of services, and the service token described in that reference is not a second combined permission of a first service to access the plurality of functional interfaces of the plurality of services

Response to Arguments:
	In response to applicant's argument on original claims 1, 7, and 13, Gottumukkala teaches the user token is a combined permission (a user token that has been authenticated by service 104 and/or another service that is trusted by service 104.  Service 104 combines this identifier of the user with an identifier of service 104 to generate a service and user token 110 that is provided to access control module 108 (see, paragraph [0020]). 

	Therefore the user token is a combined permission to access plurality of resources (the examiner interpreted the applicant’s service as providing access to resource).

Applicant’s arguments with respect to amended claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597.  The examiner can normally be reached on Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 






/JEONG S PARK/Primary Examiner, Art Unit 2454                                                                                                                                                                                                        
September 17, 2021