DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to application 16/848,265 filed on 4/14/2020.
Claims 1-15 have been examined and are pending in this application.
The examiner notes the IDS filed 4/14/2020 has been considered.

Claim Objections
Claims 1, 7 and 15 are objected to because of the following informalities:
Regarding Claims 1, 7 and 15; claims 1, 7 and 15 recite “user’s identification information”. For better clarity, the examiner suggests removing the possessive “user’s” by amending the limitation to “identification information of a user”. Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-14 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding Claim 1; the claim calls for an apparatus. However, the claimed apparatus does not include any hardware embodiments. As recited in the body of the claim, the claimed apparatus contains: “a processor”. One of ordinary skill in the art would understand that “processor” could be implemented in software (see the Authoritative Dictionary of IEEE, Seventh Edition, published in Dec. 2000). The nominal recitation to an "apparatus" in the preamble does not limit the body of the claim as it only states the invention's purpose or intended use; see Catalina Marketing Int'l, Inc., v. Coolsavings.com Inc., 289 F.3d 801, 808 (Fed. Cir. 2002). The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.

Regarding claims 2-6; Claims 2-6 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.


Regarding Claim 7; the claim calls for an apparatus. However, the claimed apparatus does not include any hardware embodiments. As recited in the body of the claim, the claimed apparatus contains: “a processor”. One of ordinary skill in the art would understand that “processor” could be implemented in software (see the Authoritative Dictionary of IEEE, Seventh Edition, published in Dec. 2000). The nominal recitation to an "apparatus" in the preamble does not limit the body of the claim as it only states the invention's purpose or intended use; see Catalina Marketing Int'l, Inc., v. Coolsavings.com Inc., 289 F.3d 801, 808 (Fed. Cir. 2002). The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.

Regarding claims 8-14; Claims 8-14 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 12-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding Claim 12; Claim 12 recites the limitation "the authority" in line 4. The examiner notes it is unclear on which authority (i.e. “first authority” or “second authority”) the service is usable. There is insufficient antecedent basis for this limitation in the claim.

Regarding claims 13 and 14; Claims 13 and 14 depend on claim 12 and therefore inherit the 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, issues.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1 is rejected under 35 U.S.C. 102(a)(2) as being anticipated by Dayan (US 2021/0136084 A1).

Regarding Claim 1;
Dayan discloses an information processing apparatus (FIG. 1) comprising: 
a processor (FIG. 1) configured to: 
obtain first authority information indicating possession of authority over a server, the first authority information being associated with user's identification information, and second authority information indicating possession of authority over the server that is different from authority indicated by the first authority information ([0006] and [0039] - As disclosed herein, an identity may be a user account, machine account, application account, or any other type of account that can be established and associated with a particular user, machine, or application in a computer network... Identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and [0040] and [0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0056]);
accept a request for the server ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106);
([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206); I.E. As constructed the least-privileged security level needed for a given request (i.e., write, see [0056]); and
in a case where the request is not executable with authority based on the first authority information and is executable with authority based on the second authority information, add the second authority information to the request and send the request with the second authority information to the server ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206) I.E. As constructed the least-privileged security level needed for a given request (i.e., read, see [0056]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1).

Regarding Claim 2;
Dayan discloses the apparatus to Claim 1.
Dayan further teaches ...the processor adds the first authority information to the request and sends the request with the first authority information to the server ([0035] - In the disclosed embodiments, systems for implementing least-privilege access to and control of target network resources are described. In some embodiments, systems may implement least-privilege code execution on target network resources. Disclosed embodiments enable any identity, application, service, user, etc. to access and execute functions on a remote resource securely, with least-privileges (i.e., a minimal scope of needed privileges, and/or a minimal duration of privileges) and [0039] and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0064]).
Dayan does not explicitly disclose wherein, in a case where the request is executable with both authority based on the first authority information and authority based on the second authority information.
The examiner notes it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention from the teachings of Dayan to render obvious wherein, in a case where the request is executable with both authority based on the first authority information and authority based on the second authority information as Dayan teaches from [0039] - identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and from [0055] – For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206; thus as reasonably constructed defined levels of least privilege could range from Level 1 – read, Level 2 – write, and as constructed Level 3 - read/write, to Level N root access, etc. thus having levels that can contain the features from a different level.
 (Dayan, [0004])

Regarding Claim 3;
Dayan and Dayan’s obviousness discloses the apparatus to Claim 2.
	Dayan further teaches concepts of second authority information ([0039] and [0055]).
Dayan does not explicitly disclose wherein authority based on the second authority information is authority that includes a range of authority based on the first authority information and that further extends beyond the range toward a predetermined range.
The examiner notes it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention from the teachings of Dayan to render obvious wherein authority based on the second authority information is authority that includes a range of authority based on the first authority information and that further extends beyond the range toward a predetermined range as Dayan teaches from [0039] - identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and from [0055] – For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206; thus as reasonably constructed defined levels of least privilege could range from Level 1 – read, Level 2 – write, and as constructed Level 3 - read/write, to Level N root access, etc. thus having levels that can contain the features from a different level.
One would have been motivated by Dayan to propose such a combination as it enables access and enables certain functions, without providing the remote resource with more privileges than necessary to complete its functions (Dayan, [0004]).

Regarding Claim 4;
Dayan and Dayan’s obviousness discloses the apparatus to Claim 3.
Dayan further teaches wherein, in a case where a restriction is individually set to authority based on the first authority information associated with the identification information ([0055] – least-privileged [0056]-[0057] – write and read), the processor does not accept a request affected by the restriction even in a case where the request is executable with authority based on the second authority information ([0057] – full administrator privileges).

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Uchikawa (US 2012/0260333 A1).

Regarding Claim 5;
Dayan discloses the apparatus to Claim 1.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Dayan fails to explicitly disclose wherein the processor inquires of the server whether, out of the obtained first authority information and second authority information, at least the second authority information is valid for the server.
However, in an analogous art, Uchikawa teaches wherein the processor inquires of the [device] whether, out of the obtained first authority information and second authority information, at least the second authority information is valid for the [device] (Uchikawa, FIG. 11 and FIG. 14 and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Uchikawa to the apparatus and server of Dayan to include wherein the processor inquires of the [device] whether, out of the obtained first authority 
One would have been motivated to combine the teachings of Uchikawa to Dayan to do so as it provides / allows easily determine which user’s profile... an operation for executing  a function is performed (Uchikawa, [0023]).

Regarding Claim 6;
Dayan and Uchikawa disclose the apparatus to Claim 5.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Uchikawa further teaches wherein the processor inquires of the [device] before accepting the request, and, in accordance with a result of the inquiry, does not accept the request that is not executable with authority based on the second authority information (Uchikawa, FIG. 11 and FIG. 14 – User B Cannot execute this Function... and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).



Claims 7-9, 10 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1).

Regarding Claim 7;
Dayan discloses an information processing apparatus (FIG. 1) comprising: 
a processor (FIG. 1) configured to: 
	obtain user’s identification information ([0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106);
...a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority ([0006] and [0039] - As disclosed herein, an identity may be a user account, machine account, application account, or any other type of account that can be established and associated with a particular user, machine, or application in a computer network... Identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and [0040] and [0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0056]);
	accept an operation performed by the user... ([0056] – write... read);
in a case where the selected service is a service usable based on the first authority, output an execution request for the service based on the first authority ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206); I.E. As constructed the least-privileged security level needed for a given request (i.e., write, see [0056]); and
and in a case where the selected service is a service that is unusable based on the first authority and that is usable based on the second authority, output an execution request for the service based on the second authority ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206) I.E. As constructed the least-privileged security level needed for a given request (i.e., read, see [0056]);
Dayan fails to explicitly disclose display, on a display device, a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority; accept an operation performed by the user to select a service.
However, in an analogous art, Agarwal teaches similar concepts of 
obtain user’s identification information (Agarwal, col. 3, lines 64-col. 4, lines 9 - In some examples, prior to requesting access to the computing resource, the user may first be required to log-on or connect to a computing service that provides the computing resource. In some cases, certain security information, such as a username, account, password and/or other identifiers, may be required in order to connect to the computing service. In some cases, the security information that is required to connect to the computing service may be referred to as service-level security information, while the security information that is required to access the computing resource may be referred to as resource-level security information);
display, on a display device, a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority (Agarwal FIG. 4 – Administrative Mode and Test Mode and FIG. 11 and col. 6, lines 24-34 and col. 10, lines - At operation 1116, a first instance of the resource-level security information is generated for accessing the computing resource. The first instance of the resource-level security information may be generated based, at least in part, on the request received at operation 1114. As set forth above, in some examples, the resource-level security information may include a password or other identifier. Also, in some examples, the first instance of the resource-level security information may include a particular value for the password or other identifier. The first instance of the resource-level security information may be for accessing the computing resource in, for example, an administrative mode and/or a test mode);
 accept an operation performed by the user to select a service (Agarwal FIG. 4);
in a case where the selected service is a service usable based on the first authority, output an execution request for the service based on the first authority; (Agarwal FIG. 4 and FIG. 11); and 
in a case where the selected service is a service that is unusable based on the first authority and that is usable based on the second authority, output an execution request for the service based on the second authority. (Agarwal FIG. 4 and FIG. 11).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Agarwal to the apparatus and server of Dayan to include display, on a display device, a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority; accept an operation performed by the user to select a service.
One would have been motivated to combine the teachings of Agarwal to Dayan to do so as it allows security information to assist in limiting access to the computing resources to authorized or other appropriate users (Agarwal, col. 2, lines 19-21).



Regarding Claim 8;
Dayan and Agarwal disclose the apparatus to Claim 7.
Agarwal further teaches wherein the processor displays, on the display device, a service usable based on the first authority and a service usable based on the second authority without distinction (Agarwal, FIG. 4).

Regarding Claim 9;
Dayan and Agarwal disclose the apparatus to Claim 8.
Dayan further teaches ... the processor outputs an execution request for the service based on the first authority ([0035] - In the disclosed embodiments, systems for implementing least-privilege access to and control of target network resources are described. In some embodiments, systems may implement least-privilege code execution on target network resources. Disclosed embodiments enable any identity, application, service, user, etc. to access and execute functions on a remote resource securely, with least-privileges (i.e., a minimal scope of needed privileges, and/or a minimal duration of privileges) and [0039] and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0064]).
While Dayan and Agarwal do not explicitly disclose wherein, in a case where the selected service is usable based on both the first authority and the second authority, the processor outputs an execution request for the service based on the first authority.
[0039] - identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights] and from [0055] – For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206.; thus as reasonably constructed defined levels of least privilege could range from Level 1 – read, Level 2 – write, and as constructed Level 3 - read/write, to Level N root access, etc. thus having levels that can contain the features from a different level.  
One would have been motivated by Dayan to propose such a combination as provides / allows enable access and enable certain functions, without providing the remote resource with more privileges than necessary to complete its functions (Dayan, [0004]).


Regarding Claim 10;
Dayan and Agarwal disclose the apparatus to Claim 8.
Dayan further teaches wherein, in a case where an unusable service is individually set to the first authority associated with the identification information ([0055] – least-privileged [0056]-[0057] – write and read), the processor does not accept selection of the service even in a case where the service is usable based on the second authority ([0057] – full administrator privileges).

Regarding Claim 15; claim 15 is directed to a medium associated with the apparatus claimed in claim 7. Claim 15 is similar in scope to claim 7, and is therefore rejected under similar rationale.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1) and further in view of Lloyd et al. (US 2017/0126689 A1).

Regarding Claim 11.
Dayan and Agarwal disclose the apparatus to Claim 10.
Dayan further teaches ... an unusable service individually set to the first authority even in a case where the service is usable based on the second authority ([0055] – least-privileged [0056]-[0057] – write and read... ([0057] – full administrator privileges).
Agarwal further teaches wherein the processor, [displays] on the display device, a... service ... set to the first authority [and] a service is usable based on the second authority (Agarwal, FIG. 5).
Dayan and Agarwal fail to explicitly disclose wherein the processor does not display, on the display device, an unusable service individually set to the first authority....
However, in an analogous art, Lloyd teaches wherein the processor does not display, on the display device, an unusable service individually set to the first authority... (Lloyd, [0168]).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Lloyd to the unusable service individually set to the first authority even in a case where the service is usable based on the second authority server of Dayan and Agarwal to include wherein the processor does not display, on the display device, an unusable service individually set to the first authority....
One would have been motivated to combine the teachings of Lloyd to Dayan and Agarwal to do so as it provides / allows independent control access to each of the interactive user components... (Lloyd, [0002]).

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1) and further in view of Uchikawa (US 2012/0260333 A1).

Regarding Claim 12.
Dayan and Agarwal disclose the apparatus to Claim 7.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Dayan and Agarwal fail to explicitly disclose wherein, when the processor obtains the identification information, the processor inquires of the server, regarding at least the second authority, whether each service is usable based on the authority.
However, in an analogous art, Uchikawa teaches wherein, when the processor obtains the identification information, the processor inquires of the [device], regarding at least the second authority, whether each service is usable based on the authority. (Uchikawa, FIG. 11 – User Authority of User A, B, and Anonymous User and FIG. 14 and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Uchikawa to the apparatus and server of Dayan and Agarwal to include wherein, when the processor obtains the identification information, the 
One would have been motivated to combine the teachings of Uchikawa to Dayan and Agarwal to do so as it provides / allows easily determine which user’s profile... an operation for executing  a function is performed (Uchikawa, [0023]).

Regarding Claim 13.
Dayan and Agarwal and Uchikawa disclose the apparatus to Claim 12.
Uchikawa further teaches wherein the processor does not accept selection of an unusable service on a basis of a result of the inquiry to the server (Uchikawa, FIG. 11 – User Authority of User A, B, and Anonymous User and FIG. 14 – User B Cannot execute this Function... and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).

Regarding Claim 14.
Dayan and Agarwal and Uchikawa disclose the apparatus to Claim 12.
Agarwal further teaches wherein the processor displays, on the display device, a service usable based on the first authority and a service usable based on the second authority on a basis of a result of the inquiry to the server (Agarwal, FIG. 5).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385.  The examiner can normally be reached on Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439