Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to application 16/458,173 filed on 06/30/2019. Claims 1, 8, and 15 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made non-FINAL. 

Examiner note
A computer readable storage includes, but is not limited to, RAM, ROM, EEPROM… Computer storage media excludes signals per se (See paragraph 0071 of the original specification).
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/18/2020 is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1, 7-8, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018).
Regarding claim 1, Prasad teaches an access management system for providing access to computing environments based on a multi-environment policy, the system comprising:
one or more processors (Prasad: fig. 9, par. 0052, processors); and 
one or more computer storage media storing computer-useable instructions (Prasad: fig. 9, par. 0053, computer-readable media) that, when used by the one or more processors, cause the one or more processors to execute: 
an access control manager configured for: 
receiving request values of a request associated with a computing environment, wherein the computing environment is associated with a multi-environment policy, wherein the multi-environment policy is configurable to define rules for approving access to, wherein the rules are defined based on access vectors having grouped computing environment aspects for control and visibility associated with accessing selected computing environments (Prasad: fig. 6, step 606; par. 0040, JIT access request from the DevOps personnel is received, as shown at block 606.  For instance, the JIT access request may be communicated from the portal on the DevOps device and received …  The JIT access request can specify a variety of information regarding the request, such as, for instance, information regarding the resource to be accessed, the requesting DevOps personnel (e.g., user identifier, team, role, etc.), whether an incident is identified, a type of incident, and the level/type of access requested; par. 0039, the system can be configured with any number of DevOps devices accessing any number of cloud computing environments.  For instance, the portal 116 on the DevOps device 102 can be configured to access other cloud computing environments in addition to the cloud computing environment 106.  Each cloud computing environment can have its own JIT policies for accessing resources within its production environment.  As such, different cloud computing environments can have different JIT policies); 
based on the request values, determining whether the request is computing environment, wherein the request values correspond to policy parameters of the multi-environment policy (Prasad: fig. 6. step 808; par. 0041, Based on the resource identified by the JIT access request, a JIT policy for the resource is retrieved from a database of JIT policies for resources within the production environment of the cloud computing environment, as shown at block 608); 
based on the multi-environment policy, communicating approval-request parameters of an approval-request to receive approval-request response values, wherein the approval-request parameters are associated with computing environment, wherein the approval-request parameters are defined based on the access vectors (Prasad: fig. 6, step 614; par. 0048, the JIT access request is sent to the operating personnel, as shown at block 614.  The operating personnel reviews details of the JIT access request and determines whether to approve the request); 
receiving the approval-request response values for the approval-request (Prasad: fig. 6, step 616; par. 0048; a determination is made at block 616 regarding whether approval is received.); and
(Prasad: fig. 6, step 616 & 620; par. 0048, If the JIT access is denied, a notice is sent to the DevOps device regarding the denial, as shown at block 618; par. 0049, if the JIT access is … approved by the operating personnel, the JIT access to the resource is provisioned for the DevOps personnel, as shown at block 620).
Prasad discloses that each cloud computing environment can have its own JIT policies but does not explicitly disclose the different computing environments being provider-controlled and customer-controlled.
However, in an analogous art, Geiger teaches policy based requesting/approval system across multiple hybrid clouds, wherein cloud management employing a policy based system to process scaling requests from workloads operating in hybrid cloud environment (Geiger: pars. 0036, 0040, hybrid cloud environment).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Geiger with the method and system of Prasad, wherein the different computing environments being provider-controlled and customer-controlled to provide users with means for providing ubiquitous access to shared pools of configurable system resources and higher-level services with minimal management effort, and allowing companies to avoid or minimize up-front IT infrastructure cost (Geiger: abstract, par. 0005).
Regarding claim 7, the combination of Prasad and Geiger teaches the system of claim 1. The combination of Prasad and Geiger further discloses approval-request parameters of an approval-request comprising an approval manager configured for: based on the approval-request parameters, receiving approval-request response values, where the approval response values include one or more of the following: a first value to approve or deny the approval-request (Prasad: fig. 6, step 616 & 620; par. 0048, If the JIT access is denied, a notice is sent to the DevOps device regarding the denial, as shown at block 618; par. 0049, if the JIT access is … approved by the operating personnel, the JIT access to the resource is provisioned for the DevOps personnel, as shown at block 620); a second value to selectively reduce or expand the scope of the approval request; and a third value to indicate a request for human intervention for identifying additional values for one or more approval-request parameters. 
Regarding claim 8, claim 8 is directed to one or more computer storage media (Prasad: par. 0053) having computer-executable instructions embodied thereon that, when executed, by one or more processors, cause the one or more processors to perform a method for providing access to computing environments based on a multi-environment policy associated with the method claimed in claim 1; claim 8 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 14, claim 14 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is directed to a computer-implemented method for providing access to computing environments based on a multi-environment policy 
Regarding claim 20, claim 20 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018), further in view of Thampy (“Thampy,” US 2019/0068627, published Feb. 28, 2019).
Regarding claim 2, the combination of Prasad and Geiger teaches the system of claim 1. The combination of Prasad and Geiger further discloses comprising an access management interface configured for: 
 receiving policy values of the policy parameters of multi-environment policy, wherein the policy parameters are based on the rules that are configured based on the access vectors (Prasad: fig. 6, step 606; par. 0040, JIT access request from the DevOps personnel is received, as shown at block 606.  For instance, the JIT access request may be communicated from the portal on the DevOps device and received …  The JIT access request can specify a variety of information regarding the request, such as, for instance, information regarding the resource to be accessed, the requesting DevOps personnel (e.g., user identifier, team, role, etc.), whether an incident is identified, a type of incident, and the level/type of access requested; par. 0039, the system can be configured with any number of DevOps devices accessing any number of cloud computing environments.  For instance, the portal 116 on the DevOps device 102 can be configured to access other cloud computing environments in addition to the cloud computing environment 106.  Each cloud computing environment can have its own JIT policies for accessing resources within its production environment.  As such, different cloud computing environments can have different JIT policies); 
Communicating the policy values to cause generation of the multi-environment policy, wherein the multi-environment policy is implemented based on submitted request values of requests for access to computing environments (Prasad: fig. 6, step 606; par. 0040, JIT access request from the DevOps personnel is received, as shown at block 606.  For instance, the JIT access request may be communicated from the portal on the DevOps device and received ...  The JIT access request can specify a variety of information  regarding the request, such as, for instance, information regarding the resource to be accessed, the requesting DevOps personnel (e.g., user identifier, team, role, etc.), whether an incident is identified, a type of incident, and the level/type of access requested; par. 0039, the system can be configured with any number of DevOps devices accessing any number of cloud computing environments.  For instance, the portal 116 on the DevOps device 102 can be configured to access other cloud computing environments in addition to the cloud computing environment 106.  Each cloud computing environment can have its own JIT policies for accessing resources within its production environment.  As such, different cloud computing environments can have different JIT policies); 
receiving the request for access to the computing environment based on request parameters, wherein the request parameters are based on the rules associated with the multi-environment policy (Prasad: fig. 6, step 606; par. 0040, par. 0039); 
(Prasad: fig. 6, step 606; par. 0040, par. 0039); and 
receiving the request response comprising one or more approval-request response values, wherein the request response indicates approval or denial of access to the provider-controlled computing environment or the customer-controlled computing environment (Prasad: fig. 6, step 616 & 620; par. 0048, If the JIT access is denied, a notice is sent to the DevOps device regarding the denial, as shown at block 618; par. 0049, if the JIT access is … approved by the operating personnel, the JIT access to the resource is provisioned for the DevOps personnel, as shown at block 620; Geiger: pars. 0036, 0040).
Prasad does not explicitly disclose wherein the access management interface includes graphical user interface elements associated with the access vectors.
However, in an analogous art, Thampy discloses cloud based security monitoring using unsupervised pattern recognition and deep learning, wherein the access management interface includes graphical user interface elements associated with the access vectors (Thampy: par. 0311, a security monitoring and control system can provide interfaces, such as graphical interfaces, for monitoring patterns in usage of services in a computing environment).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Thampy with the method and system of Prasad and Geiger, wherein the access management interface includes graphical user interface elements associated with the access vectors to provide users with a means for collecting data from sources to provide a greater depth of visibility (Thampy: abstract, par. 0066).
Claims 3, 10, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018), further in view of Bermudez et al. (“Bermudez,” US 2020/0074520, published Mar. 5, 2020).
Regarding claim 3, the combination of Prasad and Geiger teaches the system of claim 1. Prasad and Geiger do not disclose, wherein the access control manager comprises programmed instructions that define integrated access provisioning operations for combined provisioning of access to provider-controlled computing environments and customer-controlled computing environment, wherein the integrated access provisioning operations are based on a subscription classification that identifies a controlling subscriber of an identified computing environment. 
However, in an analogous art, Bermudez discloses subscription management platforms for automated group-based subscriptions, wherein operations are based on a subscription classification that identifies a controlling subscriber of an identified computing environment (Bermudez: par. 0031, the different groups of customers include different group identifiers, where each group identifier may be associated with customer identifiers that identify the customers in the group, third-party provider identifiers that identify the third-party providers offering the subscription, and/or subscription identifiers that identify the group-based subscriptions).
(Bermudez: abstract, par.0001, 0014, 0048).
Regarding claim 10, claim 10 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 16, claim 19 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Claims 4, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018), further in view of Buchholz et al. (“Buchholz,” US 2014/0181448, published Jun. 26, 2014).
Regarding claim 4, the combination of Prasad and Geiger teaches the system of claim 1. The combination of Prasad and Geiger Prasad discloses an access vector but does 
However, in an analogous art, Buchholz discloses tagging in a storage device, wherein an access vector includes a tag indicating a type of access to customer data associated with the access vector (Buchholz: par. 00981, In another example, information contained in a tag may be used to establish access rights associated with a logical block that is written.  For example, suppose in the above example that the logical block is being written for the first time after being erased.  The tag may contain access rights information that may identify one or more entities that may access the block after the block is written.  Moreover, the tag may include information that may indicate a type of access (e.g., read, write, delete) that may be permitted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Buchholz with the method and system of Prasad and Geiger, wherein an access vector includes a tag indicating a type of access to customer data associated with the access vector to provide users with means for acquiring the command issued by the entity to access the block in the storage device, associating the entity with the tag, e.g., default tag, and storing the information associating the tag with the block in the storage device, thus performing tagging in an efficient manner (Buchholz: abstract).
Regarding claim 11, claim 11 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Regarding claim 17.
Claims 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018), further in view of Ducray et al. (“Ducray,” US 2018/0227369, published Aug. 9, 2018).
Regarding claim 5, the combination of Prasad and Geiger teaches the system of claim 1.  Prasad and Geiger do not explicitly disclose wherein the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval. 
However, in an analogous art, Chakra discloses converged service computing platform, wherein the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval (Ducray: par. 0080, The cloud services infrastructure may include public, private, managed or hybrid cloud offerings and would include implementation of the appropriate network connectivity, including cloud provider firewall 436A, to support the traffic generated throughout the platform).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ducray with the method and system of Prasad and Geiger, wherein the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval to provide users with means for utilizing an operational decision management (ODM) module to permit automation of business decisions without compromising accuracy and (Ducray: abstract, pars. 0081).
Regarding claim 12, claim 12 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Prasad et al. (“Prasad,” US 2017/0244723, published Aug. 24, 2017) in view of Geiger et al. (“Geiger,” US 2020/0004589, filed Jun. 27, 2018), further in view of Thampy (“Thampy,” US 2019/0068627, published Feb. 28, 2019).
Regarding claim 6, the combination of Prasad and Miriyala teaches the system of claim 1.  Prasad and Geiger do not explicitly disclose generating a graphical user interface for monitoring access provisioning operations based on the grouped computing environment aspects for control and visibility associated with accessing the computing environments. 
However, in an analogous art, Thampy discloses cloud based security monitoring using unsupervised pattern recognition and deep learning, generating a graphical user interface for monitoring access provisioning operations based on the grouped computing environment aspects for control and visibility associated with accessing the computing environments (Thampy: par. 0311, a security monitoring and control system can provide interfaces, such as graphical interfaces, for monitoring patterns in usage of services in a computing environment).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Thampy with the method and system of Prasad and Geiger, wherein generating a graphical user interface for monitoring access provisioning operations based on the grouped computing environment aspects for control and visibility associated with accessing the computing environments to provide users with a means for collecting data from sources to provide a greater depth of visibility and better compliance coverage compared to conducting discovery operations using data from network devices (Thampy: abstract, par. 0066).
Regarding claim 13, claim 13 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is similar in scope to claim 6, and is therefore rejected under similar rationale.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
November 1st, 2021


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439