DETAILED ACTION
This Office Action is in response to the application 16/784,802 filed on 02/07/2020.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending in this application. Claims 1, 13, and 20 are independent.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 06/24/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement (IDS), submitted on 02/07/2020, Patent Application has been considered. However, Applicant did not submit any copy of The Non-Patent Literatures (NPL) that been included, and therefore, the Examiner was not able to consider them.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 20 is rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
As to claim 1, the claim calls for a system.  However, there is no hardware element found within the claimed system.  As recited in the body of the claim, the claimed system contains a metadata management commuting system consisting of (1) an authentication server and (2) n authorization serves the only system components.  The specification does not explicitly define any of the claimed servers to be implemented in at least partially in hardware.  One of ordinary skill in the art would understand that a server could be a server computer or a server software component (see The Authoritative Dictionary of IEEE Standards Terms, 7th Edition, published in 2000); See also Ex Parte Samayamantry (Appeal No. 2011-009967). 
 As the claimed system contains only software component, without any hardware element, the claim is directed to non-statutory subject matter.  The mere recitation of the machine, system or device in the preamble with an absence of a machine/hardware in the body of the claim fails to make the claim statutory under 35 USC 101. The nominal recitation to a "system" in the preamble does not limit the body of the claim as it only states the invention' s purpose or intended use; see Catalina Marketing Int'l, Inc., v. Coolsavings.com Inc., 289 F.3d 801,808 (Fed. Cir. 2002).   The Examiner respectfully suggests that the claim be further amended to positively recites at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Coffing (“Coffing,” US 2019/0273746, filed on 09/05/2019), in view of Jain et al (“Jain,” US 2018/0300471, published on 10/18/2018).
As to claim 1, Coffing teaches a computer implemented method (Coffing: pars 0009-0010, teach of a microservices-based architecture for identity and access management functions), comprising: 
receiving an access request made to a microservice from a requesting entity (Coffing: pars 0009-0011; Fig 1, a request is received from a user dive [i.e. requesting entity]at a microservices and a microgateway sidecar associated with each of the microservices for accessing service), requesting access to the microservice, along with an access token (Coffing: pars 0009-0011; Fig 1, the request for microservice includes a token associated with the request is enriched based on the context data and sent to at least one other microservice);
obtaining an identity [ ] from the access token (Coffing: pars 0009-0011, 0021-0024, end-user identity context passed to microservices. Applying token signing & verification, end-to-end identity and security functionality is provided via a variety of different microservices relating to identity and access management); 
identifying an access pattern used by the requesting entity to obtain the access token and request access to the microservice (Coffing: pars 0024, 0048, 0054, microservices is used with an intelligent authorization engine that uses behavioral machine learning/artificial intelligence to deliver continuous adaptive authentication, authorization, and relationship management between users/services/things. Such an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors. User access history logs is used to determine access patterns to protected resources by particular users and/or particular devices, as well as to identify resource access permissions previously granted to users along with relevant contextual factors based upon which such resource access permissions were granted. The user behavior information may include data representing a plurality of different user behavior metrics, including access patterns);
identifying permissions in an access policy, corresponding to the microservice, based on the identity of the requesting entity and the identified access pattern (Coffing: pars 0009, 0022-0024,  end-to-end identity and security functionality is provided  based on user identity , behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request); and
generating an authorization output indicative of an authorization determination with respect to the access request (Coffing: pars 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service).
Coffing does not explicitly teach an identity of the requesting entity from the access token.
However, in an analogous art, Jain teaches an identity of the requesting entity from the access token (Jain: pars 0009, 0058-0060, an access token is used by access authorization system that identifies the device identifiers associated with the device that has provided the access token) .
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jain with the method/system of Coffing for the benefit of providing a user with a means for using a token to identify a user device associated with user to control access policy and reduce risk and manage access system in a secure and efficient manner (Jain: pars 0009, 0058-0060). 
As to claim 2, the combination of Coffing and Jain teaches the computer implemented method of claim 1 and 
Coffing and Jain further teaches further comprising: before identifying permissions, validating the access token (Jain: pars 0066, 0093, 0133 token data is validated).
As to claim 3, the combination of Coffing and Jain teaches the computer implemented method of claim 2 
Coffing and Jain further teaches wherein validating the access token comprises: identifying access permissions corresponding to the access token; and validating that the requested access is included in the access permissions (Jain: pars 0066, 0093, 0133 determines if the access token data is still valid and if the subsequent access request data satisfies the rules of an access policy associated with the access token data. An access policy compliance analysis module configured to compare the access request data and the access token data to the access policy rules to determine if the access token data is valid and if the access request data satisfies the access policy rules).
As to claim 4, the combination of Coffing and Jain teaches the computer implemented method of claim 1 
Coffing and Jain further teaches wherein generating the authorization determination comprises: if the permissions identified from the access policy include the requested access, then generating the authorization output authorizing the access request (Coffing: pars 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service. Jain: pars 0006, 0009, 0066, 0093, 0133, the access authorization system controls access to protected data and services of a data management system using token and access token policy that defines access rules for accepting the access token. The access policy compliance analysis module configured to compare the access request data and the access token data to the access policy rules to determine if the access token data is valid and if the access request data satisfies the access policy rules).
As to claim 5, the combination of Coffing and Jain teaches the computer implemented method of claim 4 
Coffing and Jain further teaches wherein generating the authorization determination comprises: if the permissions identified from the access policy do not include the requested access, then generating the authorization output denying the access request (Coffing: pars 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service. Jain: pars 0006, 009, 0096, deny the access token based on access policy rules related to the access token).
As to claim 6, the combination of Coffing and Jain teaches the computer implemented method of claim 1 and 
Coffing and Jain further teaches further comprising: registering authentication metadata for the requesting entity and for the microservice with an authentication server; receiving, at the authentication server, an access token request from the requesting entity, requesting the access token; and issuing the access token from the authentication server to the requesting entity based on the authentication metadata (Jain: pars 0058, 0084, access token generation module generates access token after validating and authenticating user provided data. Then, provides the access token to the computing device of the user).
As to claim 7, the combination of Coffing and Jain teaches the computer implemented method of claim 1 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is an application that directly sent the access token to the microservice; and identifying the access pattern as a direct access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the application and the access pattern being a direct access pattern (Coffing: pars 0022-0023, 0027, 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service. Each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification).
As to claim 8, the combination of Coffing and Jain teaches the computer implemented method of claim 1 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is an application that sends the access token to an intermediate microservice that forwards the access token to the microservice; and identifying the access pattern as a protected forwarded access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the application and the access pattern being a protected forwarded access pattern (Coffing: pars 0022-0023, 0027, each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification).
As to claim 9, the combination of Coffing and Jain teaches the computer implemented method of claim 1 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is a service or microservice that obtains the access token without providing authentication for a specific set of permissions; and identifying the access pattern as a high privileged access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the service or microservice which comprises the requesting entity and the access pattern being a high privileged access pattern (Coffing: pars 0009, 0022-0024, each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification. End-to-end identity and security functionality is provided based on user identity, behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request).
As to claim 10, the combination of Coffing and Jain teaches the computer implemented method of claim 1 and 
Coffing and Jain further teaches further comprising: logging interaction information, including the access request, an identity of the microservice, the identity of the requesting entity, an indicator of the access pattern, the permissions, an access policy identifier, and the authorization output indicative of the authorization determination, in an interaction processing system (Coffing: pars 0009, 0022-0024, end-to-end identity and security functionality is  provided  based on user identity, behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request).
As to claim 11, the combination of Coffing and Jain teaches the computer implemented method of claim 10 and 
Coffing and Jain further teaches further comprising: generating a risk assessment model based on the logged interaction information, the risk assessment model being configured to identify a risk assessment level based on interaction information provided to the risk assessment model during a runtime operation (Coffing: pars 0009, 0022-0024,0048,  end-to-end identity and security functionality is  provided  based on user identity, behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request. Contextual information that may be used to further identify the user, the accessing device, and/or assess a risk level for a request to access a particular resource submitted from the user).
As to claim 12, the combination of Coffing and Jain teaches the computer implemented method of claim 11 and 
Coffing and Jain further teaches further comprising: generating a runtime risk assessment level with the risk assessment model, corresponding to the interaction information provided to the risk assessment model during the runtime operation; and returning risk assessment model with the authorization determination (Coffing: pars 0045,0048, 0052-0054, microservices is used with an intelligent authorization engine that uses behavioral machine learning/artificial intelligence to deliver continuous adaptive authentication, authorization, and relationship management between users/services/things. Such an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors. Risk profile includes dynamic risk value/level based various. Allows the system to make appropriate actions and/or mitigation process based on the value/level of the risk).
As to claim 13, Coffing teaches a computer system, comprising: one or more processors; and memory storing instructions which, when executed by the one or more processors causes the one or more processors to perform steps (Coffing: pars 0009-0010, 0056, teach of a microservices-based architecture for identity and access management functions) comprising: 
receiving an access request made to a microservice from a requesting entity (Coffing: pars 0009-0011; Fig 1, a request is received from a user dive [i.e. requesting entity]at a microservices and a microgateway sidecar associated with each of the microservices for accessing service), requesting access to the microservice, along with an access token (Coffing: pars 0009-0011; Fig 1, the request for microservice includes a token associated with the request is enriched based on the context data and sent to at least one other microservice); 
obtaining an identity [ ] from the access token (Coffing: pars 0009-0011, 0021-0024, end-user identity context passed to microservices. Applying token signing & verification, end-to-end identity and security functionality is provided via a variety of different microservices relating to identity and access management);
 identifying an access pattern used by the requesting entity to obtain the access token and request access to the microservice (Coffing: pars 0024, 0048, 0054, microservices is used with an intelligent authorization engine that uses behavioral machine learning/artificial intelligence to deliver continuous adaptive authentication, authorization, and relationship management between users/services/things. Such an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors. User access history logs is used to determine access patterns to protected resources by particular users and/or particular devices, as well as to identify resource access permissions previously granted to users along with relevant contextual factors based upon which such resource access permissions were granted. The user behavior information may include data representing a plurality of different user behavior metrics, including access patterns); 
identifying permissions in an access policy, corresponding to the microservice, based on the identity of the requesting entity and the identified access pattern (Coffing: pars 0009, 0022-0024,  end-to-end identity and security functionality is provided  based on user identity , behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request); and 
generating an authorization output indicative of an authorization determination with respect to the access request (Coffing: pars 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service).
Coffing does not explicitly teach an identity of the requesting entity from the access token.
However, in an analogous art, Jain teaches an identity of the requesting entity from the access token (Jain: pars 0009, 0058-0060, an access token is used by access authorization system that identifies the device identifiers associated with the device that has provided the access token) .
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jain with the method/system of Coffing for the benefit of providing a user with a means for using a token to identify a user device associated with user to control access policy and reduce risk and manage access system in a secure and efficient manner (Jain: pars 0009, 0058-0060). 
As to claim 14, the combination of Coffing and Jain teaches the computer system of claim 13 
Coffing and Jain further teaches wherein the instructions cause the one or more processors to perform steps further comprising: before identifying permissions, validating the access token (Jain: pars 0066, 0093, 0133 token data is validated).
As to claim 15, the combination of Coffing and Jain teaches the computer system of claim 14 
Coffing and Jain further teaches wherein validating the access token comprises: identifying access permissions corresponding to the access token; and validating that the requested access is included in the access permissions (Jain: pars 0066, 0093, 0133 determines if the access token data is still valid and if the subsequent access request data satisfies the rules of an access policy associated with the access token data. An access policy compliance analysis module configured to compare the access request data and the access token data to the access policy rules to determine if the access token data is valid and if the access request data satisfies the access policy rules).
As to claim 16, the combination of Coffing and Jain teaches the computer system of claim 13 
Coffing and Jain further teaches wherein generating the authorization determination comprises: if the permissions identified from the access policy include the requested access, then generating the authorization output authorizing the access request; and if the permissions identified from the access policy do not include the requested access, then generating the authorization output denying the access request (Coffing: pars 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service. Jain: pars 0006, 0009, 0066, 0093, 0133, the access authorization system controls access to protected data and services of a data management system using token and access token policy that defines access rules for accepting the access token. The access policy compliance analysis module configured to compare the access request data and the access token data to the access policy rules to determine if the access token data is valid and if the access request data satisfies the access policy rules).
As to claim 17, the combination of Coffing and Jain teaches the computer system of claim 13 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is an application that directly sent the access token to the microservice; and 
identifying the access pattern as a direct access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the application and the access pattern being a direct access pattern (Coffing: pars 0022-0023, 0027, 0045, 0052-0053, allow or deny access based on the authentication and access policy associated with the requested service. Each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification).
As to claim 18, the combination of Coffing and Jain teaches the computer system of claim 13 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is an application that sends the access token to an intermediate microservice that forwards the access token to the microservice; and identifying the access pattern as a protected forwarded access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the application and the access pattern being a protected forwarded access pattern (Coffing: pars 0022-0023, 0027, each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification).
As to claim 19, the combination of Coffing and Jain teaches the computer system of claim 13 
Coffing and Jain further teaches wherein identifying the access pattern comprises: identifying that the requesting entity to which the access token is issued is a service or microservice that obtains the access token without providing authentication for a specific set of permissions; and identifying the access pattern as a high privileged access pattern, and wherein identifying permissions in the access policy, corresponding to the application, comprises identifying the permissions in the access policy based on the identity of the service or microservice which comprises the requesting entity and the access pattern being a high privileged access pattern (Coffing: pars 0009, 0022-0024, each security sidecar that are installed automatically with each application microservice container, manage identity and access management functions as signing/verification. End-to-end identity and security functionality is provided based on user identity, behavior metrics, including access patterns, and a risk profile for the request based on the context data of the request).
As to claim 20, Coffing teaches a computing system, comprising: a metadata management computing system (Coffing: pars 0009-0010, teach of a microservices-based architecture for identity and access management functions);
an authentication server, disposed in the metadata management computing system, that serves a plurality of different sets of authentication metadata to a plurality of different microservices, each set of authentication metadata corresponding to a different microservice (Coffing: pars 0009-0011; Fig 1, a request is received from a user dive [i.e. requesting entity] at a microservices and a microgateway sidecar associated with each of the microservices for accessing service. The request for microservice includes a token associated with the request is enriched based on the context data and sent to at least one other microservice) and identifying [ ] corresponding microservice is permitted to authenticate, partitioned based on logical or physical partitions Coffing: pars 0024, 0048, 0054, microservices is used with an intelligent authorization engine that uses behavioral machine learning/artificial intelligence to deliver continuous adaptive authentication, authorization, and relationship management between users/services/things. Such an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors. User access history logs is used to determine access patterns to protected resources by particular users and/or particular devices, as well as to identify resource access permissions previously granted to users along with relevant contextual factors based upon which such resource[i.e. physical partition] access permissions were granted); and
an authorization server, disposed in the metadata management computing system, that serves a plurality of different sets of authorization policy metadata to a plurality of different microservices, each set of authorization policy metadata corresponding to a different microservice and identifying access permitted by the corresponding microservice by identifying permitted access in terms of permissions and access patterns and being partitioned based on logical or physical partitions Coffing: pars 0024, 0045, 0048, 0052-0054, the score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors. User access history logs is used to determine access patterns to protected resources by particular users and/or particular devices, as well as to identify resource access permissions previously granted to users along with relevant contextual factors based upon which such resource access permissions were granted. Allow or deny access based on the authentication and access policy associated with the requested service).
Coffing does not explicitly teach a context in which the corresponding microservice is permitted.
However, in an analogous art, Jain teaches a context in which the corresponding microservice is permitted (Jain: pars 0009, 0058-0060, an access token is used by access authorization system that identifies the device identifiers associated with the device that has provided the access token) .
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jain with the method/system of Coffing for the benefit of providing a user with a means for using a token to identify a user device associated with user to control access policy and reduce risk and manage access system in a secure and efficient manner (Jain: pars 0009, 0058-0060). 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355.  The examiner can normally be reached on 9:00- 5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application is obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications is obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAHANGIR KABIR/             Primary Examiner, Art Unit 2439