DETAILED ACTION
This Office Action is in response to the amendment filed 9/23/2021 to the application 16/286,240.
Claims 1-26 have been examined and are pending.  Claims 1, 13, and 20 are independent claims.  Claims 1, 13, and 20 have been amended.
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.  This Action is made FINAL.

Response to Arguments
Applicants’ arguments, see Applicant Arguments/Remarks Made in an Amendment, filed 11/02/2015, with respect to the rejections of claims 1-26 have been fully considered but are not persuasive.
Applicant argues as follows:  The action relies on paragraph 21 of Gilpin as teaching the claimed adjusting. The applicant respectfully disagrees.  In particular, paragraph 21 of Gilpin discloses spawning child resources from parent resources. In particular, paragraph 21 discloses that in such instances the “child resource receive, inherit and/or are subject to the same (or more restrictive sets of permissions).” For example, if the parent resource is “only allowed to communicate with particular IP addresses, then each spawned offspring resource 120-122 is similarly allowed to communicate only with the same or fewer defined IP addresses.”  By contrast, in amended claim 1, although the 
Examiner respectfully disagrees.  The independent claims remain rejected by Roche in view of Gilpin and Gavrila.  Gilpin discloses, in paragraph 0021, determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted and, in accordance with a determination that the first user’s role-based access settings propagated to the second sub-system are to be adjusted, adjusting the first user’s role-based access settings propagated to the second sub-system, where user group domain and user group membership encompass user-credential-based permissions comprising permissions that limit a computing resource's operation, and the first user’s role-based access settings encompass the child resources receiving, inheriting and/or being subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions possessed by the spawning resource (here, a parent resource) based on the user group domains being different between the first sub-system and the second sub-system.  Gavrila, in paragraphs 0078, 0123, and 0187, discloses such that the first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272 5368 to schedule an interview.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
Claims 1-4, 6, 11-13, 18-20, 25, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Roche (US9774586), filed August 31, 2015, in view of Gavrila (US20020026592), filed June 14, 2001, and Gilpin (US20170272449), filed March 21, 2017.
Regarding claim 1, Roche discloses a method for providing hybrid access control in a cloud-services computing environment, the method comprising:
at one or more computing systems operating in the cloud-services computing environment having one or more processors and memory (Roche, col. 1, lines 1-10, “In one embodiment, storage service module 140 may be part of an application or program that provides cloud storage services to a variety of clients, such as, for example, database software or content provider software.  Also note that cloud storage server 160 may host multiple applications or software that provide a variety of different services to clients.  The applications or software may be provided by a variety of application or software providers.  The applications or software may be configured based on their respective configurations or settings (e.g., access control settings).”);
obtaining access control settings associated with a hierarchical computing-resource system, wherein the access control settings include at least a first user’s role-based access settings with respect to a first sub-system of the hierarchical computing-resource system (Roche, col. 3, line 45, through col. 4, line 22, “Similarly, according to one embodiment, an application through which a user attempts to access a resource (i.e., first sub-system) may be associated with an application authorization profile (AAP).  An application authorization profile stores dynamic access control settings that are associated with that particular application.  The application authorization profile stores application roles and application privileges with which a user is entitled to access resources provided via the corresponding application.  When an AUTH token is generated, the user roles and user privileges defined therein are compared with the application roles and application privies defined in the corresponding application authorization profile (i.e., access control settings).  dynamic access control configurations that can be used to supersede or override the static access control settings, for example, temporarily for a period of time.  An application authorization profile, a tenant authorization profile, or a combination of both can be utilized for the purpose of dynamic configuration of access control.  A tenant also acts as the highest abstraction for allocating and tracking resource utilization by the tenant.  As used herein, a "resource" may refer to data such as a file, an object, a workflow, or a directory (i.e., example of a sub-system) of one or more files, objects, etc. As used herein, a tenant can be a business unit or a group of one or more users (e.g., a human resource department, a finance department, an information technology department, etc.) within an enterprise or corporation (e.g., Tenant A, Tenant B, Tenant C, etc.) (i.e., role).  A tenant can also refer to an enterprise (e.g., when a storage system/appliance is deployed by a service provider).  Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
propagating the access control settings from the first sub-system to a second subsystem of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”);
wherein the second sub-system is a child sub-system of the first sub-system (Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
(Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
wherein the user group domains include a first user group domain assigned to the first sub-system and a second user group domain assigned to the second sub-system (Roche, col. 16, line 62, through col. 17, line 28, “If there is at least one that does not match, authentication module 184 then denies access to the requesting user. In alternative embodiment, identity provider server 170 verifies the credentials of the user and forwards an external authentication of the user to authentication module 184.”);
based on the user group domains being different between the first sub-system and the second sub-system (Roche, col. 12, lines 20-27, “The credentials further contain a tenant identifier (ID) such as a tenant name (e.g., Tenant C), on which the requested access is to be performed. The credentials further include a domain ID such as a domain name (e.g. @DomainA, @DomainC, or @DomainIT) which identifies an identity source or identity provider (e.g., identity provider server 170 or local identity provider) associated with a particular tenant”; col. 30, lines 49-63, “For example, if a first user is associated with “Admin@TenantA” role 602, the first user is allowed to perform all the privileges in blocks 611-612 at “Tenant A” and “Tenant B” tenants (i.e., “Tenant B” is a child-tenant of “Tenant A”), while the first user is denied the privilege of {“privilege”:“Reseller’} in block 610 at “Tenant A” tenant.”).
Roche discloses based on the user group domains being different between the first sub-system and the second sub-system, but does not explicitly disclose obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; obtaining a group membership associated with the first user; such that the first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
However, in an analogous art, Gavrila discloses obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system (Gavrila, paragraph 0098, “Assumption 1.  A selected group of host computers compose a domain, controlled by one of the member hosts, called the domain controller.”);
obtaining a group membership associated with the first user (Gavrila, paragraph 0099, “Assumption 2.  One can define a user or group global with respect to a domain, in the sense that the group is recognized by each of the domain's member hosts.”; paragraph 0021, “defining and managing the abstract permissions further comprise creating, finding, retrieving, displaying, and deleting instances of a role on a host computer or set of host computers, using group nesting and a directed acyclic graph of role-membership inheritance; creating finding, retrieving, displaying, and deleting object instances of abstract objects on a host computer or set of host computers”; paragraph 0197, “(2) establishing a membership-inheritance relationship whereby the second role inherits the membership of the first”; paragraph 0075, “Rule 2.  If the role graph is based on membership-inheritance, u is a user assigned to role r, and r has an instance (group) on host system h, then u's instance (a user account) must be a member of r's instance.”);
such that the first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system (Gavrila, paragraph 0078, “The present invention provides, in one aspect, automatic distribution and revocation of permissions in RBAC systems that support selective and multiple instantiations of roles.”  Role-based access settings no longer allowing access to the second sub-system encompasses automatic revocation in RBAC systems that support selective instantiations of roles; paragraph 0123, “The object pointer lists (oidlist) of the roles specified in the default ACL entries must be updated to reflect the new access rights of those roles.”; paragraph 0187, “the remaining operating system and application groups are assigned different role identifiers”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavrila with the method/ host computing device/ non-transitory computer-readable storage medium of Roche to include obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; obtaining a group membership associated with the first user; such that the first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
One would have been motivated to provide users with the benefits of a method for the automatic distribution, review, and revocation of user and group permissions to objects through management of role permissions (Gavrila: paragraph 0019).
Roche and Gavrila disclose group domains and group membership and role based access settings, but do not explicitly disclose determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in accordance with a determination that the first user’s role-based access settings propagated to the second sub-system are to be adjusted, adjusting the first user’s role-based access settings propagated to the second sub-system.
However, in an analogous art, Gilpin discloses determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted (Gilpin, paragraph 0021, “In the present example, parent resource 110 may obtain (or otherwise be subject to) a set of permissions 140 based on the credentials of user 130 (e.g., based on a user's designated role in a role-based access control system, based on a user's credentials (e.g., a user identification and password combination), as well as other user-credential-based permissions sets (i.e. user group domain and user group membership) comprising permissions that limit a computing resource's operation, defining a given user's permitted access to and interaction with a given computing resource, wherein some user-based permissions are based on a user's role designation and/or identity, as established through user credentials).”);
in accordance with a determination that the first user’s role-based access settings propagated to the second sub-system are to be adjusted, adjusting the first user’s role-based access settings propagated to the second sub-system (Gilpin, paragraph 0021, “During operation of parent resource 110, child resources 120-122 may be spawned by parent resource 110 to provide desired or required operations within processing environment 105.  Permissions 140' are provided to each newly-spawned resource and are based on and are no broader than the permissions 140 initially obtained by the parent computing resource 110.  Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gilpin with the method/ host computing device/ non-transitory computer-readable storage medium of Roche and Gavrila to include determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in 
One would have been motivated to provide users with the benefits of providing permissions to spawned computing resources (Gilpin: paragraph 0005).
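The following Python sketch is added here as an illustration of the claim 1 steps as examined above (obtain role-based settings at a first sub-system, propagate them to a child sub-system, obtain the user group domains and the user's group membership, determine whether the propagated settings must be adjusted, and adjust so that access to the child is no longer allowed). It is not code from the application or from Roche, Gavrila, or Gilpin; the tenant tree, domains, users, and group names are constructed for the example.

```python
"""Hierarchical role-based access propagation with domain-based adjustment.

Constructed illustration of the claimed method; not code from the
application or the cited references.  Sub-systems form a parent/child tree
(tenants), each carrying an assigned user group domain.  A user's settings
at a parent are propagated to a child and then revoked when the child's
domain differs from the parent's and the user holds no group in it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SubSystem:
    """A node in the hierarchical computing-resource system (e.g. a tenant)."""
    name: str
    user_group_domain: str          # identity domain assigned to this node
    parent: Optional[str] = None    # name of the parent sub-system, if any


@dataclass(frozen=True)
class RoleSettings:
    """A user's role-based access settings with respect to one sub-system."""
    role: str
    privileges: FrozenSet[str]

    def allows_access(self) -> bool:
        return bool(self.privileges)


class HybridAccessControl:
    def __init__(self, subsystems, group_membership):
        self.subsystems: Dict[str, SubSystem] = {s.name: s for s in subsystems}
        # user -> groups the user belongs to, written "group@domain" (constructed)
        self.group_membership: Dict[str, FrozenSet[str]] = group_membership
        # (user, sub-system name) -> the user's settings at that sub-system
        self.settings: Dict[Tuple[str, str], RoleSettings] = {}

    def obtain_domains(self) -> Dict[str, str]:
        """User group domain assigned to each sub-system of the hierarchy."""
        return {n: s.user_group_domain for n, s in self.subsystems.items()}

    def grant(self, user: str, subsystem: str, settings: RoleSettings) -> None:
        self.settings[(user, subsystem)] = settings

    def propagate(self, user: str, parent: str, child: str) -> bool:
        """Copy the user's settings from `parent` to its child, then adjust.

        Returns True when the propagated settings were adjusted (revoked)."""
        if self.subsystems[child].parent != parent:
            raise ValueError(f"{child} is not a child of {parent}")
        src = self.settings[(user, parent)]
        self.settings[(user, child)] = RoleSettings(src.role, src.privileges)
        return self.adjust_if_needed(user, parent, child)

    def needs_adjustment(self, user: str, parent: str, child: str) -> bool:
        """Decide from the domains and the user's group membership."""
        domains = self.obtain_domains()
        if domains[parent] == domains[child]:
            return False            # same domain: inherited settings stand
        member_domains = {g.split("@", 1)[1]
                          for g in self.group_membership.get(user, frozenset())}
        return domains[child] not in member_domains

    def adjust_if_needed(self, user: str, parent: str, child: str) -> bool:
        if not self.needs_adjustment(user, parent, child):
            return False
        current = self.settings[(user, child)]
        # Adjust: keep the role label but revoke every propagated privilege.
        self.settings[(user, child)] = RoleSettings(current.role, frozenset())
        return True

    def request_access(self, user: str, subsystem: str, privilege: str) -> bool:
        """Deny when the (possibly adjusted) settings no longer allow access."""
        s = self.settings.get((user, subsystem))
        if s is None or not s.allows_access():
            return False
        return privilege in s.privileges


def run_example() -> Dict[Tuple[str, str, str], bool]:
    """Constructed sample: TenantA has children TenantB (same domain) and
    TenantC (different domain); alice holds a group only in DomainA, bob in
    both DomainA and DomainC."""
    tree = [
        SubSystem("TenantA", "DomainA"),
        SubSystem("TenantB", "DomainA", parent="TenantA"),
        SubSystem("TenantC", "DomainC", parent="TenantA"),
    ]
    membership = {
        "alice": frozenset({"admins@DomainA"}),
        "bob": frozenset({"admins@DomainA", "ops@DomainC"}),
    }
    hac = HybridAccessControl(tree, membership)
    results: Dict[Tuple[str, str, str], bool] = {}
    for user in ("alice", "bob"):
        hac.grant(user, "TenantA", RoleSettings("Admin", frozenset({"read", "write"})))
        results[(user, "TenantB", "adjusted")] = hac.propagate(user, "TenantA", "TenantB")
        results[(user, "TenantC", "adjusted")] = hac.propagate(user, "TenantA", "TenantC")
        results[(user, "TenantB", "read")] = hac.request_access(user, "TenantB", "read")
        results[(user, "TenantC", "read")] = hac.request_access(user, "TenantC", "read")
    return results


if __name__ == "__main__":
    for key, value in sorted(run_example().items()):
        print(key, value)
```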
Regarding claim 2, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Gilpin discloses wherein the first user’s role-based access settings with respect to the first sub-system comprises: a system administrator’s access settings; or a restricted user’s access settings (Gilpin, paragraph 0013, “Authorization controls access to resources in a given setting and permissions (e.g., rules and the like) governing such access can be created and applied by administrators and/or others.  Every user and host can possess specific permissions based on his/her/its role(s) and the permissions granted to such role(s).  Admins and/or the like can set up permissions models (e.g., creating user and host identities, organizing users into groups, organizing hosts into layers, granting permissions between users, hosts and resources).”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 3, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Gilpin discloses wherein the first sub-system is associated with a first hierarchy of the hierarchical computing-resource system; and wherein the second sub-system is associated with a second hierarchy of the hierarchical computing-resource system, the first hierarchy being a parent hierarchy of the second hierarchy (Gilpin, paragraph 0024, “Although only three generations of resource levels are illustrated in FIG. 1, it should be understood that any number of levels, generations, etc. of resources may spring from a parent resource.  For example, in some implementations, if a user initiates an application within a first virtual machine, the application may generate a second virtual machine (a "child resource"), which in turn then generates a third virtual machine (a "grandchild resource").  In such a situation the parent resource is a spawning resource, the child resource is both a spawned resource and a spawning resource, and the grandchild resource is a spawned resource.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 4, Roche, Gavrila, and Gilpin disclose the method of claim 3.  Gilpin discloses wherein propagating the access control settings from the first sub-system to the second sub-system comprises: determining a relation between the first sub-system and the second sub-system; and assigning, based on the determined relation between the first sub-system and the second sub-system, the first user’s role-based access settings with respect to the second sub-system (Gilpin, paragraph 0021, “During operation of parent resource 110, child resources 120-122 may be spawned by parent resource 110 [i.e., determining a relation between first sub-system and second sub-system encompasses a parent resource spawning child resources] to provide desired or required operations within processing environment 105.  In the present example, parent resource 110 may obtain (or otherwise be subject to) a set of permissions 140 based on the credentials of user 130 (e.g., based on a user's designated role in a role-based access control system, based on a user's credentials (e.g., a user identification and password combination), as well as other user-credential-based permissions sets comprising permissions that limit a computing resource's operation, defining a given user's permitted access to and interaction with a given computing resource, wherein some user-based permissions are based on a user's role designation and/or identity, as established through user credentials).”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 6, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Gilpin discloses wherein at least one sub-system of the plurality of sub-systems includes one or more of file systems, applications, and computing resources provided by one or more virtual machines (Gilpin, paragraph 0027, “As described in FIG. 1, a processing environment may include host computing systems with other switches, network access nodes, and routers to provide processing resources for end users who interact with the processing environment.  Processing resources can include one or more physical computing systems, one or more full operating system virtual machines, one or more containers, or some other physical or virtual resource.  These resources provide a platform for one or more user applications, systems, networks, or other operations.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 11, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Gilpin discloses wherein adjusting the first user’s role-based access settings propagated to the second sub-system comprises: revoking at least one of the first user’s access privileges with respect to the second subsystem (Gilpin, paragraph 0021, “Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions [i.e., revoking] possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network”; paragraph 0017, “As computing resources are initiated within a computing environment, permissions are provided to the initiated resources (e.g., to limit a given user's actions in connection with the initiated computing resource).  These permissions may include read, write, edit, run, revoke, create and delete actions with regard to disks, databases, applications, code and other computing resources, or any other similar permissions that might be associated with an initiating computing resource.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 12, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Gilpin discloses further comprising: receiving, from the first user, a request to access the second sub-system of the hierarchical computing-resource system (Gilpin, paragraph 0028, “To implement provision of permissions to spawned resources [i.e., second sub-system], method 200 includes initiating a first computing resource in connection with a first set of user permissions (202), for example a user-credential-based permissions set.  As part of initiating the first computing resource, user 130 may provide credentials and/or secret information (e.g., a username and password) associated with user 130, and responsively be provided with access to the desired computing resource [i.e., request to access second sub-system].”); determining, based on the adjusted first user’s role-based access settings with respect to the second sub-system, whether the first user’s access privileges with respect to the second subsystem are revoked (Gavrila, paragraph 0005, “RBAC (Role-Based Access Control) is intended to facilitate the management of permissions in large centralized and distributed operating systems, by distributing, reviewing, and revoking permissions for objects to roles rather than directly to individual users, and controlling users' permissions by granting or revoking them membership to appropriate roles.”); in accordance with a determination that the first user’s access privileges are revoked, denying the first user’s request to access the second sub-system (Gavrila, paragraph 0157, “Revoking all or some permissions on an abstract object ao from a user/role r is simple if one can get the current permissions of r on ao.  Indeed, all one has to do is to "and" the current permissions with the negation of permissions to be revoked, and then grant r the new permissions on ao.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 13, Roche discloses a host computing device operating in the cloud-services computing environment, the host computing device comprising: one or more processors; and memory storing one or more programs configured to be executed by the one or more processors, the one or more programs including instructions for (Roche, col. 34, lines 45-59, “Storage device 1908 may include computer-accessible storage medium 1909 (also known as a machine-readable storage medium or a computer-readable medium) on which is stored one or more sets of instructions or software (e.g., authorization/authentication module, module, unit, and/or logic 1928) embodying any one or more of the methodologies or functions described herein.  Authentication and authorization module/unit/logic 1928 may also reside, completely or at least partially, within memory 1903 and/or within processor 1901 during execution thereof by data processing system 1900, memory 1903 and processor 1901 also constituting machine-accessible storage media.”);
obtaining access control settings associated with a hierarchical computing-resource system, wherein the access control settings include at least a first user’s role-based access settings with respect to a first sub-system of the hierarchical computing-resource system (Roche, col. 3, line 45, through col. 4, line 22, “Similarly, according to one embodiment, an application through which a user attempts to access a resource (i.e., first sub-system) may be associated with an application authorization profile (AAP).  An application authorization profile stores dynamic access control settings that are associated with that particular application.  The application authorization profile stores application roles and application privileges with which a user is entitled to access resources provided via the corresponding application.  When an AUTH token is generated, the user roles and user privileges defined therein are compared with the application roles and application privies defined in the corresponding application authorization profile (i.e., access control settings).  dynamic access control configurations that can be used to supersede or override the static access control settings, for example, temporarily for a period of time.  An application authorization profile, a tenant authorization profile, or a combination of both can be utilized for the purpose of dynamic configuration of access control.  A tenant also acts as the highest abstraction for allocating and tracking resource utilization by the tenant.  As used herein, a "resource" may refer to data such as a file, an object, a workflow, or a directory (i.e., example of a sub-system) of one or more files, objects, etc. As used herein, a tenant can be a business unit or a group of one or more users (e.g., a human resource department, a finance department, an information technology department, etc.) within an enterprise or corporation (e.g., Tenant A, Tenant B, Tenant C, etc.) (i.e., role).  A tenant can also refer to an enterprise (e.g., when a storage system/appliance is deployed by a service provider).  Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
propagating the access control settings from the first sub-system to a second subsystem of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”);
wherein the second sub-system is a child sub-system of the first sub-system (Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system (Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
wherein the user group domains include a first user group domain assigned to the first sub-system and a second user group domain assigned to the second sub-system (Roche, col. 16, line 62, through col. 17, line 28, “If there is at least one that does not match, authentication module 184 then denies access to the requesting user. In alternative embodiment, identity provider server 170 verifies the credentials of the user and forwards an external authentication of the user to authentication module 184.”) ;
based on the user group domains being different between the first sub-system and the second sub-system (Roche, col. 12, lines 20-27, “The credentials further contain a tenant identifier (ID) such as a tenant name (e.g., Tenant C), on which the requested access is to be performed. The credentials further include a domain ID such as a domain name (e.g. @DomainA, @DomainC, or @DomainIT) which identifies an identity source or identity provider (e.g., identity provider server 170 or local identity provider) associated with a particular tenant”; col. 30, lines 49-63, “For example, if a first user is associated with “Admin@TenantA” role 602, the first user is allowed to perform all the privileges in blocks 611-612 at “Tenant A” and “Tenant B” tenants (i.e., “Tenant B” is a child-tenant of “Tenant A”), while the first user is denied the privilege of {“privilege”:“Reseller’} in block 610 at “Tenant A” tenant.”).
Roche discloses assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; based on the user group domains being different between the first sub-system and the second sub-system, but does not explicitly disclose obtaining user such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
However, in an analogous art, Gavrila discloses obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system (Gavrila, paragraph 0098, “Assumption 1.  A selected group of host computers compose a domain, controlled by one of the member hosts, called the domain controller.”);
obtaining a group membership associated with the first user (Gavrila, paragraph 0099, “Assumption 2.  One can define a user or group global with respect to a domain, in the sense that the group is recognized by each of the domain's member hosts.”; paragraph 0021, “defining and managing the abstract permissions further comprise creating, finding, retrieving, displaying, and deleting instances of a role on a host computer or set of host computers, using group nesting and a directed acyclic graph of role-membership inheritance; creating finding, retrieving, displaying, and deleting object instances of abstract objects on a host computer or set of host computers”; paragraph 0197, “(2) establishing a membership-inheritance relationship whereby the second role inherits the membership of the first”; paragraph 0075, “Rule 2.  If the role graph is based on membership-inheritance, u is a user assigned to role r, and r has an instance (group) on host system h, then u's instance (a user account) must be a member of r's instance.”);
such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system (Gavrila, paragraph 0078, “The present invention provides, in one aspect, automatic distribution and revocation of permissions in RBAC systems that support selective and multiple instantiations of roles.” Role-based access settings no longer allowing access to the second subsystem encompasses automatic revocation in RBAC systems that support selective instantiations of roles; paragraph 0123, “The object pointer lists (oidlist) of the roles specified in the default ACL entries must be updated to reflect the new access rights of those roles.”; paragraph 0187, “the remaining operating system and application groups are assigned different role identifiers”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavrila with the method/ host computing device/ non-transitory computer-readable storage medium of Roche to include obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
(Gavrila: paragraph 0019).
Roche and Gavrila disclose group domains and group membership and role based access settings, but do not explicitly disclose determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in accordance with a determination that the first user’s role-based access settings propagated to the second sub-system are to be adjusted, adjusting the first user’s role-based access settings propagated to the second sub-system.
However, in an analogous art, Gilpin discloses determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted (Gilpin, paragraph 0021, “In the present example, parent resource 110 may obtain (or otherwise be subject to) a set of permissions 140 based on the credentials of user 130 (e.g., based on a user's designated role in a role-based access control system, based on a user's credentials (e.g., a user identification and password combination), as well as other user-credential-based permissions sets (i.e. user group domain and user group membership) comprising permissions that limit a computing resource's operation, defining a given user's permitted access to and interaction with a given computing resource, wherein some user-based permissions are based on a user's role designation and/or identity, as established through user credentials).”);
(Gilpin, paragraph 0021, “During operation of parent resource 110, child resources 120-122 may be spawned by parent resource 110 to provide desired or required operations within processing environment 105.  Permissions 140' are provided to each newly-spawned resource and are based on and are no broader than the permissions 140 initially obtained by the parent computing resource 110.  Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gilpin with the method/ host computing device/ non-transitory computer-readable storage medium of Roche and Gavrila to include determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in accordance with a determination that the first user’s role-based access settings propagated 
One would have been motivated to provide users with the benefits of providing permissions to spawned computing resources (Gilpin: paragraph 0005).
Regarding claim 18, Roche, Gavrila, and Gilpin disclose the host computing device of claim 13.  Gilpin discloses wherein adjusting the first user’s role-based access settings propagated to the second sub-system comprises: revoking at least one of the first user’s access privileges with respect to the second subsystem (Gilpin, paragraph 0021, “Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions [i.e., revoking] possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network”; paragraph 0017, “As computing resources are initiated within a computing environment, permissions are provided to the initiated resources (e.g., to limit a given user's actions in connection with the initiated computing resource).  These permissions may include read, write, edit, run, revoke, create and delete actions with regard to disks, databases, applications, code and other computing resources, or any other similar permissions that might be associated with an initiating computing resource.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 19, Roche, Gavrila, and Gilpin disclose the host computing device of claim 13.  Gilpin discloses wherein the one or more programs include further instructions for: receiving, from the first user, a request to access the second sub-system of the hierarchical computing-resource system (Gilpin, paragraph 0028, “To implement provision of permissions to spawned resources [i.e., second sub-system], method 200 includes initiating a first computing resource in connection with a first set of user permissions (202), for example a user-credential-based permissions set.  As part of initiating the first computing resource, user 130 may provide credentials and/or secret information (e.g., a username and password) associated with user 130, and responsively be provided with access to the desired computing resource [i.e., request to access second sub-system].”).  Gilpin discloses determining, based on the adjusted first user’s role-based access settings with respect to the second sub-system, whether the first user’s access privileges with respect to the second subsystem are revoked (Gavrila, paragraph 0005, “RBAC (Role-Based Access Control) is intended to facilitate the management of permissions in large centralized and distributed operating systems, by distributing, reviewing, and revoking permissions for objects to roles rather than directly to individual users, and controlling users' permissions by granting or revoking them membership to appropriate roles.”; paragraph 0157, “Revoking all or some permissions on an abstract object ao from a user/role r is simple if one can get the current permissions of r on ao.  Indeed, all one has to do is to "and" the current permissions with the negation of permissions to be revoked, and then grant r the new permissions on ao.”); in accordance with a determination that the first user’s access privileges are revoked, denying the first user’s request to access the second sub-system (Gavrila, paragraph 0005, “RBAC (Role-Based Access Control) is intended to facilitate the management of permissions in large centralized and distributed operating systems, by distributing, reviewing, and revoking permissions for objects to roles rather than directly to individual users, and controlling users' permissions by granting or revoking them membership to appropriate roles.”; paragraph 0157, “Revoking all or some permissions on an abstract object ao from a user/role r is simple if one can get the current permissions of r on ao.  Indeed, all one has to do is to "and" the current permissions with the negation of permissions to be revoked, and then grant r the new permissions on ao.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 20, Roche discloses a non-transitory computer-readable storage medium storing one or more programs configured to be executed by a host computing device operating in a cloud-services computing environment having one or more processors and memory, the one or more programs including instructions for (Roche, col. 34, lines 45-59, “Storage device 1908 may include computer-accessible storage medium 1909 (also known as a machine-readable storage medium or a computer-readable medium) on which is stored one or more sets of instructions or software (e.g., authorization/authentication module, module, unit, and/or logic 1928) embodying any one or more of the methodologies or functions described herein.  Authentication and authorization module/unit/logic 1928 may also reside, completely or at least partially, within memory 1903 and/or within processor 1901 during execution thereof by data processing system 1900, memory 1903 and processor 1901 also constituting machine-accessible storage media.”);
(Roche, col. 3, line 45, through col. 4, line 22, “Similarly, according to one embodiment, an application through which a user attempts to access a resource (i.e., first sub-system) may be associated with an application authorization profile (AAP).  An application authorization profile stores dynamic access control settings that are associated with that particular application.  The application authorization profile stores application roles and application privileges with which a user is entitled to access resources provided via the corresponding application.  When an AUTH token is generated, the user roles and user privileges defined therein are compared with the application roles and application privies defined in the corresponding application authorization profile (i.e., access control settings).  dynamic access control configurations that can be used to supersede or override the static access control settings, for example, temporarily for a period of time.  An application authorization profile, a tenant authorization profile, or a combination of both can be utilized for the purpose of dynamic configuration of access control.  A tenant also acts as the highest abstraction for allocating and tracking resource utilization by the tenant.  As used herein, a "resource" may refer to data such as a file, an object, a workflow, or a directory (i.e., example of a sub-system) of one or more files, objects, etc. As used herein, a tenant can be a business unit or a group of one or more users (e.g., a human resource department, a finance department, an information technology department, etc.) within an enterprise or corporation (e.g., Tenant A, Tenant B, Tenant C, etc.). (i.e., role)  A tenant can also refer to an enterprise (e.g., when a storage system/appliance is deployed by a service provider).  Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
propagating the access control settings from the first sub-system to a second subsystem of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”);
wherein the second sub-system is a child sub-system of the first sub-system (Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system (Roche, col. 4, lines 1-22, “Note that these tenants may also have parent and/or child tenants, which create/define "tree" hierarchies for the tenants in the multi-tenant environment.”);
wherein the user group domains include a first user group domain assigned to the first sub-system and a second user group domain assigned to the second sub-system (Roche, col. 16, line 62, through col. 17, line 28, “If there is at least one that does not match, authentication module 184 then denies access to the requesting user. In alternative embodiment, identity provider server 170 verifies the credentials of the user and forwards an external authentication of the user to authentication module 184.”);
based on the user group domains being different between the first sub-system and the second sub-system (Roche, col. 12, lines 20-27, “The credentials further contain a tenant identifier (ID) such as a tenant name (e.g., Tenant C), on which the requested access is to be performed. The credentials further include a domain ID such as a domain name (e.g. @DomainA, @DomainC, or @DomainIT) which identifies an identity source or identity provider (e.g., identity provider server 170 or local identity provider) associated with a particular tenant”; col. 30, lines 49-63, “For example, if a first user is associated with “Admin@TenantA” role 602, the first user is allowed to perform all the privileges in blocks 611-612 at “Tenant A” and “Tenant B” tenants (i.e., “Tenant B” is a child-tenant of “Tenant A”), while the first user is denied the privilege of {“privilege”:“Reseller’} in block 610 at “Tenant A” tenant.”).
Roche discloses assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; based on the user group domains being different between the first sub-system and the second sub-system, but does not explicitly disclose obtaining user such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
However, in an analogous art, Gavrila discloses obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system (Gavrila, paragraph 0098, “Assumption 1.  A selected group of host computers compose a domain, controlled by one of the member hosts, called the domain controller.”);
obtaining a group membership associated with the first user (Gavrila, paragraph 0099, “Assumption 2.  One can define a user or group global with respect to a domain, in the sense that the group is recognized by each of the domain's member hosts.”; paragraph 0021, “defining and managing the abstract permissions further comprise creating, finding, retrieving, displaying, and deleting instances of a role on a host computer or set of host computers, using group nesting and a directed acyclic graph of role-membership inheritance; creating finding, retrieving, displaying, and deleting object instances of abstract objects on a host computer or set of host computers”; paragraph 0197, “(2) establishing a membership-inheritance relationship whereby the second role inherits the membership of the first”; paragraph 0075, “Rule 2.  If the role graph is based on membership-inheritance, u is a user assigned to role r, and r has an instance (group) on host system h, then u's instance (a user account) must be a member of r's instance.”);
such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system (Gavrila, paragraph 0078, “The present invention provides, in one aspect, automatic distribution and revocation of permissions in RBAC systems that support selective and multiple instantiations of roles.” Role-based access settings no longer allowing access to the second subsystem encompasses automatic revocation in RBAC systems that support selective instantiations of roles; paragraph 0123, “The object pointer lists (oidlist) of the roles specified in the default ACL entries must be updated to reflect the new access rights of those roles.”; paragraph 0187, “the remaining operating system and application groups are assigned different role identifiers”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavrila with the method/ host computing device/ non-transitory computer-readable storage medium of Roche to include obtaining user group domains assigned to a plurality of sub-systems of the hierarchical computing-resource system, the plurality of sub-systems including the first sub-system and the second sub-system; obtaining a group membership associated with the first user; such that first user’s role-based access settings no longer allow access to the second sub-system based on the user group domains being different between the first sub-system and the second sub-system.
(Gavrila: paragraph 0019).
Roche and Gavrila disclose group domains and group membership and role based access settings, but do not explicitly disclose determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in accordance with a determination that the first user’s role-based access settings propagated to the second sub-system are to be adjusted, adjusting the first user’s role-based access settings propagated to the second sub-system.
However, in an analogous art, Gilpin discloses determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted (Gilpin, paragraph 0021, “In the present example, parent resource 110 may obtain (or otherwise be subject to) a set of permissions 140 based on the credentials of user 130 (e.g., based on a user's designated role in a role-based access control system, based on a user's credentials (e.g., a user identification and password combination), as well as other user-credential-based permissions sets (i.e. user group domain and user group membership) comprising permissions that limit a computing resource's operation, defining a given user's permitted access to and interaction with a given computing resource, wherein some user-based permissions are based on a user's role designation and/or identity, as established through user credentials).”);
(Gilpin, paragraph 0021, “During operation of parent resource 110, child resources 120-122 may be spawned by parent resource 110 to provide desired or required operations within processing environment 105.  Permissions 140' are provided to each newly-spawned resource and are based on and are no broader than the permissions 140 initially obtained by the parent computing resource 110.  Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gilpin with the method/ host computing device/ non-transitory computer-readable storage medium of Roche and Gavrila to include determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted; and in accordance with a determination that the first user’s role-based access settings propagated 
One would have been motivated to provide users with the benefits of providing permissions to spawned computing resources (Gilpin: paragraph 0005).
Regarding claim 25, Roche, Gavrila, and Gilpin disclose the computer-readable storage medium of claim 20.  Gilpin discloses wherein adjusting the first user’s role-based access settings propagated to the second sub-system comprises: revoking at least one of the first user’s access privileges with respect to the second subsystem (Gilpin, paragraph 0021, “Accordingly, when parent resource 110 spawns new child resources 120-122, the child resources receive, inherit and/or are subject to the same (or more restrictive) sets of permissions, designated as permission set(s) 140' in FIG. 1.  Restricting permissions utilized by a spawned resource (e.g., a child resource) to the same or narrower permissions [i.e., revoking] possessed by the spawning resource (here, a parent resource) prevents spawned resources from improperly accessing, creating, modifying, deleting and/or otherwise interacting with other resources on the same network and/or other resources external to the network”; paragraph 0017, “As computing resources are initiated within a computing environment, permissions are provided to the initiated resources (e.g., to limit a given user's actions in connection with the initiated computing resource).  These permissions may include read, write, edit, run, revoke, create and delete actions with regard to disks, databases, applications, code and other computing resources, or any other similar permissions that might be associated with an initiating computing resource.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 26, Roche, Gavrila, and Gilpin disclose the computer-readable storage medium of claim 20.  Gilpin discloses wherein the one or more programs include further instructions for: receiving, from the first user, a request to access the second sub-system of the hierarchical computing-resource system (Gilpin, paragraph 0028, “To implement provision of permissions to spawned resources [i.e., second sub-system], method 200 includes initiating a first computing resource in connection with a first set of user permissions (202), for example a user-credential-based permissions set.  As part of initiating the first computing resource, user 130 may provide credentials and/or secret information (e.g., a username and password) associated with user 130, and responsively be provided with access to the desired computing resource [i.e., request to access second sub-system].”).  Gavrila discloses determining, based on the adjusted first user’s role-based access settings with respect to the second sub-system, whether the first user’s access privileges with respect to the second subsystem are revoked (Gavrila, paragraph 0005, “RBAC (Role-Based Access Control) is intended to facilitate the management of permissions in large centralized and distributed operating systems, by distributing, reviewing, and revoking permissions for objects to roles rather than directly to individual users, and controlling users' permissions by granting or revoking them membership to appropriate roles.”; paragraph 0157, “Revoking all or some permissions on an abstract object ao from a user/role r is simple if one can get the current permissions of r on ao.  Indeed, all one has to do is to "and" the current permissions with the negation of permissions to be revoked, and then grant r the new permissions on ao.”); in accordance with a determination that the first user’s access privileges are revoked, denying the first user’s request to access the second sub-system (Gavrila, paragraph 0005, “RBAC (Role-Based Access Control) is intended to facilitate the management of permissions in large centralized and distributed operating systems, by distributing, reviewing, and revoking permissions for objects to roles rather than directly to individual users, and controlling users' permissions by granting or revoking them membership to appropriate roles.”; paragraph 0157, “Revoking all or some permissions on an abstract object ao from a user/role r is simple if one can get the current permissions of r on ao.  Indeed, all one has to do is to "and" the current permissions with the negation of permissions to be revoked, and then grant r the new permissions on ao.”). The motivation is the same as that of the claim from which this claim depends.
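The rejections of claims 1, 13 and 20 and of dependent claims 18, 19, 25 and 26 rest on three teachings read together: access control settings propagated from a parent tenant to a child tenant (Roche), propagated permissions that are never broader than the parent's (Gilpin, paragraph 0021), and revocation by AND-ing the current permissions with the negation of the revoked ones, followed by denial of a request whose privileges were revoked (Gavrila, paragraphs 0005 and 0157). The following is an added example that is not part of the office action and is not code from Roche, Gavrila or Gilpin; every name in it (Perm, SubSystem, propagate, adjust, revoke, request_access) and the tenant, domain and user values are constructed for illustration.

```python
"""Constructed model: role-based settings propagated down a tenant hierarchy,
narrowed to the parent's permissions, adjusted when the user group domain of the
child differs from the parent's, and revoked with AND-of-negation.

All names and sample data are hypothetical; nothing here comes from the cited
references.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, Optional, Set


class Perm(IntFlag):
    """Permission bits of the kind the Gilpin quote lists (read, write, edit, ...)."""
    NONE = 0
    READ = 1
    WRITE = 2
    EDIT = 4
    RUN = 8
    CREATE = 16
    DELETE = 32


@dataclass
class SubSystem:
    name: str
    domain: str                                  # user group domain assigned to it
    parent: Optional[SubSystem] = None           # None marks the root sub-system
    settings: Dict[str, Perm] = field(default_factory=dict)  # user -> effective perms


def revoke(current: Perm, to_revoke: Perm) -> Perm:
    """AND the current permissions with the negation of those to be revoked."""
    return Perm(int(current) & ~int(to_revoke))


def propagate(first: SubSystem, second: SubSystem, user: str,
              narrow_to: Optional[Perm] = None) -> Perm:
    """Propagate the user's settings from parent to child.

    The child receives the same set, or the intersection with narrow_to when
    given; an intersection can never be broader than what the parent holds.
    """
    assert second.parent is first, "second must be a child sub-system of first"
    inherited = first.settings.get(user, Perm.NONE)
    second.settings[user] = inherited if narrow_to is None else inherited & narrow_to
    return second.settings[user]


def adjust(first: SubSystem, second: SubSystem, user: str,
           membership: Dict[str, Set[str]]) -> bool:
    """Decide whether the propagated settings must be adjusted, and adjust them.

    The settings are adjusted (every propagated bit revoked) when the two
    sub-systems carry different user group domains and the user's group
    membership does not cover the child's domain. Returns True if adjusted.
    """
    if first.domain == second.domain:
        return False
    if second.domain in membership.get(user, set()):
        return False
    current = second.settings.get(user, Perm.NONE)
    second.settings[user] = revoke(current, current)   # revoke everything
    return True


def request_access(sub: SubSystem, user: str, needed: Perm) -> bool:
    """Grant only if every requested bit survives in the user's settings here."""
    granted = sub.settings.get(user, Perm.NONE)
    return (granted & needed) == needed


def demo() -> Dict[str, object]:
    # Constructed hierarchy: TenantA (root, DomainA) -> TenantB (child, DomainB)
    tenant_a = SubSystem("TenantA", "DomainA")
    tenant_b = SubSystem("TenantB", "DomainB", parent=tenant_a)
    # Constructed group membership: alice belongs only to DomainA, bob to both
    membership = {"alice": {"DomainA"}, "bob": {"DomainA", "DomainB"}}

    tenant_a.settings["alice"] = Perm.READ | Perm.WRITE | Perm.RUN
    tenant_a.settings["bob"] = Perm.READ | Perm.WRITE
    for user in ("alice", "bob"):
        propagate(tenant_a, tenant_b, user)

    adjusted = {u: adjust(tenant_a, tenant_b, u, membership) for u in ("alice", "bob")}
    # Partial revocation of a single privilege on the child for bob
    tenant_b.settings["bob"] = revoke(tenant_b.settings["bob"], Perm.WRITE)

    return {
        "adjusted": adjusted,
        "alice_read_b": request_access(tenant_b, "alice", Perm.READ),
        "bob_read_b": request_access(tenant_b, "bob", Perm.READ),
        "bob_write_b": request_access(tenant_b, "bob", Perm.WRITE),
        "bob_write_a": request_access(tenant_a, "bob", Perm.WRITE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed run, alice's settings propagated to TenantB are adjusted because the domains differ and her membership does not include DomainB, so her read request on TenantB is denied; bob's are not adjusted, and the later revocation of WRITE on TenantB leaves his READ intact on the child and his WRITE intact on the parent. The `revoke` helper is the AND-with-negation rule quoted from Gavrila expressed on permission bits.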
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Roche (US9774586), filed August 31, 2015, in view of Gavrila (US20020026592), filed June 14, 2001, and Gilpin (US20170272449), filed March 21, 2017, and further in view of Chao (US6330567), filed August 13, 1998.
Regarding claim 5, Roche, Gavrila, and Gilpin disclose the method of claim 1.
Roche, Gavrila, and Gilpin do not explicitly disclose wherein the first sub-system is a root sub-system associated with a hierarchy that has no parent hierarchy.
However, in an analogous art, Chao discloses wherein the first sub-system is a root sub-system associated with a hierarchy that has no parent hierarchy (Chao, col. 3, lines 10-27, “The root directory "ROOT" is at the top of the hierarchy of directories and therefore does not have a parent directory.  Its parent directory pointer 60 is thus zero.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chao with the 
One would have been motivated to provide users with the benefits of rapidly locating files or their file paths (Chao: col. 1, lines 44-47).
Claims 7-9, 14-16, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Roche (US9774586), filed August 31, 2015, in view of Gavrila (US20020026592), filed June 14, 2001, and Gilpin (US20170272449), filed March 21, 2017, and further in view of Wright (US20050177377), filed July 19, 2004.
Regarding claim 7, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Roche discloses wherein obtaining user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system comprises: receiving domain data representing the user group domains associated with the hierarchical computing-resource system (Roche, col. 26, lines 38-58, “Token 510 represents an AUTH token associated with a specific user, where token 510 may be a root parent object or a placeholder linking with other objects that define the attributes or parameters of the token.  For example, tenant 520 includes information defining a particular tenant, which is defined by a specific tenant ID.  Role 530 includes information defining a specific role.  User 550 includes information defining a specific user.  Domain 580 includes information defining a particular domain.  User group 560 includes information defining a particular user group.”).  The motivation is the same as that of the claim from which this claim depends.

However, in an analogous art, Wright discloses annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright with the method/ host computing device/ non-transitory computer-readable storage medium of Roche, Gavrila, and Gilpin to include annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data.
One would have been motivated to provide users with the benefits of additional enforcement of design rules within the data tables, e.g. inheritance (Wright: paragraph 0091).
Regarding claim 8, Roche, Gavrila, Gilpin, and Wright disclose the method of claim 7.  Wright discloses wherein annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data comprises (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”);  annotating the first sub-system of the hierarchical computing-resource system with a first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”);  annotating the second sub-system of the hierarchical computing-resource system with a second user group domain, the second user group domain being different from the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 9, Roche, Gavrila, Gilpin, and Wright disclose the method of claim 8.  Roche discloses wherein the first user group domain includes a plurality of sub-user group domains, further comprising: propagating the access control settings from the first sub-system to one or more additional sub-systems of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”).  Gilpin discloses determining, based on the access control settings propagated to the one or more additional sub-systems, the first user’s role-based access settings with respect to the one or more additional sub-systems (Gilpin, paragraph 0033, “Although some implementations provide identical permissions to spawned resources, it should be understood that the permissions provided to spawned resources may comprise any set of permissions that doesn't exceed scope of permissions provided to the spawning parent resource.  
For example, if parent resource 110 has permission to read from a particular data storage drive on a host computing system, then spawned computing resources 120-122 can be restricted via provided permissions to either no access to the same storage drive, or to read-only access the data storage drive that is equivalent to the permission held by spawning parent resource 110.  However, spawned child resources 120-122 cannot be provided with read and write access to the data storage drive via permissions that would exceed the scope of the spawning computing resource's permissions.”).  Wright discloses annotating the one or more additional sub-systems with the corresponding sub-user group domains of the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); determining, based on the annotations of the one or more additional sub-systems and based on the group membership associated with the first user, whether the first user’s role-based access settings with respect to the one or more additional sub-systems are to be adjusted (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 14, Roche, Gavrila, and Gilpin disclose the host computing device of claim 13.  Roche discloses wherein obtaining user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system comprises: receiving domain data representing the user group domains associated with the hierarchical computing-resource system (Roche, col. 26, lines 38-58, “Token 510 represents an AUTH token associated with a specific user, where token 510 may be a root parent object or a placeholder linking with other objects that define the attributes or parameters of the token.  For example, tenant 520 includes information defining a particular tenant, which is defined by a specific tenant ID.  Role 530 includes information defining a specific role.  User 550 includes information defining a specific user.  Domain 580 includes information defining a particular domain.  User group 560 includes information defining a particular user group.”).  The motivation is the same as that of the claim from which this claim depends.
Roche, Gavrila, and Gilpin do not explicitly disclose annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data.
However, in an analogous art, Wright discloses annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright with the method/ host computing device/ non-transitory computer-readable storage medium of Roche, Gavrila, and Gilpin to include annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data.
One would have been motivated to provide users with the benefits of additional enforcement of design rules within the data tables, e.g. inheritance (Wright: paragraph 0091).
Regarding claim 15, Roche, Gavrila, Gilpin, and Wright disclose the host computing device of claim 14, wherein annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data comprises (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); annotating the first sub-system of the hierarchical computing-resource system with a first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); annotating the second sub-system of the hierarchical computing-resource system with a second user group domain, the second user group domain being different from the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  The motivation is the same as that of the claim from which this claim depends.  
Regarding claim 16, Roche, Gavrila, Gilpin, and Wright disclose the host computing device of claim 15.  Roche discloses wherein the first user group domain includes a plurality of sub-user group domains, further comprising: propagating the access control settings from the first sub-system to one or more additional sub-systems of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”).  Gilpin discloses determining, based on the access control settings propagated to the one or more additional sub-systems, the first user’s role-based access settings with respect to the one or more additional sub-systems (Gilpin, paragraph 0033, “Although some implementations provide identical permissions to spawned resources, it should be understood that the permissions provided to spawned resources may comprise any set of permissions that doesn't exceed scope of permissions provided to the spawning parent resource.  
For example, if parent resource 110 has permission to read from a particular data storage drive on a host computing system, then spawned computing resources 120-122 can be restricted via provided permissions to either no access to the same storage drive, or to read-only access the data storage drive that is equivalent to the permission held by spawning parent resource 110.  However, spawned child resources 120-122 cannot be provided with read and write access to the data storage drive via permissions that would exceed the scope of the spawning computing resource's permissions.”).  Wright discloses annotating the one or more additional sub-systems with the corresponding sub-user group domains of the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); determining, based on the annotations of the one or more additional sub-systems and based on the group membership associated with the first user, whether the first user’s role-based access settings with respect to the one or more additional sub-systems are to be adjusted (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 21, Roche, Gavrila, and Gilpin disclose the computer-readable storage medium of claim 14.  Roche discloses wherein obtaining user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system comprises: receiving domain data representing the user group domains associated with the hierarchical computing-resource system (Roche, col. 26, lines 38-58, “Token 510 represents an AUTH token associated with a specific user, where token 510 may be a root parent object or a placeholder linking with other objects that define the attributes or parameters of the token.  For example, tenant 520 includes information defining a particular tenant, which is defined by a specific tenant ID.  Role 530 includes information defining a specific role.  User 550 includes information defining a specific user.  Domain 580 includes information defining a particular domain.  User group 560 includes information defining a particular user group.”).  The motivation is the same as that of the claim from which this claim depends.
Roche, Gavrila, and Gilpin do not explicitly disclose annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data.
However, in an analogous art, Wright discloses annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright with the method/ host computing device/ non-transitory computer-readable storage medium of Roche, Gavrila, and Gilpin to include annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data.
One would have been motivated to provide users with the benefits of additional enforcement of design rules within the data tables, e.g. inheritance (Wright: paragraph 0091).
Regarding claim 22, Roche, Gavrila, Gilpin, and Wright disclose the computer-readable storage medium of claim 21.  Wright discloses wherein annotating the plurality of sub-systems of the hierarchical computing-resource system with the domain data comprises (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); annotating the first sub-system of the hierarchical computing-resource system with a first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); annotating the second sub-system of the hierarchical computing-resource system with a second user group domain, the second user group domain being different from the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 23, Roche, Gavrila, Gilpin, and Wright disclose the computer-readable storage medium of claim 22.  Roche discloses wherein the first user group domain includes a plurality of sub-user group domains, further comprising: propagating the access control settings from the first sub-system to one or more additional sub-systems of the hierarchical computing-resource system (Roche, col. 3, lines 16-38, “In addition, according to one embodiment, for each of the tenant, a corresponding tenant authorization profile (TAP, also referred to as a tenant policy profile or TPP) is accessed, where the tenant authorization profile stores a set of access control rules or settings that have been dynamically configured by an administrator associated with the corresponding tenant (i.e., propagating access control).  Such settings may be referred to as dynamic settings or temporary settings intended to be valid for a relatively short period of time.  The dynamic settings in a tenant authorization profile are dynamically configured at a point in time after the corresponding static settings have been configured.  The dynamic settings may be used to substitute or override the static settings temporarily.  In one embodiment, for a static setting that matches a dynamic setting, the corresponding attributes or properties of the dynamic settings are used in lieu of the static counterparts.”).  Gilpin discloses determining, based on the access control settings propagated to the one or more additional sub-systems, the first user’s role-based access settings with respect to the one or more additional sub-systems (Gilpin, paragraph 0033, “Although some implementations provide identical permissions to spawned resources, it should be understood that the permissions provided to spawned resources may comprise any set of permissions that doesn't exceed scope of permissions provided to the spawning parent resource.  
For example, if parent resource 110 has permission to read from a particular data storage drive on a host computing system, then spawned computing resources 120-122 can be restricted via provided permissions to either no access to the same storage drive, or to read-only access the data storage drive that is equivalent to the permission held by spawning parent resource 110.  However, spawned child resources 120-122 cannot be provided with read and write access to the data storage drive via permissions that would exceed the scope of the spawning computing resource's permissions.”).  Wright discloses annotating the one or more additional sub-systems with the corresponding sub-user group domains of the first user group domain (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”); determining, based on the annotations of the one or more additional sub-systems and based on the group membership associated with the first user, whether the first user’s role-based access settings with respect to the one or more additional sub-systems are to be adjusted (Wright, paragraph 0091, “The USS maximises reuse across subsystems of data and functionality associated with Core and Domain layers of specialisation in IMSS.  The fields associated with classes in the subsystem definition tables may be annotated to indicate whether the field relates "Core", a particular "Domain", or "Concrete".  This is useful information and allows some additional enforcement of design rules within the data tables, e.g. inheritance.”).  
The motivation is the same as that of the claim from which this claim depends.
Claims 10, 17, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Roche (US9774586), filed August 31, 2015, in view of Gavrila (US20020026592), filed June 14, 2001, and Gilpin (US20170272449), filed March 21, 2017, and further in view of Horn (US20120100852), filed April 25, 2011.
Regarding claim 10, Roche, Gavrila, and Gilpin disclose the method of claim 1.  Roche discloses wherein determining whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted comprises: determining, based on the user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system, a user group domain of the second sub-system (Roche, col. 22, lines 47-59, “The membership of a user in one or more LDAP groups may reflect certain queries and other operations that the user has performed and which are therefore indicative of the need of that user to have access to one or more particular applications.  LDAP group information is also useful as LDAP can be used to assign a privilege, such as application access, to a group of users.  Finally, LDAP can be used to store user credentials in a network security system, and the credentials can be retrieved with a password and decrypted key, thus enabling the user to various services.  The use of LDAP groups as a user characteristic is not required however and additional, or alternative, information can be used as well.”).  Gavrila discloses determining, based on the group membership associated with the first user, whether the first user is a member of a user group corresponding to the user group domain of the second subsystem (Gavrila, paragraph 0106, “For example, assume that r.sub.1.fwdarw.r, r.sub.2.fwdarw.r, r.sub.3.fwdarw.r, and each of r.sub.1, r.sub.2, and r.sub.3 has 1,000 users, with no common users.  Also assume that we need to instantiate r on 20 hosts in a domain in order to grant those 3,000 users access to some resources.  The old instantiation method applied to r on a host would create 3,000 new local accounts and four local groups on each host.  Applying the new method to instantiate r.sub.1, r.sub.2, r.sub.3 on the domain controller, then to instantiate r on each host, would create once 3000 global accounts and three global groups for r.sub.1, r.sub.2 and r.sub.3, and then a local group for r on each of the 20 hosts, and would include the global groups for r.sub.1, r.sub.2, r.sub.3 as members of the local group r on each host.”).  
The motivation is the same as that of the claim from which this claim depends.
Roche, Gavrila, and Gilpin do not explicitly disclose in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted.
However, in an analogous art, Horn discloses in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted (Horn, paragraph 0042, “a restricted group access point can provide access to devices that are members of the restricted group, while denying access to non-member devices,  In another example, restricted group access points can operate in a hybrid access mode additionally providing a limited level of access to non-members, to which aspects described herein can apply as well.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Horn with the method/ host computing device/ non-transitory computer-readable storage medium of Roche, Gavrila, and Gilpin to include in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted.
One would have been motivated to provide users with the benefits of a limited level of access to non-members (Horn: paragraph 0042).
Regarding claim 17, Roche, Gavrila, and Gilpin disclose the host computing device of claim 13, wherein determining whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted comprises: determining, based on the user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system, a user group domain of the second sub-system (Roche, col. 22, lines 47-59, “The membership of a user in one or more LDAP groups may reflect certain queries and other operations that the user has performed and which are therefore indicative of the need of that user to have access to one or more particular applications.  LDAP group information is also useful as LDAP can be used to assign a privilege, such as application access, to a group of users.  Finally, LDAP can be used to store user credentials in a network security system, and the credentials can be retrieved with a password and decrypted key, thus enabling the user to various services.  The use of LDAP groups as a user characteristic is not required however and additional, or alternative, information can be used as well.”).  Gavrila discloses determining, based on the group membership associated with the first user, whether the first user is a member of a user group corresponding to the user group domain of the second subsystem (Gavrila, paragraph 0106, “For example, assume that r.sub.1.fwdarw.r, r.sub.2.fwdarw.r, r.sub.3.fwdarw.r, and each of r.sub.1, r.sub.2, and r.sub.3 has 1,000 users, with no common users.  Also assume that we need to instantiate r on 20 hosts in a domain in order to grant those 3,000 users access to some resources.  The old instantiation method applied to r on a host would create 3,000 new local accounts and four local groups on each host.  
Applying the new method to instantiate r.sub.1, r.sub.2, r.sub.3 on the domain controller, then to instantiate r on each host, would create once 3000 global accounts and three global groups for r.sub.1, r.sub.2 and r.sub.3, and then a local group for r on each of the 20 hosts, and would include the global groups for r.sub.1, r.sub.2, r.sub.3 as members of the local group r on each host.”).  The motivation is the same as that of the claim from which this claim depends.
Roche, Gavrila, and Gilpin do not explicitly disclose in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted.
However, in an analogous art, Horn discloses in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted (Horn, paragraph 0042, “a restricted group access point can provide access to devices that are members of the restricted group, while denying access to non-member devices,  In another example, restricted group access points can operate in a hybrid access mode additionally providing a limited level of access to non-members, to which aspects described herein can apply as well.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Horn with the method/ host computing device/ non-transitory computer-readable storage medium of Roche, Gavrila, and Gilpin to include in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted.
One would have been motivated to provide users with the benefits of a limited level of access to non-members (Horn: paragraph 0042).
Regarding claim 24, Roche, Gavrila, and Gilpin disclose the computer-readable storage medium of claim 20.  Roche discloses wherein determining whether the first user’s role-based access settings propagated to the second sub-system are to be adjusted comprises: determining, based on the user group domains assigned to the plurality of sub-systems of the hierarchical computing-resource system, a user group domain of the second sub-system (Roche, col. 22, lines 47-59, “The membership of a user in one or more LDAP groups may reflect certain queries and other operations that the user has performed and which are therefore indicative of the need of that user to have access to one or more particular applications.  LDAP group information is also useful as LDAP can be used to assign a privilege, such as application access, to a group of users.  Finally, LDAP can be used to store user credentials in a network security system, and the credentials can be retrieved with a password and decrypted key, thus enabling the user to various services.  The use of LDAP groups as a user characteristic is not required however and additional, or alternative, information can be used as well.”).  Gavrila discloses determining, based on the group membership associated with the first user, whether the first user is a member of a user group corresponding to the user group domain of the second subsystem (Gavrila, paragraph 0106, “For example, assume that r.sub.1.fwdarw.r, r.sub.2.fwdarw.r, r.sub.3.fwdarw.r, and each of r.sub.1, r.sub.2, and r.sub.3 has 1,000 users, with no common users.  Also assume that we need to instantiate r on 20 hosts in a domain in order to grant those 3,000 users access to some resources.  The old instantiation method applied to r on a host would create 3,000 new local accounts and four local groups on each host.  
Applying the new method to instantiate r.sub.1, r.sub.2, r.sub.3 on the domain controller, then to instantiate r on each host, would create once 3000 global accounts and three global groups for r.sub.1, r.sub.2 and r.sub.3, and then a local group for r on each of the 20 hosts, and would include the global groups for r.sub.1, r.sub.2, r.sub.3 as members of the local group r on each host.”).    The motivation is the same as that of the claim from which this claim depends.
Roche, Gavrila, and Gilpin do not explicitly disclose in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted.
However, in an analogous art, Horn discloses in accordance with a determination that first user is not a member of the user group corresponding to the user group domain of the second sub-system, determining that the first user’s access settings with respect to the second sub-system are to be adjusted (Horn, paragraph 0042, “a restricted group access point can provide access to devices that are members of the restricted group, while denying access to non-member devices.  In another example, restricted group access points can operate in a hybrid access mode additionally providing a limited level of access to non-members, to which aspects described herein can apply as well.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright with the 
One would have been motivated to provide users with the benefits of a limited level of access to non-members (Horn: paragraph 0042).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.J.M/Examiner, Art Unit 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439