Remarks
Claims 1, 2, 7, 9-14, 17, and 18 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 9/27/2021 have been fully considered but they are not persuasive.
Applicant explains Applicant’s understanding of portions of the Villavicencio references, including describing that the references disclose users impersonating other users and the like.  Applicant then alleges “as discussed during the examiner interview, Villavicencio and Villavicencio ‘298 fails to disclose a specific impersonation plugin and plugin processing in which impersonation is enabled without requiring an access manager controlling access to a computing resource to have direct access to user information, as recited in independent Claims 1, 13, and 18.  Specifically, Villavicencio and Villavicencio ‘298 fail to disclose” and copies in over a dozen lines of claim 1.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Villavicencio certainly discloses the argued subject matter as follows:

Obtaining, by the access manager, an impersonation plugin based on a policy mapping, the policy mapping comprising information associating the impersonation start URL to an impersonation policy, which is associated with the impersonation plugin (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; plugin acquired that is used for authentication for impersonation, where this plugin is based on a policy (e.g., the entire system of Villavicencio, policy on the specific device on which the plugin is being executed, or the like, as examples), which indicates that the plugin should be used based on the URL being accessed, for example);
Invoking, by the access manager, the impersonation plugin, wherein the invoking comprises instantiating the impersonation plugin and allocating a set of computing resources used by the plugin during execution of plugin processing (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; in order for the plugin to run, it is instantiated with the necessary resources to run, for example.  Also please see the appendix on pages 12-21, which includes source code for a sample plugin that allocates various computing resources upon instantiation);
Executing, by the access manager, the impersonation plugin to initiate the plugin processing using the allocated set of computing resources, wherein the plugin processing comprises (Exemplary Citations: 
Requesting impersonation attributes from a particular identity provider identified by the impersonation policy, wherein the impersonation attributes are stored in a location inaccessible to the access manager, and the impersonation attributes indicate whether the first user has been granted permission to impersonate the second user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; requesting attributes of the proper user (e.g., the impersonatee), for example);
Determining, based on the impersonation attributes obtained from the identity provider, that the first user has been granted permission to impersonate the second user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; checking attributes to see if user A can impersonate user B, for example); and
In response to determining the first user has been granted permission to impersonate the second user, re-authenticating the first user for the first session (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; verifying that user A can impersonate user B, re-authentication, or the like, as examples); and
.  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 7, 9-14, 17, and 18 are rejected under 35 U.S.C. 102(a)(1) and/or 102(a)(2) as being anticipated by Villavicencio (U.S. Patent Application Publication 2003/0105862).
Regarding Claim 1,
Villavicencio discloses a computer implemented method comprising:

Obtaining, by the access manager, an impersonation plugin based on a policy mapping, the policy mapping comprising information associating the impersonation start URL to an impersonation policy, which is associated with the impersonation plugin (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; plugin acquired that is used for authentication for impersonation, where this plugin is based on a policy (e.g., the entire system of Villavicencio, policy on the specific device on which the plugin is being executed, or the like, as examples), which indicates that the plugin should be used based on the URL being accessed, for example);
Invoking, by the access manager, the impersonation plugin, wherein the invoking comprises instantiating the impersonation plugin and allocating a set of computing resources used by the plugin during execution of plugin processing (Exemplary Citations: for example, 
Executing, by the access manager, the impersonation plugin to initiate the plugin processing using the allocated set of computing resources, wherein the plugin processing comprises (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; plugin executes, for example):
Requesting impersonation attributes from a particular identity provider identified by the impersonation policy, wherein the impersonation attributes are stored in a location inaccessible to the access manager, and the impersonation attributes indicate whether the first user has been granted permission to impersonate the second user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; requesting attributes of the proper user (e.g., the impersonatee), for example);
Determining, based on the impersonation attributes obtained from the identity provider, that the first user has been granted permission to impersonate the second user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 
In response to determining the first user has been granted permission to impersonate the second user, re-authenticating the first user for the first session (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; verifying that user A can impersonate user B, re-authentication, or the like, as examples); and
Upon valid re-authentication of the first user for the first session, initiating, by the access manager, an impersonation session, wherein the initiating the impersonation session comprises switching a user associated with the first session from the first user to the second user thereby converting the first user session to the impersonation session (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; user A impersonates user B, for example).  
Regarding Claim 13,
Claim 13 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 18,
Claim 18 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 2,

Regarding Claim 14,
Claim 14 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 7,
Villavicencio discloses causing, by the access manager, a consent page to be presented to the first user, the consent page requesting a confirmation of the first user’s intent to initiate the impersonation session (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; authentication form, challenge, or the like, for example).  
Regarding Claim 9,
Villavicencio discloses receiving, by the access manager during the impersonation session, a request from the first user for access to the computing resource (Exemplary Citations: for example, Abstract, 
Providing, by the access manager, access to the computing resource in response to the request from the first user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; accessing resource, for example).  
Regarding Claim 10,
Villavicencio discloses that the access manager directs requests for authenticating the first user to the identity provider, the identity provider performing authentication of the first user on behalf of the access manager (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; redirect to authentication form, for example).  
Regarding Claim 11,
Villavicencio discloses that switching the user associated with the first session from the first user to the second user comprises updating a cookie to replace information about the first user with information about the second user (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures; cookie has both user IDs in it once impersonating, for example).  
Regarding Claim 12,
Villavicencio discloses that the first user does not have an access privilege for accessing the computing resource (Exemplary Citations: for 
Regarding Claim 17,
Villavicencio discloses that the instructions further cause the one or more processors to:
Receive, by the access manager during the impersonation session, a request from the first user for access to the computing resource (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures); and
Provide, by the access manager, access to the computing resource in response to the request from the first user, wherein the first user does not have an access privilege for accessing the computing resource (Exemplary Citations: for example, Abstract, Paragraphs 11-16, 82, 85-87, 98-105, 107, 108, and associated figures).  

Claims 1, 2, 7, 9-14, 17, and 18 are rejected under 35 U.S.C. 102(a)(1) and/or 102(a)(2) as being anticipated by Villavicencio2 (U.S. Patent 7,765,298).  
The rejections are the same as above with the same citations in patent form, where the paragraphs include the same subject matter and are present at the same spots as in Villavicencio.  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432