DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
	Applicant’s arguments have been carefully considered, and are not deemed persuasive.
	Applicant argues, regarding the 103 rejection, that the cited references fail to teach or suggest “accessing a policy object including an effective policy for the data resource, the effective policy including at least one statement and at least one access permission inherited from a parent data resource from which the data resource depends”.   
Applicant argues that Lortz teaches a naming convention that allows for inheritance of access permissions from parent resources.  However, merely allowing inheritance of access permission from parent nodes does not teach accessing and evaluating a single policy object that includes the inherited access permissions.  To the contrary, Lortz explains:
For example, first and second resource can be identified by resource name attributes 42 of “PC” and “PC/media” respectively. The ACE attribute 43 associated with the first resource “PC” is evaluated if the ACE attribute associated with the second resource “PC/Media” does not grant the requested permission.  Processing of an ACL attribute 41 can proceed in a bottom-up fashion. 
Thus, in Lortz, although the resource naming convention allows for inheritance of access permissions, evaluation of access permissions for a first resource still requires processing of permissions associated with a second resource (e.g., a parent resource). Hence, it appears that Lortz fails to even contemplate the inherited access permissions for the first resource being included in a single policy object associated with the first resource.



The examiner respectfully disagrees.  Having an inheritance attribute set within a policy reads on the policy including at least one access permission inherited from a data resource.  The claim does not specify that the inherited access permission itself is a statement that is evaluated.  The claim requires that the policy includes a) a statement including an operation performable with respect to the data resource based on one or more conditions, and b) at least one access permission inherited from a parent data resource.  Lortz clearly teaches the inheritance of an access permission level from a parent node in a hierarchy by using an inheritance attribute - see [0022] and [0023].  The inheritance attribute is part of the policy itself - see figure 3A #46.  Therefore, Lortz clearly teaches that the policy includes an access permission inherited from a parent data resource.

The 101 rejections have been overcome by applicant’s arguments.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 and 1-20 of U.S. Patent Nos. 10,362,064 and 9,888,039, respectively. Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn to creating policy objects including statements and an access permission inherited from at least one parent data resource.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 11, 12, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786).
Regarding claims 1, 11, and 20, Lee teaches a method (and corresponding system and medium), comprising:
Receiving an access request for a data resource stored in a first network database ("A system accessed through the portal receives requests for accessing network resources associated with the systems applications and resources") - see abstract.
Based on receiving the access request, accessing, from a second network database, a policy object linked to the data resource, the policy object including an effective policy for the data resource, the effective policy including at least one statement, the at least one statement includes an operation performable with respect to the data resource based on one or more conditions (Policy includes rules (statements), URL (resource id), rules specify conditions. Policy object is therefore linked to the data resource) - see [0051]-[0052].
Evaluating, using a hardware processor, the at least one access permissions of the data resource with respect to a user associated with the access request (Rules specify the conditions in which access to requested resources is allowed or denied and to which end users these conditions 
Communicating a response to the access request based on a result (Rules are evaluated to determine whether the request should be allowed or denied) - see [0051], [0052], and [0055].
Lee does not teach, but Lortz teaches: the effective policy includes at least one access permission inherited for the data resource, the effective policy including at least one access permission inherited from a parent data resource from which the data resource depends (Resource names can be hierarchically structured to allow inheritance of an access permission level from a parent node in the hierarchy.  Inheritance attribute is part of policy) - see [0022] - [0023] and figure 3A #46.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee by using hierarchical access permissions/inheritance of access permissions, for the purpose of efficiency, based upon the beneficial teachings provided by Lortz.

Regarding claims 2 and 12, Lee teaches that evaluating of the at least one access permission comprises determining whether the one or more conditions included in the at least one access permission are satisfied - see [0051], [0052], and [0055].

Regarding claim 19, Lee teaches that the access permission includes an operation the user is authorized to perform on the data resource using a network application - see [0052].  (Also see Hjelm [0037] and [0041].)

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786), and further in view of Bar-El (US 2006/0232826).
The teachings of Lee and Lortz are relied upon for the reasons set forth above.
Regarding claims 3 and 13, Lee and Lortz do not teach that the one or more conditions include an allowed identifier and the satisfaction of the one or more conditions is based on a user identifier included in the access request matching the allowed user identifier.
Bar-El teaches a system wherein a controller determines whether a user is allowed to access a requested file by determining whether the user ID stored in memory matches the user ID access information corresponding to the requested file ID - see [0085].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee and Lortz by using an allowed identifier and granting access based on matching identifiers, for the purpose of security, based upon the beneficial teachings provided by Bar-El.

Claims 4-7 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786), and further in view of Hjelm et al. (US 2011/0113471).
The teachings of Lee and Lortz are relied upon for the reasons set forth above.
Regarding claims 4, 7, 14, and 17, Lee and Lortz do not teach that the one or more conditions include a temporal condition specifying a time range and the satisfaction of the condition is based on the access request being received within the time range, or that the policy object includes a plurality of statements which includes at least one of: a first statement granting the user permission to perform a first operation based on a satisfaction of a first condition or a second statement denying the user permission to perform a second operation based on satisfaction of a second condition.
Hjelm teaches a system wherein statements such as context dependent parameters from a pick list or custom defined, such as permitted to access stored/streamed music only if location does not equal school and if time is between 6pm and 10pm or activity equals email then block video content and allow audio content - see [0037] and [0041], for example.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee and Lortz by using multiple statements and temporal conditions, for the purpose of customizable access control, based upon the beneficial teachings provided by Hjelm.
Regarding claims 5, 6, 15, and 16, Lee and Lortz do not teach that the access request is received from a network application included in a suite of network applications, the suite of network applications sharing access to the first network database, wherein the policy object includes at least one statement defining a condition for permitting or denying the user to perform an application specific operation associated with a particular user network application from among the suite of network applications.
Hjelm teaches a system wherein video content and audio content may be allowed/disallowed separately, thus suggesting that an audio and video player (network applications) both have access to the first network.  Block video content or allow audio content (multiple statements) = play content/block content = application specific operation - see [0041].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee and Lortz by processing requests from network applications from a suite of network applications and wherein the policy object permits or denies the user to perform application specific operations associated with an application, for the purpose of customizable access control, based upon the beneficial teachings provided by Hjelm.

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786), and further in view of Clark et al. (US 2011/0029781).
The teachings of Lee and Lortz are relied upon for the reasons set forth above.
Regarding claims 8 and 18, Lee and Lortz do not teach creating a log of the access request, the log including an identifier of an application from which the access request was received, and storing the log of the access request in a third network database.
Clark teaches a system wherein identifiers and corresponding timestamps are stored and a controller may track the history of access requests for client computers and users and use that historical data to determine whether the user at a computer might be a spambot - see [0050].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee and Lortz by logging and storing access requests including identifiers, for the purpose of security, based upon the beneficial teachings provided by Clark.
 
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786), and further in view of Abuelsaad et al. (US 2013/0268668).
The teachings of Lee and Lortz are relied upon for the reasons set forth above.
Regarding claim 9, Lee and Lortz do not teach providing, to a client device, a user interface for registering a policy, the user interface including one or more input fields to receive a policy registration, receiving, from the client device, a policy registration including a resource identifier identifying the data resource, each of the plurality of statements including an operation performable with respect to the data resource based on a satisfaction of one or more conditions, and based on the policy registration, creating the policy object linked to the data resource, and storing the policy object in the second network database.
Abuelsaad teaches a system wherein a client system is provided with an interface for creating a policy, the interface comprising fields for receiving rules and compliance definition - see claim 2 and [0014].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee and Lortz by providing a registration system for registering a policy and storing it, based upon the beneficial teachings provided by Abuelsaad, for the purpose of customizing a policy.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2004/0010607) in view of Lortz (US 2003/0018786), and further in view of Abuelsaad et al. (US 2013/0268668) and Holdsworth et al. (US 2003/0188198).
The teachings of Lee, Lortz, and Abuelsaad are relied upon for the reasons set forth above.
Regarding claim 10, Lee, Lortz, and Abuelsaad do not teach modifying an additional policy object associated with an additional data resource that depends on the data resource, the modifying of the additional policy object including adding the plurality of statements to the additional policy object.
Holdsworth teaches a system wherein policies comprising ACLs are inheritable by which resources are inherited in a hierarchy and inheritance rules are applied - see [0088] and fig 2.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Lee, Lortz, and Abuelsaad by modifying an additional policy object associated with an additional data resource that depends on the data resource, including adding the plurality of statements to the additional policy object, based upon the beneficial teachings provided by Holdsworth, for the purpose of easily adapting a policy for inheritance.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LISA C LEWIS whose telephone number is (571)270-7724. The examiner can normally be reached Monday - Thursday 7am-2pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/LISA C LEWIS/Primary Examiner, Art Unit 2495