DETAILED ACTION
Claim 1 has been amended.
Claims 1 – 9 and 12 – 13 have been examined and are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to 


Claims 1 – 9 and 12 - 13 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application Publication No. 2014/0380048 to He et al. (hereinafter He).

Claim 1, He discloses (¶31) a secure mechanism for controlling access to computer resources made available to a client entity by a cloud computer system, and it includes:
method for managing a cloud computing system, able to allocate computing and network resources to a plurality of clients, each client being associated with at least one user likely to access computing and network resources allocated to the client by the cloud computing system, said method being performed by at least one hardware element of the cloud computing system, and comprising for at least one client of the cloud computing system; He discloses (¶26) a cloud computer service supplier that provides computer resources to users, and an intermediary server S that is located within the client and manages the access of the users to the computing resources (¶109, ¶121) using the application programming interface (API). The platform of the service supplier no longer needs to manage the accounts of users associated with a client entity account, nor does it need to manage the rights associated with those user accounts; it needs only to manage the accounts of the client entity (¶39).
receiving an instance of the meta-model provided by the client, said instance defining for said client an access control model and an access control policy based on this access control model; He discloses (¶34) the access control model and access control policy is derived (i.e. obtained) from a metadata file describing the various elements that define this model and the structure thereof. This metadata file is previously supplied by the client via the administration unit (¶136, ¶141). He discloses the meta-model instance (¶Annex 1) <PolicyFormat>(Subject, Role, Action, Object … </PolicyFormat>.
applying said access control policy to control access of a user of the client to at least one resource allocated to the client by the cloud computing system; He discloses (¶143) the verification unit applies the access control model and the access policy to the resource and determines whether the user is authorized to access the resource (¶143).
He does not explicitly disclose providing, to said client, a meta-model comprising a plurality of elements allowing to define an access control model and an access control policy for the client. 
The Office notes that, however, at the time of filing it would be obvious to one of ordinary skill in the art to provide the client with an access control meta-model derived from a metadata file because the cloud server is receiving the personalized access control model back from the client (i.e. client-defined). So it is implicit that at first, the client would be provided with a generic access control model derived from a metadata file defining the model (e.g. role, action, subject, view, expected format and/or attributes), and then the client defines and personalizes the access control model accordingly, and sends it back to the cloud server.
It would have been obvious as of the effective filing date to one of ordinary skill in the art to combine a method for managing a cloud computing system, able to allocate computing and network resources to a plurality of clients, each client being associated with at least one user likely to access computing and network resources allocated to the client by the cloud computing system, said method being performed by at least one hardware element of the cloud computing system, and comprising for at least one client of the cloud computing system, receiving an instance of the meta-model provided by the client, said instance defining for said client an access control model and an access control policy based on this access control model, applying said access control policy to control access of a user of the client to at least one resource allocated to the client by the cloud computing system, as disclosed by He, and applying said access control policy to control access of a user of the client to at least one resource allocated to the client by the cloud computing system, as noted by the Office, for the purpose of implementing access control methods that are adapted to the needs of that client entity at a given instant and to the personalized access policy the client desires to implement for its resources and its users (¶35).

Claim 2, He discloses all the elements of claim 1. Further, He discloses:
wherein the plurality of elements of the meta-model comprises: a perimeter of the access control model defining a plurality of entities involved in the access control policy of the client; He discloses (¶137) metadata file describing an access control model and defining names, formats of the access control policies corresponding to the model and various entities of the model.
metadata defining, for each entity, at least one attribute category associated with that entity; He discloses (¶137) metadata file describing attribute category (e.g. Role) associated with that entity <EntityAttribute>Role<EntityAttribute>.
at least one meta-rule identifying one or several attribute categories defined by the metadata and used to provide an instruction in accordance with the access control policy of the client; He discloses (¶137) metadata file describing meta-rule and an instruction (action) in accordance with the access control policy <PolicyFormat>(Subject, Role, Action, Object … </PolicyFormat>.
at least one access control rule based on said at least one meta-rule and providing an instruction in accordance with the access control policy of the client; He discloses (¶138) a metadata file META-RBAC issued for the access control model. The processing rules defined by the access control policies applied in the context of this model. For example, for a subject, an action, an object (e.g. resource R1) and a role associated with the subject, these rules should specify the access rights that are allocated ("permission").
data defining possible values for each attribute category defined by the metadata; He discloses (¶Annex 2) that data (i.e. file structure) defines values (i.e. permission level) for each attribute category (e.g. role) defined by the metadata. <PolicyFormat>(Subject, Role, Action, Object, Role equal = “”, permission</PolicyFormat>. Further, the Office notes that additional data is typical of a model of access control policies and the inclusion thereof is considered to be a mere configuration option that a person skilled in the art would choose.
a set of values assigned by the client to each entity defined for this client in the perimeter of the access control model, for each attribute category associated with this entity and comprised in a meta-rule, said assigned values being selected from the data; He discloses (¶107-¶111) a set of values (e.g. permission authorization) selected from the data (i.e. file structure), and assigned by the client for each attribute category (e.g. ‘Role’) associated with the entity (e.g. "a developer is authorized to manage such and such a program between 8:00 AM and 4:00 PM", "a manager is authorized to administer a memory space via an IP address that is distinct from IP addresses associated with the office", etc.).

Claim 3, He discloses all the elements of claim 2. Further, He discloses:
wherein said plurality of entities comprises at least one subject, and/or at least one object, and/or at least one action; He discloses (¶137, Annex 1) metadata file with a plurality of entities describing subject, object, action as per the access control policy <PolicyFormat>(Subject, Role, Action, Object … </PolicyFormat>.

Claim 4, He discloses all the elements of claim 2. Further, He discloses:
wherein at least one attribute category defined for an entity is selected from a security level; a role; a type; and a field; He discloses (¶138) that attribute category defined for an entity is selected from a ‘role’ for a subject which might be “admin”, “manager”, “employee”, etc.

Claim 5, He discloses all the elements of claim 2. Further, He discloses:
wherein at least one instruction provided by said at least one rule comprises an authorization or a denial of access to a determined resource allocated to the client by the cloud computing system; He discloses (¶23-¶25) verifying that the user is authorized to access the computer resource via the terminal by applying to the user and to the resource an access control model and an access control policy corresponding to the model, which model and policy are obtained by the authentication and authorization module for the client entity; and if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform; or else rejecting the access request.

Claim 6, He discloses all the elements of claim 1. Further, He discloses:
wherein the instance of the meta-model is provided by said client via a configuration interface of the cloud computing system common to said plurality of clients; He discloses (¶156) that terminal 2 interface is used by the platform to inform the client(s) that the user has been authenticated successfully and the requested access to the cloud computing resource is granted.

Claim 7, He discloses all the elements of claim 1. Further, He discloses:
wherein the instance of the meta-model provided by the client defines an access control model of the RBAC, OrBAC, ACL, DTE, ABAC or MLS type.; He discloses (¶138) shows an example of a metadata file META-RBAC issued for the access control model known as RBAC.

Claim 8, do not teach or further define over the limitations in claim 1. Therefore, claim 8 is rejected for the same rationale of rejection as set forth in claim 1.

Claim 9, do not teach or further define over the limitations in claim 2. Therefore, claim 9 is rejected for the same rationale of rejection as set forth in claim 2.

Claim 12, do not teach or further define over the limitations in claim 1. Therefore, claim 12 is rejected for the same rationale of rejection as set forth in claim 1.

Claim 13, do not teach or further define over the limitations in claim 1. Therefore, claim 13 is rejected for the same rationale of rejection as set forth in claim 1.

Response to Arguments

Claim Rejections - 35 USC § 103
Applicant’s arguments, filed on 11/11/2021, with respect to Claims 1 – 11 have been fully considered and they are not persuasive. Hence the 35 USC § 103 rejection is maintained.
In respond to the argument on Pg. 8, “He does not describe providing a client with a meta-model … He neither discloses nor suggests such a meta-model … He does not disclose the cloud computing system,” the Examiner notes that He clearly discloses the platform of the cloud computing system (Fig. 1 and ¶26, ¶93, ¶98). Further, the Examiner notes that He discloses (¶34, ¶136) metadata file that contains the meta-model instance (¶Annex 1) used by the server to authenticate user by deriving the access control model and the associated access control policy that are personalized and defined specifically for the client. He discloses (¶35) the access control model and policy are easily configured using the metadata file and to be controlled in a manner that is adapted to the needs of that client entity at a given instant.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN KHAN whose telephone number is (313) 446-6574. The examiner can normally be reached on MONDAY - THURSDAY: 8AM-6PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 - If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/H. A. K./
Examiner, Art Unit 2456
/RICHARD G KEEHN/Primary Examiner, Art Unit 2456