DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is a reply to the amendment filed on 09/03/2021, in which, claim(s) 1-9, 11-17, 19-22 are pending. Claim(s) 1, 3, 7, 13, 16, 19, 20 are amended. Claim(s) 10 and 18 are cancelled. Claim(s) 21, 22 are newly added.

Response to Arguments
Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant’s arguments with respect to the rejection of claim(s) 1-20 have been considered but are moot in view of the new ground(s) of rejection.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person 

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 3-9, 11-13, 15-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons et al. (US 2018/0288048 A1, cited by the applicant in the 05/22/2019 IDS) in view of Lander et al. (US 2017/0331832 A1) further in view of Schincariol et al. (US 2019/0199782 A1).
Regarding claim 1, Gibbons discloses A method, comprising: 
receiving an access-request message and accounting-request messages associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource managed, in part, by a policy management (PM) system connected to a network infrastructure and the accounting-request messages pertaining to requested access to respective subsets of the network resource (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS protocol Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052] to a network infrastructure, [0027], “Accounting-Request and/or Access-Request messages”, [0041], “Access-Request messages sent by a RADIUS client to request authentication and authorization for a subscriber connection and Accounting-Request messages sent by a 
obtaining an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of the PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, i.e. the attribute representing a first policy rule to be applied to resource requests from the user); 
augmenting a record to each of a plurality of PM nodes collectively providing functionality of the PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); 
propagating the record throughout the plurality of PM nodes of the PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”, [0023], “The updated account information may then be shared throughout nodes of the distributed PM using an update to the MMC”); 
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).
Gibbons and Lander are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record (as taught by Gibbons) in a distributed data store accessible (as taught by Lander) to each of the plurality of PM nodes. The motivation/suggestion would have been for storing cached objects to speed up performance of identity management in a cloud system (Lander, [0002], [0110]).
The combined teaching of Gibbons and Lander does not explicitly teach but Schincariol teaches
determining, based on the attribute, whether the client device is authorized to access the network resource (Figs 1 & 2, client devices 102 & 202, [0004], “a user may be permitted to access various resources”, [0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, [0039], “an access control list may include a list of permissions (as attributes) attached to the object that specifies (i.e. determines) which users are granted access to the object as well as the operations that the users may perform on the object”); in response to determining that the client device is authorized to access the network resource: 
determining, based on the attribute, and using a first node of the nodes, a first level of access to which the client device is authorized with respect to a first subset of the network resource according to a first message of the messages 
determining, based on the attribute, and using a second node of the nodes, a second level of access to which the client device is authorized with respect to a second subset of the network resource according to a second message of the messages ([0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, e.g. Fig. 1 Proxy Node-2 for Storage Node-2 (i.e. second subset of the network resource), claim 2, “from the requester, a second request to access second information”); and   
selectively providing, to the client device, access to the first subset and the second subset according to the first level of access and the second level of access, respectively ([0027], “upon determining that the user is authorized to access the information, proxy nodes 112 may be configured to (selectively) provide 
Gibbons, Lander and Schincariol are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons and Lander) to selectively provide different resources to the client devices (as taught by Schincariol). The motivation/suggestion would have been for managing access to information in an enterprise environment (Schincariol, [0002]).

Regarding claim 3, the combined teaching of Gibbons, Lander and Schincariol teaches wherein the access-request message is received at a PM node of the plurality of PM nodes and the attribute is obtained, prior to the determination of whether the client device is authorized to access the network resource, from a data base external to the PM node, the data base containing information about a plurality of policy rules including the first policy rule (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, “external database 24” in Fig. 1 prior to the determination).

Regarding claim 4, the combined teaching of Gibbons, Lander and Schincariol teaches sharing at least a portion of the information about the attribute and the policy rule with an infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0028], “RADIUS messages 16”).

Regarding claim 5, the combined teaching of Gibbons, Lander and Schincariol teaches wherein sharing at least the portion of the information comprises embedding the portion of information within a segment of the RADIUS protocol message in conformance with an industry standard for a RADIUS protocol (Gibbons, [0002], “An extension to the RADIUS protocol commonly used to initiate a change of authorization (CoA) is the Dynamic Authorization Extensions to RADIUS”).

Regarding claim 6, the combined teaching of Gibbons, Lander and Schincariol teaches wherein the infrastructure device of the network infrastructure determines compliance of the first policy rule based on the RADIUS protocol message (Gibbons, [0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, “If RADIUS server 14 includes a configuration record for the subscriber and the authentication credentials are correct, RADIUS server 14 returns a RADIUS protocol Access-Accept message to BNG 10. If a match is not found or a problem is found with the authentication credentials, the server returns an Access-Reject message”).

Regarding claim 7, the combined teaching of Gibbons, Lander and Schincariol teaches
receiving the first accounting-request message at the first PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); 
updating the record to reflect the first accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); and 
propagating the updated record throughout the plurality of PM nodes of the PM system (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”).  

Regarding claim 8, the combined teaching of Gibbons, Lander and Schincariol teaches sharing at least a portion of information from the updated record with an infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 9, the combined teaching of Gibbons, Lander and Schincariol teaches wherein the infrastructure device of the network infrastructure is a firewall or a network authentication server (NAS) (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers, such as (network) authentication server 22”).

Regarding claim 11, the combined teaching of Gibbons, Lander and Schincariol teaches wherein performance of the second PM node of the plurality of PM nodes is indicated by a load balancing capability of the PM system (Lander, [0258], “load balancer for load balancing”).

Regarding claim 12, the combined teaching of Gibbons, Lander and Schincariol teaches wherein each of the plurality of PM nodes of the PM system are nodes of a cluster configuration implemented to collectively provide functionality of the PM system as a high-availability (HA) PM system (Lander, [0114], “to provide high level service”, [0208], “a high-performance network”).

Regarding claim 13, Gibbons discloses A network infrastructure device to manage authentication, authorization, and accounting (AAA) activities on a first network (Abstract, “a RADIUS server (as the network infrastructure device) for a service provider network (i.e. the first network)”, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”), the network infrastructure device comprising: 
a network interface communicatively coupled to the first network ([0034], “RADIUS server 14 includes control unit 30 and network interface 32”); 
a processing device communicatively coupled to the network interface ([0034], “RADIUS server 14 includes control unit 30 and network interface 32”); and   
a non-transitory storage medium readable by the processing device and storing instructions, that when executed by the processing device ([0053], “Control unit may comprise one or more processors that execute software instructions, such as those used to define a software or computer program, stored to a computer-readable storage medium”), cause the network infrastructure device to provide functionality of a first PM node of a plurality of PM nodes ([0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”), and to: 
receive an access-request message and accounting-request messages associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource of the first network and managed, in part, by a policy management (PM) system connected to the first network and the accounting-request messages pertaining to requested access to respective subsets of the network resource (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS protocol Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052] to a network infrastructure, [0027], “Accounting-Request and/or Access-Request messages”, [0041], “Access-Request messages sent by a RADIUS client to request authentication and authorization for a subscriber connection and Accounting-Request messages sent by a RADIUS client to specify accounting information for a subscriber connection that has been established by the RADIUS client”); 
obtain an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of the PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, i.e. the attribute representing a first policy rule to be applied to resource requests from the user); 
augment a record to each of the plurality of PM nodes collectively providing functionality of the PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); 
propagate the record throughout the plurality of PM nodes of the PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”, [0023], 
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).
Gibbons and Lander are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record (as taught by Gibbons) in a distributed data store accessible (as taught by Lander) to each of the plurality of PM nodes. The motivation/suggestion would have been for storing cached objects to speed up performance of identity management in a cloud system (Lander, [0002], [0110]).
The combined teaching of Gibbons and Lander does not explicitly teach but Schincariol teaches
determine, based on the attribute, whether the client device is authorized to access the network resource (Figs 1 & 2, client devices 102 & 202, [0004], “a user may be permitted to access various resources”, [0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, [0039], “an access control list may include a list of permissions (as attributes) attached to the object that specifies (i.e. determines) which users are granted access to the object as well as the operations that the users may perform on the object”); in response to determining that the client device is authorized to access the network resource: 
determine, based on the attribute, and using a first node of the nodes, a first level of access to which the client device is authorized with respect to a first subset of the network resource according to a first message of the messages ([0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, [0027], “after checking the validity of the access token…Proxy nodes 112 may then be configured to determine the appropriate storage node that has the requested information…to determine that the user is authorized to access the information based on the one or more roles associated with the access token and an access control list (ACL) associated with the requested information (object) in the storage node…upon determining that the user is authorized to access the information, proxy nodes 112 may be configured to provide the information to the user on client device 102”, e.g. Fig. 1 Proxy Node-1 for Storage Node-1 (i.e. first subset of the network resource), claim 2, “receiving the first request from the requester”); 
determine, based on the attribute, and using a second node of the nodes, a second level of access to which the client device is authorized with respect to a second subset of the network resource according to a second message of the messages ([0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, e.g. Fig. 1 Proxy Node-2 for Storage Node-2 (i.e. second subset of the network resource), claim 2, “from the requester, a second request to access second information”); and   
selectively provide, to the client device, access to the first subset and the second subset according to the first level of access and the second level of access, respectively ([0027], “upon determining that the user is authorized to access the information, proxy nodes 112 may be configured to (selectively) provide the information to the user on client device 102 (User_1 to User_M)” according to “a list of permissions” (i.e. access levels) in [0039]).  
Gibbons, Lander and Schincariol are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons and Lander) to selectively provide different resources to the client devices (as taught by Schincariol). The motivation/suggestion would have been for managing access to information in an enterprise environment (Schincariol, [0002]).

Regarding claim 15, the combined teaching of Gibbons, Lander and Schincariol teaches share at least a portion of the information about the attribute and the policy rule with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 16, the combined teaching of Gibbons, Lander and Schincariol teaches
receive, via data store propagation, data regarding the first accounting-request message processed at the first PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); and 
update a local instance to reflect the accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); and 
forward the data regarding the first accounting-request message to the second PM node of the plurality of PM nodes (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”, [0026], “External database 24 (i.e. 3rd PM node) is a backend database that RADIUS server 14 may use to store accounting information”).  

Regarding claim 17, the combined teaching of Gibbons, Lander and Schincariol teaches share at least a portion of information from the updated record with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 19, Gibbons discloses A non-transitory computer readable medium comprising instructions stored thereon that, when executed by a processor of a first network infrastructure device (Abstract, “a RADIUS server (as the network infrastructure device) for a service provider network (i.e. the first network)”, [0053], “Control unit may comprise one or more processors that execute software instructions, such as those used to define a software or computer program, stored to a computer-readable storage medium”), cause the first network infrastructure device to: 
receive an access-request message and accounting-request messages associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource of a first network and managed, in part, by a policy management (PM) system connected to the first network and the accounting-request messages pertaining to requested access to respective subsets of the network resource (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS protocol Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052] to a network infrastructure, [0027], “Accounting-Request and/or Access-Request messages”, [0041], “Access-Request messages sent by a RADIUS client to request 
obtain an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of a distributed PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, i.e. the attribute representing a first policy rule to be applied to resource requests from the user); 
augment a record to each of a plurality of PM nodes collectively providing functionality of the distributed PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); 
propagate the record throughout the plurality of PM nodes of the distributed PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”, [0023], “The updated account information may then be shared throughout nodes of the distributed PM using an update to the MMC”); 
share at least a portion of the information about the attribute and the first policy rule with a second infrastructure device of the first network via a remote authentication dial-in user service (RADIUS) protocol message ([0018], “a network system having a Remote Access Dial in User Service (RADIUS) server that supports bulk delivery of change of authorization (CoA) data”, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers, such as (network) authentication server 22”, i.e. the second infrastructure device);
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).
Gibbons and Lander are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record (as taught by Gibbons) in a distributed data store accessible (as taught by Lander) to each of the plurality of PM nodes. The motivation/suggestion would have been for storing cached objects to speed up performance of identity management in a cloud system (Lander, [0002], [0110]).
The combined teaching of Gibbons and Lander does not explicitly teach but Schincariol teaches
determine, based on the attribute, whether the client device is authorized to access the network resource (Figs 1 & 2, client devices 102 & 202, [0004], “a user may be permitted to access various resources”, [0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, [0039], “an access control list may include a list of permissions (as attributes) attached to the object that specifies (i.e. determines) which users are granted access to the object as well as the operations that the users may perform on the object”); in response to determining that the client device is authorized to access the network resource: 
determine, based on the attribute, and using a first node of the nodes, a first level of access to which the client device is authorized with respect to a first subset of the network resource according to a first message of the messages ([0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage system”, [0027], “after checking the validity of the access token…Proxy nodes 112 may then be configured to determine the appropriate storage node that has the requested information…to determine that the user is authorized to access the information based on the one or more roles associated with the access token and an access control list (ACL) associated with the requested information (object) in the storage node…upon determining that the user is authorized to access the information, proxy nodes 112 may be configured to provide the information to the user on client device 102”, e.g. Fig. 1 Proxy Node-1 for Storage Node-1 (i.e. first subset of the network resource), claim 2, “receiving the first request from the requester”); 
determine, based on the attribute, and using a second node of the nodes, a second level of access to which the client device is authorized with respect to a second subset of the network resource according to a second message of the messages ([0022], “proxy nodes 112 may be configured to receive requests from client devices 102 to access information and/or data or objects stored in data storage and   
selectively provide, to the client device, access to the first subset and the second subset according to the first level of access and the second level of access, respectively ([0027], “upon determining that the user is authorized to access the information, proxy nodes 112 may be configured to (selectively) provide the information to the user on client device 102 (User_1 to User_M)” according to “a list of permissions” (i.e. access levels) in [0039]).  
Gibbons, Lander and Schincariol are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons and Lander) to selectively provide different resources to the client devices (as taught by Schincariol). The motivation/suggestion would have been for managing access to information in an enterprise environment (Schincariol, [0002]).

Regarding claim 20, the combined teaching of Gibbons, Lander and Schincariol teaches
wherein the access-request message is received at a first PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14”) and further comprising instructions to cause the network infrastructure device to: 
receive, via data store propagation, data regarding the second accounting-request message processed at a second PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); and 
update a local instance to reflect the second accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); 
forward the data regarding the second accounting-request to a third PM node of the plurality of PM nodes (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”, [0026], “External database 24 (i.e. 3rd PM node) is a backend database that RADIUS server 14 may use to store accounting information”); and 
share at least a portion of information from the updated record with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message, wherein the different infrastructure device lacks direct access to the distributed data store (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).  

Claims 2 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons et al. (US 2018/0288048 A1, cited by the applicant in the 05/22/2019 IDS) in view of Lander et al. (US 2017/0331832 A1) further in view of Schincariol et al. (US 2019/0199782 A1) and further in view of Chirca et al. (US 2014/0115279 A1).
Regarding claims 2 and 14, the combined teaching of Gibbons, Lander and Schincariol teaches wherein the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”) having a locally accessible data store for each of the plurality of PM nodes of the PM system to maintain shared information about states of client devices and a plurality of policy rules including the first policy rule, each of the plurality of policy rules enforced by the PM system (Gibbons, Abstract, “a RADIUS server for a service provider network”, [0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”).  
The combined teaching of Gibbons, Lander and Schincariol does not explicitly teach but Chirca teaches a multi-master cache (title, “Multi-Master Cache”).
Gibbons, Lander, Schincariol and Chirca are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons, Lander and Schincariol) wherein the distributed data store 

Claims 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons et al. (US 2018/0288048 A1, cited by the applicant in the 05/22/2019 IDS) in view of Lander et al. (US 2017/0331832 A1) further in view of Schincariol et al. (US 2019/0199782 A1) and further in view of Jonathan Egan Salcedo (US 2016/0006693 A1).
Regarding claim 21, the combined teaching of Gibbons, Lander and Schincariol does not explicitly teach but Salcedo teaches 
wherein the second level of access is determined without waiting for a response from a firewall ([0078], “when the response 316 to the HTTP GET request 314 fails to resolve to a unique domain to be used as the second domain name 320 will the SSL handshake 322 be attempted by the firewall”).
Gibbons, Lander, Schincariol and Salcedo are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons, Lander and Schincariol) without waiting for a response from a firewall (as taught by Salcedo). The motivation/suggestion would have been for deploying a security policy (Salcedo, [0002]).

Regarding claim 22, the combined teaching of Gibbons, Lander and Schincariol does not explicitly teach but Salcedo teaches 
receiving a retrieval request to retrieve a particular Universal Resource Locator (URL); determining, based on feedback from a firewall, whether the client device is properly authenticated to access the particular URL; and transmitting the feedback to the client device ([0078], “the SSL handshake 322 be attempted by the firewall”, [0089], “the response may include a URL redirection containing a location header and a status code. The status code may, for example, include an HTTP status code of 301 indicating that the requested resource”).
Gibbons, Lander, Schincariol and Salcedo are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons, Lander and Schincariol) without waiting for a response from a firewall (as taught by Salcedo). The motivation/suggestion would have been for deploying a security policy (Salcedo, [0002]).

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under .
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497