Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detail Action
This office action is in response to application 16/906,755 filed on 06/19/2020. Claims 1-27 are pending in this communication.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/19/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Note
The examiner requests that the applicant’s representative provide a direct phone number and email address in the next communication, which will be very helpful in advancing the prosecution.
The examiner used figure, paragraph and line numbers from the instant application’s pre-grant publication or the PDF copy of the allowance. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be
Generally, text that is italicized is claim language; text that is in bold is a reference citation (with some obvious exceptions); text which is neither italicized nor bolded is the examiner’s.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b) or second paragraph:

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 14 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention. There is a lack of antecedent basis for this limitation in the claims.
Claim 14 recites the limitation “the Kubernetes cluster” in line 2. There is no antecedent basis for the limitation “Kubernetes cluster”.



Claim Rejections - 35 USC § 103
The following is a quotation of AIA 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 11-13, 15-18 and 21-27 are rejected under AIA 35 U.S.C. 103 as being unpatentable over DANNER; Tim L. et al., Pub. No.: US 2007/0157292 A1 in view of JANARTHANAM; Baskaran et al., Pub. No.: US 2017/0185640 A1 and further in view of VEPA; Sirish V. et al., Pat. No. US 10,878,079 B2.

Regarding Claim 1, DANNER discloses an apparatus, comprising:
a processing device; and a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device {Fig. 2 & [0035], “implemented as computer-executable instructions tangibly embodied on a computer-readable medium, such as local memory 210 or hard disk 232, that are run in conjunction with an operating system, such as a Unix operating system implemented as computer executable instructions executed by an instruction execution device, such as one or more of processors 202 and 204”}, cause the processing device to:
… a just in time (JIT) grant, the JIT grant defining a request for a user to be authorized to access a … [group of computing resource] according to a JIT policy {[0024], “Network system 100 may include various other entities, such as a reporting services console 116 that interfaces with database 104. Reporting services console 116 may be configured to perform auditing services on granted access permissions. … Operator objects may be dynamically added and removed from authentication directory 118 to provide for dynamic account enablement that allows for granting access requests on demand from operators in accordance with pre-defined conditional entitlements”};
determine if access to the … [group of computing resource]  by the user is authorized according to the JIT policy {[0024], “The dynamically enabled accounts may be enabled contingent on an access request conforming to an entitlement, and are thus enabled just in time to satisfy the access request”};
grant access to the user to the … [group of computing resource]  when access is authorized according to the JIT policy {[0027], “Change administrator server 102 may be configured to report various events, including, for example, configuration changes, entitlement grants, license issues, etc., to an event log or entity, such as reporting services console 116”}; and
DANNER, however, does not explicitly disclose
… cluster … [of computing resource] …
receive a notification from an application programming interface (API) of creation of … send a notification to the API that access by the user to the … [group of computing resource]  is granted.
In an analogous reference JANARTHANAM discloses
receive a notification from an application programming interface (API) of creation of … send a notification to the API that access by the user to the … [group of computing resource] is granted {Fig. 3 & [0059], “the transmission module 350 is configured to transmit the generated event notifications to at least one Web service 370. In some example embodiments, the transmission module 350 is configured to transmit the generated event notifications to at least one API 375.” … [0061], “the API 370 is configured to automatically generate and transmit the request in response to receiving the event notification. For example the API 370 can received the event notification, automatically generate a request based on OData key(s) included in the received event notification, and automatically transmit the generated request to the retrieval module 360”}.
In another analogous reference VEPA discloses
… cluster … [of computing resource] {col. 31 lines 5-9, “A distributed data grid is a system in which a collection of computer servers work together in one or more clusters to manage information and related operations, such as computations, within a distributed or clustered environment”} …
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify DANNER’s technique of ‘just-in-time, i.e. on-demand, computing resource access permissions for users’ for ‘computing event change notifications to motivation is - Just-in-Time (JIT) access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis. This helps to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit. The JIT technique also optimizes computing resource utilization and saves money for an enterprise.
All references are inventions in an analogous area, but each invention teaches a specific claimed limitation specifically, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined they teach the claimed invention. The examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.

Regarding Claim 2, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
instructions to subscribe to the notification of creation of the JIT grant prior with the API prior to receiving the notification of creation of the JIT grant {VEPA: Fig. 6 & col. A, “The events in queue 628 are processed by event subscribers 630 such as audit, user notification, application subscriptions, data analytics, etc. Depending on the task indicated by an event, event subscribers 630 may communicate with, for example, audit schema 624, a user notification service 634, an identity event subscriber 632, etc. … col. B, “IDCS infrastructure libraries 680b include data manager APIs 682b, event APIs 684b, storage APIs 686b, authentication APIs 688b, authorization APIs 690b, cookie APIs 692b, keys APIs 694b, and credentials APIs 696b”}.

Regarding Claim 3, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
wherein instructions to grant access to the user to the cluster comprises instructions to create a role binding for the user, create a service account for the user, and create a role for the user {VEPA: ABS., “The system evaluates the access token request by computing dynamic roles and corresponding dynamic scopes.” … col. C, “embodiments include a two-step process. For the first step, the user is provided a token (as illustrated in FIG. 13). When the user requests a token, the user may not know what resources they want to access, but the user's role is known and, based on the known role, embodiments can determine access to certain scopes. An API (i.e., PEP API 1360 of FIG. 13) computes the scopes available to the user. For the second step, embodiments determine if the current user is allowed to perform the requested operation (as illustrated in FIG. 14). In general, the answer is based on the subject, resource and action. However, sometimes it is necessary to determine what is in the payload or query the backend”}.

Regarding Claim 4, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
wherein instructions to grant access to the user to the cluster comprises instructions to create a cluster role binding for the user, create a service account for the user, and create a cluster role for the user {VEPA: col. 40 lines 47-57, “FIG. 16A illustrates functionality for computing a dynamic role-scope (i.e., a combination of dynamic roles and dynamic scopes) token. In general, for an embodiment using the dynamic role functionality of FIG. 16A (as opposed to static roles), conditions are evaluated at runtime, and a role policy is used to determine if privileges should be assigned for the IDCS-Oracle tenancy or for one of the other tenancies. Multiple copies of policies are not required to be stored. Instead, the dynamic role policies are encoded in the access token”}.

Regarding Claim 5, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
wherein the JIT grant defines a specific period of time for authorized access by the user to the cluster, and comprising instructions to authorize access by the user to the cluster when the specified period of time has not expired {DANNER: Fig. 5 & [0052], “The range start and range end values of respective fields 530f and 530g indicate the access permission defined by record 520c is to be active beginning at a time of 20:00 through a time of 05:00. Fields 530h and 530i indicate the entitlement defined by record 520c is activated on May 1, 2006 and is set to expire on Dec. 2, 2006”}.

Regarding Claim 6, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claims 5 & 1. The combination further discloses
instructions to revoke access by the user to the cluster when the specified period of time is expired and send a notification to the API that the user is no longer authorized to access the cluster and that the access is revoked {DANNER: [0028], “granting and revoking permissions to an operator may be made based on an entitlement schedule thereby reducing errors while maintaining tight privilege controls”}.

Regarding Claim 7, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claims 6, 5 & 1. The combination further discloses
wherein instructions to revoke access to the user comprise instructions to delete a role binding for the user, delete a service account for the user, and delete a role for the user {DANNER: Fig. 10 & [0073], “the modify command executed on authentication directory 118 may null or otherwise delete the operator's user account password. A modify command may then be generated to disable the operator's user account at step 1010, and the modify command may then be executed, at step 1012, on authentication directory 118 thereby disabling the operator's user account. The account disablement routine may then exit according to step 1014”. Examiner’s note: as cited in the previous claim rejection, the role creation is dynamic, based on instructions for dynamic role management, and the instruction ends by exiting the deletion function}.

Regarding Claim 8, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
receive a notification from the API of deletion of the JIT grant; revoke access by the user to the cluster {DANNER: [0045], “Authorization application 458 may then evaluate the result set and determine whether to grant or deny access to the operator, and a suitable notification may be generated and conveyed.” … [0073], “A modify command may then be generated to disable the operator's user account at step 1010, and the modify command may then be executed, at step 1012, on authentication directory 118 thereby disabling the operator's user account. The account disablement routine may then exit according to step 1014”};
send a notification to the API that the user is no longer authorized to access the cluster and that access is revoked {DANNER: [0045], “Authorization application 458 may then evaluate the result set and determine whether to grant or deny access to the operator, and a suitable notification may be generated and conveyed”}.

Regarding claim 11, claim 11 is a claim to a method using the apparatus of claim 1. Therefore, claim 11 is rejected for the reasons set forth for claim 1.

Regarding claim 12, claim 12 depends from claim 11 and is a claim to a method using the apparatus of claim 2. Therefore, claim 12 is rejected for the reasons set forth for claim 2.

Regarding claim 13, claim 13 depends from claim 11 and is a claim to a method using the apparatus of claim 3. Therefore, claim 13 is rejected for the reasons set forth for claim 3.

Regarding claim 15, claim 15 depends from claim 11 and is a claim to a method using the apparatus of claim 5. Therefore, claim 15 is rejected for the reasons set forth for claim 5.

Regarding claim 16, claim 16 depends from claims 15 & 11 and is a claim to a method using the apparatus of claim 6. Therefore, claim 16 is rejected for the reasons set forth for claim 6.

Regarding claim 17, claim 17 depends from claims 16, 15 & 11 and is a claim to a method using the apparatus of claim 7. Therefore, claim 17 is rejected for the reasons set forth for claim 7.

Regarding claim 18, claim 18 depends from claim 11 and is a claim to a method using the apparatus of claim 8. Therefore, claim 18 is rejected for the reasons set forth for claim 8.

Regarding claim 21, claim 21 is a claim to a non-transitory machine-readable medium using the apparatus of claim 1. Therefore, claim 21 is rejected for the reasons set forth for claim 1.

Regarding claim 22, claim 22 depends from claim 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 2. Therefore, claim 22 is

Regarding claim 23, claim 23 depends from claim 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 3. Therefore, claim 23 is rejected for the reasons set forth for claim 3.

Regarding claim 24, claim 24 depends from claim 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 5. Therefore, claim 24 is rejected for the reasons set forth for claim 5.

Regarding claim 25, claim 25 depends from claims 24 & 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 6. Therefore, claim 25 is rejected for the reasons set forth for claim 6.

Regarding claim 26, claim 26 depends from claims 25, 24 & 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 7. Therefore, claim 26 is rejected for the reasons set forth for claim 7.

Regarding claim 27, claim 27 depends from claim 21 and is a claim to a non-transitory machine-readable medium using the apparatus of claim 8. Therefore, claim 27 is rejected for the reasons set forth for claim 8.

Claim 14 is rejected under AIA 35 U.S.C. 103 as being unpatentable over DANNER; Tim L. et al., Pub. No.: US 2007/0157292 A1 in view of JANARTHANAM; Baskaran et al., Pub. No.: US 2017/0185640 A1 and further in view of VEPA; Sirish V. et al., Pat. No. US 10,878,079 B2 and LEVIN; Liron et al., Pub. No.: US 2020/0213320 A1.

Regarding Claim 14, DANNER as modified by JANARTHANAM and further modified by VEPA discloses all the features of claim 1. The combination further discloses
wherein granting access to the user to the … cluster comprises creating a cluster role binding for the user, creating a service account for the user, and creating a cluster role for the user {VEPA: col. 40 lines 47-57, “FIG. 16A illustrates functionality for computing a dynamic role-scope (i.e., a combination of dynamic roles and dynamic scopes) token. In general, for an embodiment using the dynamic role functionality of FIG. 16A (as opposed to static roles), conditions are evaluated at runtime, and a role policy is used to determine if privileges should be assigned for the IDCS-Oracle tenancy or for one of the other tenancies. Multiple copies of policies are not required to be stored. Instead, the dynamic role policies are encoded in the access token”}.
However, the combination does not explicitly disclose
… Kubernetes cluster …
In an analogous reference LEVIN discloses
… Kubernetes cluster {[0025], “The cloud assets 110 are associated with respective metadata indicating identifying or configuration information such as, but not limited to, an identifier … for a Kubernetes cluster, a host region, a current software version, a combination thereof, and the like. Each of the cloud assets 110 may be configured to require authenticating credentials (e.g., username and password) before granting access. Different cloud assets 110 may require different sets of credentials”} …
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to further modify DANNER’s technique, as modified by JANARTHANAM and VEPA, of ‘just-in-time, i.e. on-demand, computing resource access permissions for users’ for ‘using a Kubernetes cluster for a set of nodes’ by LEVIN, in order to containerize applications across a set of nodes. The motivation is - a Kubernetes cluster is a set of nodes that run containerized applications. Containerizing an application packages the app with its dependencies and some necessary services. Kubernetes clusters allow containers to run across multiple machines and environments: virtual, physical, cloud-based, and on-premises.

Allowable subject matter
Claims 9 and 10 will be allowable if written in independent form with base apparatus claim 1, and claims 19 and 20 will be allowable if written in independent form with base method claim 11. For allowability, the independent non-transitory machine-readable medium claim 21 is required to be of the same scope, with limitations equivalent to those of claims 9 and 10, as proposed for amended apparatus claim 1. The dependent claims which further limit independent claims 1, 11 and 21 are also allowable by virtue of their dependency.
Reasons for allowance: what is missing from the prior art is: … sending a JIT computing resource access permission message with the following five elements: (a) a name of the JIT grant, (b) a namespace, (c) a name of the user, (d) a specified period of time, and (e) a role.
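As an added illustration (not code from the application or from any of the cited references), the following Python sketch models the claimed JIT flow for a Kubernetes namespace as discussed for claims 1-8 above and for the five grant elements listed here: a grant carrying those elements is checked against a JIT policy, the ServiceAccount, Role and RoleBinding of claim 3 are created while it is valid, and they are deleted and the API notified when the grant is deleted or its period expires (claims 6-8). The policy shape, the object names, and the notification message format are assumptions of this example, and the scenario data in demo() is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class JitGrant:
    name: str        # (a) name of the JIT grant
    namespace: str   # (b) namespace the access applies to
    user: str        # (c) name of the user
    minutes: int     # (d) specified period of time, in minutes
    role: str        # (e) role to bind for that period
# Assumed JIT policy: which roles may be granted in which namespace, and for at most how long.
JIT_POLICY = {"max_minutes": 120, "allowed": {"payments": {"view", "edit"}, "dev": {"admin"}}}

def authorized(grant, policy=JIT_POLICY):
    """Is the requested access permitted by the JIT policy (claim 1)?"""
    return (0 < grant.minutes <= policy["max_minutes"]
            and grant.role in policy["allowed"].get(grant.namespace, set()))

def rbac_objects(grant):
    """The three objects created to grant access (claim 3), in creation order."""
    sa, ns = f"jit-{grant.user}", grant.namespace
    return [{"kind": "ServiceAccount", "metadata": {"name": sa, "namespace": ns}},
            {"kind": "Role", "metadata": {"name": grant.role, "namespace": ns}},
            {"kind": "RoleBinding", "metadata": {"name": grant.name, "namespace": ns},
             "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}],
             "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": grant.role}}]

class JitReconciler:
    def __init__(self):
        self.live = {}      # grant name -> (grant, expiry, created objects)
        self.api_log = []   # notifications "sent to the API" (assumed message format)

    def on_grant_created(self, grant, now):
        """Notification of creation: check the policy, create RBAC objects, notify (claim 1)."""
        if grant.name in self.live or not authorized(grant):
            self.api_log.append(f"{grant.name}: denied by JIT policy")
            return False
        expiry = now + timedelta(minutes=grant.minutes)
        self.live[grant.name] = (grant, expiry, rbac_objects(grant))
        self.api_log.append(f"{grant.name}: {grant.user} granted {grant.role} until {expiry.isoformat()}")
        return True

    def revoke(self, name, reason):
        """Delete RoleBinding, ServiceAccount and Role, then notify the API (claims 6-8)."""
        grant, _, objs = self.live.pop(name)
        self.api_log.append(f"{name}: access for {grant.user} revoked ({reason})")
        return list(reversed(objs))   # binding first, so the role is never left bound to a lingering account

    def on_grant_deleted(self, name):   # notification of deletion of the JIT grant (claim 8)
        return self.revoke(name, "grant deleted") if name in self.live else []

    def tick(self, now):   # revoke every grant whose specified period has expired (claim 6)
        expired = [n for n, (_, exp, _) in self.live.items() if now >= exp]
        for n in expired:
            self.revoke(n, "period expired")
        return expired

def demo():
    """Constructed scenario: one valid grant that later expires, one that the policy rejects."""
    r = JitReconciler()
    t0 = datetime(2020, 6, 19, 9, 0, tzinfo=timezone.utc)
    ok = r.on_grant_created(JitGrant("jit-42", "payments", "alice", 30, "edit"), t0)
    bad = r.on_grant_created(JitGrant("jit-43", "payments", "bob", 30, "admin"), t0)
    kinds = [o["kind"] for o in r.live["jit-42"][2]]
    early, expired = r.tick(t0 + timedelta(minutes=29)), r.tick(t0 + timedelta(minutes=30))
    return {"ok": ok, "bad": bad, "kinds": kinds, "early": early, "expired": expired,
            "live": len(r.live), "log": r.api_log}
```

In a real controller the manifests returned by rbac_objects would be applied to the cluster and the expiry would be driven by a periodic resync rather than a hand-supplied clock.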

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI whose telephone number is (571) 270-1034. The examiner can normally be reached on M-F 8:30AM-5:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel, can be reached on 571-272-3972. The fax phone number assigned to Examiner Farooqui is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/QUAZI FAROOQUI/
Primary Examiner, Art Unit 2491