DETAILED ACTION

This communication is in response to Application No. 16/457,178 filed on 6/28/2019.  The amendment presented on 10/18/2021, which amends claims 1, 12, and 20, is hereby acknowledged. Claims 1-20 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
The Remarks presented on 10/18/2021, which present the computer readable storage medium comprising the memory section as a non-transitory computer readable storage medium (see, Specification [0085]), obviate the outstanding 35 USC 101 rejections, and they are hereby withdrawn.

Response to Arguments
Applicant’s arguments with respect to claims 1, 12, and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 9, 11-13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Blum et al. (hereinafter Blum)(US 2009/0217354) in view of Bengtson (US 2019/0349405), and further in view of Grube et al. (hereinafter Grube)(US 2014/0351891).
Regarding claims 1, 12, and 20, Blum teaches as follows:
A processing system of an access layer of an object storage system (portal applications 2 as used in one embodiment of the present invention implements the standard functionality such as security, authorization 13, authentication 11, aggregation 15, caching, user management, enrolment, rendering, and rewriter proxy functionality for granting access to access protected remote resources 3, see, paragraph [0031] and figure 4) comprises: at least one processor; a memory that stores operational instructions, that when executed by the at least one processor cause the processing system to: 
receive a first request message from a first requesting entity via a network, wherein the first request message includes a first pre-signed Uniform Resource Locator (URL)(the user's client activates the rewritten URL pointing to the access protected remote resource, see, paragraph [0050] and 450 in figure 5);  

generate first policy verification data by comparing (the same method for computing the authentication identifier as described above has to be repeated and the result is compared with authentication identifier contained in the rewritten URL.  If they match, the URL utility module reconstructs the complete original resource URL from the base part and the resource part, see, paragraph [0054] and 700 in figure 5); and 
execute a first access indicated in the first request message in response to the first policy verification data (it then provides the original URL to the rewriter proxy that grants access to the access protected remote resource, see, paragraph [0054] and 750 in figure 5).
Blum does not teach of comparing each attribute of the first set of attributes to a corresponding custom policy parameter of the first set of custom policy parameters to generate the verification data to execute the requested access.
Bengtson teaches as follows:
Upon receiving a metadata service request 115, the policy accessing module 111 may access the appropriate header policy (depending on which entity or which location, etc. the request was received from)(equivalent to applicant’s first set of custom policy parameters) and may implement the request verifier 113 of computer system 101 to verify that the request has the appropriate header information 110 (equivalent to applicant’s first set of attributes of the first request message). If the metadata service 
the header policy may indicate that specified header information is to be included in each metadata service request sent to a metadata service (see, paragraph [0013]).
Therefore, Bengtson teaches of executing the service request (equivalent to applicant’s requested access) by comparing the established header policy (including required specified header information) to the header information required in the service request.
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum with Bengtson to include the request verifier as taught by Bengtson in order to grant access to the protected remote resources by verifying that the access request has the appropriate header information.
	Blum in view of Bengtson does not teach of accessing a data object stored as a plurality of encoded data slices nor generating the plurality of encoded data slices using an information dispersal algorithm.
	Grube teaches as follows:
receives a retrieve data object message and continues with step 314 where the processing module requests retrieval of encoded data slices associated with the retrieve data object message. The method continues at step 316 where the processing module receives at least some encoded data slices of a set of encoded data slices of a plurality of sets of encoded data slices (see, paragraph [0178] and figures 7 and 20);
the DS processing unit 16 dispersed storage error encodes each data segment to produce a plurality of sets of encoded data slices 355 (e.g., a plurality of slice sets). The encoding may include utilizing unique dispersal parameters for each portion of the data. The dispersal parameters includes one or more of an information dispersal algorithm (IDA) width=n, a decode threshold number=k, and an encoding matrix (see, paragraph [0184]); and
the slicer 79 transforms the encoded data segment 94 into EC data slices in accordance with the slicing parameter from the vault for this user and/or data segment 90-92. For example, if the slicing parameter is X=16, then the slicer 79 slices each encoded data segment 94 into 16 encoded slices (see, paragraph [0089] and figure 4).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson with Grube to include accessing a data object stored as a plurality of encoded data slices and generating the plurality of encoded data slices using an information dispersal algorithm as taught by Grube in order to produce a plurality of sets of encoded data slices from each data segment.
Regarding claims 2 and 13, Blum in view of Bengtson teaches similar limitations as presented above.  Bengtson also teaches as follows:
Upon receiving a metadata service request 115, the policy accessing module 111 may access the appropriate header policy (depending on which entity or which location, etc. the request was received from)(equivalent to applicant’s first set of custom policy parameters) and may implement the request verifier 113 of computer system 101 to verify that the request has the appropriate header information 110 (equivalent to applicant’s first set of attributes of the first request message).  If the metadata service request 115 lacks a header 116 or does not include the proper header information 110, the request response module 114 may deny the request and may prevent the request from reaching the metadata service (equivalent to applicant’s transmitting an access denial response message)(see, paragraph [0031] and figure 1).
Therefore, they are rejected for similar reason as presented above.
Regarding claim 9, Blum teaches as follows:
Wherein the first pre-signed URL further indicates expiration data, and wherein the method further includes determining whether a timestamp associated with the first request message compares favorably to the expiration data, wherein the first access is executed in further response to determining the timestamp associated with the first request message compares favorably to the expiration data (if an incoming request is validated, the current timestamp is used for validation.  If the current system time has been progressing over the chosen period of a timestamp, the validation fails and the request is rejected.  This allows creating rewriter proxy URLs that are only valid for a particular timeframe (e.g., an hour or a day), see, paragraph [0064]).

The policy establishing module 108 of metadata proxy 107 may identify one or more portions of header information 110 (equivalent to applicant’s custom policy parameters) that are to be included when making metadata service requests. The header policy 109 may apply to specific nodes within a network, nodes from certain locations, nodes associated with certain users, nodes associated with certain organizations, or may apply to any nodes sending metadata service requests.  In some cases, the policy establishing module 108 may establish different header policies for different types of devices or for different times of day or for devices from certain locations or organizations, etc. Thus, administrators may have full control over when certain policies apply, or which policies are used when requests are received from certain devices or certain locations (see, paragraph [0030]).
	Therefore, different header policies are created based on different users.
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum with Bengtson to include creating different header policies based on each user as taught by Bengtson in order to efficiently control users from different locations and different device types.

Claims 3, 5, 6, 8, 14, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Blum et al. (hereinafter Blum)(US 2009/0217354) in view of Bengtson (US 2019/0349405) and Grube et al. (hereinafter Grube)(US 2014/0351891), and further in view of Blass et al. (hereinafter Blass)(US 2020/0327244).

Blass teaches as follows:
The process begins when a request to access data is received in a column and/or row of a database at 802.  The access manager component identifies a requesting IP address of the user device sending the request at 804.  The access manager component compares the requesting IP address with the set of allowed IP addresses for the data in the row and/or column of the table at 806. The access manager component determines if the requesting IP address matches an allowed IP address or an IP address within an allowed IP address range at 808. If yes, the access manager component identifies a type of access requested at 810.  The access manager component determines if the type of access is permitted based on the IP address of the user device sending the request at 812.  If yes, the system permits the requested access at 814 (see, paragraph [0064] and figure 8); and
the system can include a range of allowed IP addresses set to allow the data read.  Currently these types of restrictions are implemented at the network layer (see, paragraph [0095]).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson and Grube with Blass to include comparing the requesting IP address with the allowed IP address range as taught by Blass in order to efficiently control access at the network layer.
Regarding claims 5, 6, and 16, Blum teaches as follows:
In another alternative embodiment, access to protected remote resources 

be restricted or limited.  This requires an additional configuration module that enables an administrator to control which resources can be accessed.  Such a configuration can be based on, but is not limited to: (A) Pattern matching for the resource part (e.g., file extension patterns, file name convention based patterns).  (B) List of all resources (equivalent to applicant’s object requirement) that are or are not accessible by relative references (see, paragraph [0065]).
Blum does not explicitly teach the object identifier.
	But it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson, Grube, and Blass to include the object identifier in order to conveniently identify each resource by the unique identifier.
Regarding claims 8 and 18, Blum in view of Bengtson and Grube teaches all limitations as presented above except for the object type requirement.
Blass teaches as follows:
When a user attempts to access particular types of data, the system applies logic to determine whether row, table, or column of data allowed to be accessed by the user device's IP address (see, paragraph [0099]).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson and Grube with Blass to include identifying types of data as taught by Blass in order to efficiently control access by data type (object type).

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Blum et al. (hereinafter Blum)(US 2009/0217354) in view of Bengtson (US 2019/0349405), Grube et al. (hereinafter Grube)(US 2014/0351891), and Blass et al. (hereinafter Blass)(US 2020/0327244), and further in view of Amar et al. (hereinafter Amar)(US 2018/0109540).
Regarding claims 4 and 15, Blum in view of Bengtson, Grube, and Blass teaches all limitations as presented above except for the user-agent requirement.
Amar teaches as follows:
The parameters applied to the cryptographic signature function include access parameters 300 characterizing the request for content.  The access parameters may be obtained from or derived by analyzing the request from the user device that was received by the content server 120.  In this example, the user-agent, hostname, and network address of the client device may be used as access parameters to generate the token 340.  The user-agent describes the characteristics of the user-agent application executing on the client device, for example by specifying the type and version of application originating the request for content (see, paragraph [0025]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson, Grube, and Blass with Amar to include specifying the type and version of application originating the request as taught by Amar in order to efficiently control access by the well-known user-agent access parameter.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Blum et al. (hereinafter Blum)(US 2009/0217354) in view of Bengtson (US 2019/0349405), Grube et al. (hereinafter Grube)(US 2014/0351891), and Blass et al. (hereinafter Blass)(US 2020/0327244), and further in view of Figueroa et al. (hereinafter Figueroa)(US 2018/0146037).
Regarding claims 7 and 17, Blum in view of Bengtson, Grube, and Blass teaches all limitations as presented above except for the object name prefix requirement.
Figueroa teaches as follows:
A determination is made of a prefix for a container in the network storage associated with the logical entity.  The prefix is included in names of the data objects in the logical entity.  The prefix is added to a lock queue shared by the client systems having access to the data objects in the container at the network storage.  The data objects having the names including the prefix are transmitted to the network storage to store in the container in the network storage (see, paragraph [0005] and [0030] and figure 3).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson, Grube, and Blass with Figueroa to include adding a prefix on object names as taught by Figueroa in order to conveniently control access for multiple objects by the prefix.  

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Blum et al. (hereinafter Blum)(US 2009/0217354) in view of Bengtson (US .
Regarding claims 10 and 19, Blum teaches as follows:
In alternative embodiments, the base part and/or the authentication identifier can be encoded in any URL safe format (e.g., Base64) and/or compressed (see, paragraph [0061]).
Blum in view of Bengtson and Grube does not explicitly teach the well-known JSON blob.
Mansour teaches as follows:
Payload data 340A may be JSON data.  The collection of data to be sent by the application may be encoded into a JSON blob by the API/Application Layer (see, paragraph [0115]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Blum in view of Bengtson and Grube with Mansour to include encoding into the well-known JSON blob as taught by Mansour in order to efficiently transmit the JSON data.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597.  The examiner can normally be reached on Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/JEONG S PARK/Primary Examiner, Art Unit 2454
January 6, 2022