Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Claims 3-6, 10-13, and 17-20 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to nonelected species, there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 9/22/2021.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8 and 9 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed towards software per se. For example, claim 8 recites an “actions and permissions ownership (APO) device” and continues to define the APO device as comprising “logic” to perform respective method steps as outlined within claim 1. However said “logic” is not specifically limited as being directed to hardware-only, nor is the “device”. For example, page 14, lines 25-30 of Applicant’s Specification outlines that, “The APO device can be, for example, … a portion of a hardware server or computer system. The APO device can include a non-transitory computer readable medium (CRM, such as read-only memory (ROM), flash drive, or disk drive) …”, which includes non-limiting examples of hardware, and potentially software (“computer system”). In other words, the claimed “APO device” comprising multiple “logic” functions is not specifically limited to be hardware only, and thus may be directed to solely software.  The examiner recommends amending the “APO device” further to include well-known hardware recitations, such as circuitry, a central processing unit, memory, and/or a non-transitory computer readable medium in order to sufficiently overcome the rejection above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Adam” (US 2018/0255101) in view of “Borgia” (US 8181016).

Regarding Claim 1:
Adam teaches:
A method of actions and permissions ownership (APO) for managing access to data of an enterprise (Abstract) for a plurality of roles (Figure 4B details an Administrative Hierarchy outlining different roles within an enterprise; ¶0032, “ As used herein, the term “standard user” refers to users who need to use one or more applications to access enterprise resources from a client device but whom are at least partially limited or restricted in their administrative authority with respect to accessing the enterprise resources as well as developing and/or managing the security policy … In contrast to a standard user, as used herein, the term “administrative authority” refers to an entity (e.g. a person and/or third-party vendor of the enterprise) that has greater administrative rights than standard users and that can override and/or preempt certain actions of standard users with regard to developing and/or managing the security policy”) as controlled by a plurality of applications of the enterprise (¶0041, “… exemplary security policy data 130 may define application management settings 112 for the plurality of application modules 122 with respect to enterprise resources … the account manager 106 may be configured to communicate with the policy enforcement service 108 to enable the application management settings 112 to be varied across different user accounts … the account data 114 may indicate that the standard user 132 is not permitted to access enterprise resources via application C 112(C), the account data 114 may also indicate that some other user (e.g., another standard user or a network administrator 134) is not restricted in their use of application C 112(C)”; i.e., maintain application management settings for at least two roles (a standard user and a “For example, the application management settings 112 may permit application A 122(A) and application B 112(B) to access local data 124 that is tagged as enterprise data 124(E In contrast to a standard user, as used herein, the term “administrative authority” refers to an entity (e.g. a person and/or third-party vendor of the enterprise) that has greater administrative rights than standard users and that can override and/or preempt certain actions of standard users with regard to developing and/or managing the security policy”; ¶0015, “For illustrative purposes, consider a scenario where a security policy includes application management settings that by default expressly permit various applications of a productivity suite (e.g. a word processing application, an email application, a spreadsheet application, etc.) to access enterprise resources” i.e., accessing enterprise data via a word processing, spreadsheet, or email application, would necessitate the ability to read, write, edit, or create various access data), …, the method comprising: 
receiving, by an APO circuit (the system shown in Figure 3 outlines an “APO circuit”) from an owner of a first role of the plurality of roles (¶0013, “… a standard user …”), a request to modify the data access for the first role as controlled by a first application of the plurality of applications through a first action of the respective plurality of actions of the first application (¶0015, “Further consider that the security policy indicates that a media editing application should be added to the set of permitted applications if requested by the standard user …”; ¶0013, “… enabling a standard user to generate a custom security policy…”), wherein the request is further to modify the “Accordingly, the system may respond to the standard user attempting to open this file by exposing the security policy customization interface so that the standard user can add the media editing application to her particular set of permitted applications”; Figure 4A further outlines this process by detailing how the standard user is enabled to modify a policy controlling data access for their particular role to allow for a media application (the first application) to access and edit enterprise data); 
…
requesting, by the APO circuit …, an approval to modify the data access for the first role by the first action to the first permission level (¶0058, “In some embodiments, the policy customization notification 310 may prompt an administrative authority to perform policy adjudication, via the policy adjudication module 126, with respect to the custom security policy 308. For example, the network administrator 134 may be prompted to review and, ultimately, approve or deny the custom security policy 308”; ¶0060, “Alternatively, the network administrator 134 may designate a relatively lower level of trust to another standard user that is not high enough to enable this standard user to unilaterally deploy security policy customizations but that is high enough to permit this standard user to generate custom security policies that are subsequently transmitted to the policy adjudication module 126 for adjudication by the network administrator 134”; i.e., receive a request from the standard user to modify the custom security policy such the application can access enterprise data); 
“Once the custom security policy has been properly adjudicated, the outcome of the adjudication may be communicated via the updated security policy data 144 to instruct the policy enforcement service 108 whether or not to deploy the custom security policy 308”); 
in response to receiving the approval, updating, by the APO circuit, a non-transitory electronic role database to modify the first role to reflect the request (¶0058, “In some embodiments, the policy enforcement service 108 may be configured to refrain from deploying the custom security policy 308 until it has received updated security policy data 144 indicating that the custom security policy 308 has been adjudicated and approved by the network administrator 134”; Figure 3 details the updated security policy data 144 being received by client device 102, where it is stored ); and 
in response to receiving the rejection, notifying (¶0059, “Accordingly, in some embodiments the security policy customization manager 304 may be configured to prevent the standard user 132 from modifying the application management settings 112 by adding expressly denied applications onto the set of permitted applications”; i.e., notifying, by way of adding an application to a list of denied applications, the standard user that the first application is denied access to enterprise data), by the APO circuit, the first role owner of the rejection (¶0060, “ Alternatively, in the event of a denial, the policy enforcement service 108 may continue to deploy the default security policy 302”; ¶0103, “… wherein the security policy data further indicates a set of denied applications that the administrative authority has disapproved for accessing the enterprise resources from the managed account, and wherein the security policy customization interface is configured to prevent the standard user from modifying the application management settings to include individual applications from the set of denied applications”).
Adam does not explicitly disclose:
	… each action having a respective plurality of permission levels with which to restrict the data access by the action…
in response to receiving the request, looking up, by the APO circuit in a non-transitory electronic APO database, an owner of the first application; 
requesting, by the APO circuit from the first application owner, an approval to modify the data access for the first role by the first action to the first permission level;
receiving, by the APO circuit from the first application owner, the approval or a rejection to modify the data access for the first role; 
Borgia teaches:
	… each action (Figure 8D depicts multiple actions for a respective application, such as read or read/write) having a respective plurality of permission levels with which to restrict the data access by the action (Col. 1, lines 52-60, “… for approving and re-certifying (including renewing, or modifying, or canceling) a user's access rights to appropriate levels and parts of applications stored or existing in an institution's computer system (e.g., a large corporate computer system) based on reviewing in a configurable timeframe the user's functional roles”; i.e., the access rights define which actions can be performed on which appropriate levels and parts of an application, which the examiner interprets as “a plurality of permission levels” for each action designated to each user)…

requesting, by the APO circuit from the first application owner, an approval to modify the data access (Figure 2, step 203; Col. 4, lines 18-22, “There is a link in the message to the user’s re-certification profile which enables the reviewer to remove or add accessible applications…”) for the first role by the first action to the first permission level (Figure 2, step 205; Col. 4, lines 22-26, “For some application which requires its application owner to decide whether to allow the user to access this specific application 204, the re-certification system sends a message to the application owner for confirmation” & lines 30-35, “The re-certification system then reconfigure the user’s access rights profile, initiate the access, and notify the user the allowable applications 207. Thereafter, the user has the authority to access the assigned domain in the institution’s computer system 208”; i.e., request an approval from an application owner to modify the permission level to access the application for a first user role by an action, shown in Figure 8D as Read or Read/Write);
receiving, by the APO circuit from the first application owner, the approval or a rejection to modify the data access for the first role (Figure 2, step 206; Col. 4, lines 26-30, “If the application owner accepts this request, the user can access this specific application. If the application owner rejects the request, the user doesn’t have the access right for this application. The application owner sends his decision to the re-certification system 206”); 
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Adam’s security policy delegation system by enhancing Adam’s method of modifying an application policy to query an owner of the application for approval or denial of the modification, as taught by Borgia, in order to efficiently approve of changes to the application policy by utilizing designated reviewers.
	The motivation is to allow an owner of an application used within an enterprise setting to review any changes to a security policy that affects access rights of the application itself (Borgia, Col. 1, lines 52-61). This provides an opportunity for entities with expertise associated with the application to provide additional oversight on the changes, which assists in preventing unauthorized or undesirable policy changes that could negatively affect the enterprise.

Regarding Claims 8 and 15:
Claim 8 recites an actions and permissions ownership (APO) device and claim 15 recites a non-transitory computer-readable medium (CRM) which correspond to claim .

Allowable Subject Matter
Claims 2 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Additionally, claim 9 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 101, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  The prior art of record does not fairly teach or suggest, individually or in combination, the subject matter outlined in claims 2, 9, and 16 when further considered as a whole in combination with the subject matter of their respective independent claims. Thus, these claims are deemed allowable over the prior art of record.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491