Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 11/15/2021; Claims 7 and 15-20 were cancelled; Claims 1-3, 5-6, 8, 11, 21, 23, and 25 have been amended; and claims 1, 23, and 25 are independent claims.  Claims 1-6, 8-14, and 21-25 have been examined and are pending.  This Action is made FINAL.
Response to Arguments
The objection to claims 2 and 7 is withdrawn as claim 2 has been amended and claim 7 has been canceled.
The rejections of claims 23-24 under 35 U.S.C. § 101 are withdrawn as the claims have been amended.
The rejection of claims 1, 4, 11, and 21 under 35 U.S.C. § 112 second paragraph is withdrawn as the claims have been amended.
The Electronic Terminal Disclaimer was filed on 11/15/2021.
Applicants’ arguments in the instant Amendment, filed on 11/15/2021 with respect to limitations listed below, have been fully considered but they are not persuasive.
“encrypting that at least one access permission” and “transmitting, from the permissions management resource to one or more of the plurality of subject devices indirectly via a data processing device remote from the plurality of subject device, a communication comprising the encrypted at least one access permission to enable each of the one or more subject devices to perform an operation specified in the at least one access permission, wherein the data processing device is unable to decrypt the encrypted at least one access permission.” (Remarks/Arguments, pages 11-13).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Sundaresan does disclose a portion of the aforementioned limitations, as follows:
Sundaresan discloses transmitting, from the permissions management resource to one or more of the plurality of subject devices indirectly via a data processing device remote from the plurality of subject device (Sundaresan: pars. 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action …; fig. 1, pars. 0027-0028, 0035-0036; server computing device 125 A-B, devices 135A-C [i.e. subject devices], computing devices 105 include portable devices [i.e. a data processing device]), a communication comprising the at least one access permission to enable each of the one or more subject devices to perform an operation specified in the at least one access permission, wherein the data processing device is unable to decrypt the encrypted at least one access permission (Sundaresan: pars. 0061, 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action; fig. 1, pars. 0035-0036; computing devices 105 include portable devices).
Applicants’ arguments regarding “encrypting the at least one access permission” and “a communication comprising the encrypted at least one access permission to enable each of the one or more subject devices” have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 5-6, and 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (“Sundaresan,” US 2016/0112240, filed Oct. 15, 2014) in view of Matsuyama et al. (“Matsuyama,” US 2002/0010861, published Jan. 24, 2002).
Regarding claim 1, Sundaresan teaches a method of creating, at a permissions management resource, access permissions for a plurality of subject devices, the method comprising:
obtaining, at the permissions management resource, input data to cause the permissions management resource to generate at least one access permission (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; fig. 1);
generating, at the permissions management resource, the at least one access permission in response to the input data (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; fig. 1);
transmitting, from the permissions management resource to one or more of the plurality of subject devices indirectly via a data processing device remote from the plurality of subject device (Sundaresan: pars. 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action …; fig. 1, pars. 0027-0028, 0035-0036; server computing devices 125A-B, devices 135A-C, computing devices 105 include portable devices), a communication comprising the at least one access permission to enable each of the one or more subject devices to perform an operation specified in the at least one access permission, wherein the data processing device is unable to decrypt the encrypted at least one access permission (Sundaresan: pars. 0061, 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action; fig. 1, pars. 0035-0036; computing devices 105 include portable devices).
Sundaresan discloses generating, at the permissions management resource, the at least one access permission, transmitting, from the permissions management resource to one or more of the plurality of subject devices, a communication comprising the at least one access permission to enable each of the one or more subject devices but does not 
However, in an analogous art, Matsuyama discloses encrypting the at least one access permission and a communication comprising the encrypted at least one access permission to enable each of the one or more subject devices (Matsuyama: par. 0051, encrypting the access permission and sending the encrypted access permission to the entity).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Matsuyama with the method and system of Sundaresan, encrypting the at least one access permission and transmitting a communication comprising the encrypted at least one access permission to enable each of the one or more subject devices, in order to provide users with means for eliminating the necessity of requiring individual service providers to independently control the accesses made by the user devices (Matsuyama: abstract).
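The arrangement recited in claim 1 and read against the Sundaresan/Matsuyama combination above is, in security terms, a permission object encrypted at the permissions management resource, forwarded by an intermediary data processing device that holds no key, and decrypted only at the subject device. The following Go program is an added illustration of that arrangement; it is not code from this Office Action, from the Applicants, or from either reference. It assumes a symmetric key pre-provisioned to each subject device (AES-256-GCM), and the permission field names, the device identifier "device-135A" and the sample permission values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// AccessPermission stands in for the "at least one access permission" generated
// at the permissions management resource. Field names are constructed for this
// example; the Office Action does not define a wire format.
type AccessPermission struct {
	SubjectDevice string `json:"subject_device"`
	Operation     string `json:"operation"`
	ExpiresAt     int64  `json:"expires_at"`
}

// Envelope is the "communication" the intermediary data processing device handles.
// Destination stays in the clear so the intermediary can route the envelope; the
// permission itself is present only as AES-GCM ciphertext.
type Envelope struct {
	Destination string
	Nonce       []byte
	Ciphertext  []byte
}

// newDeviceKey models a 256-bit key provisioned to one subject device and held by
// the permissions management resource (assumption: pre-shared symmetric key).
func newDeviceKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPermission runs at the permissions management resource: it serialises the
// permission and encrypts it under the subject device's key. The destination id is
// bound as associated data, so the intermediary cannot silently re-address it.
func sealPermission(key []byte, p AccessPermission) (Envelope, error) {
	plaintext, err := json.Marshal(p)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(p.SubjectDevice))
	return Envelope{Destination: p.SubjectDevice, Nonce: nonce, Ciphertext: ct}, nil
}

// relay models the remote data processing device: it forwards the envelope
// unchanged and holds no key, so it has nothing with which to decrypt.
func relay(env Envelope) Envelope { return env }

// openPermission runs on the subject device. A wrong key, modified ciphertext or a
// changed Destination makes GCM authentication fail, and no operation is performed.
func openPermission(key []byte, deviceID string, env Envelope) (AccessPermission, error) {
	if env.Destination != deviceID {
		return AccessPermission{}, errors.New("envelope is not addressed to this device")
	}
	aead, err := newGCM(key)
	if err != nil {
		return AccessPermission{}, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Destination))
	if err != nil {
		return AccessPermission{}, fmt.Errorf("permission rejected: %w", err)
	}
	var p AccessPermission
	if err := json.Unmarshal(pt, &p); err != nil {
		return AccessPermission{}, err
	}
	return p, nil
}

func main() {
	key := newDeviceKey() // provisioned to the constructed subject device id below
	perm := AccessPermission{SubjectDevice: "device-135A", Operation: "read:temperature", ExpiresAt: 1700000000}
	env, err := sealPermission(key, perm)
	if err != nil {
		panic(err)
	}
	forwarded := relay(env)
	fmt.Printf("intermediary sees destination=%s and %d opaque bytes\n", forwarded.Destination, len(forwarded.Ciphertext))
	got, err := openPermission(key, "device-135A", forwarded)
	fmt.Printf("subject device decrypted: %+v (err=%v)\n", got, err)
	_, err = openPermission(newDeviceKey(), "device-135A", forwarded) // intermediary guessing a key
	fmt.Println("without the device key:", err)
}
```

The point the example makes for a reviewer of such a claim is that "unable to decrypt" is a property of key distribution, not of the transport: the intermediary routes on the cleartext Destination, and because that field is authenticated as associated data, re-addressing or altering the envelope is detected at the subject device rather than acted on.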
Regarding claim 2, the combination of Sundaresan and Matsuyama teaches the method according to claim 1. Sundaresan further discloses wherein the input data comprises: a rule/policy defined by an authorized party (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices); a device attribute of the at least one data processing device (Sundaresan: par. 0036, The remote control application 105A-C is programed to run on various operating sys ...); a device attribute of the subject device, and/or contextual information (Sundaresan: par. 0019).
Regarding claim 5, the combination of Sundaresan and Matsuyama teaches the method according to claim 1. Sundaresan further teaches wherein generating the at least one access permission in response to the input data comprises: automatically generating the at least one access permission at the permissions management resource (Sundaresan: par. 0016, a user may configure a rule that will cause a second network-connected device to perform an action responsive to an event on a first network-connected device.  The event and the action may be detected and performed automatically, whether or not the user is logged into any of the devices or to a service that provides the rules engine; pars. 0066-0067; fig. 1). 
Regarding claim 6, the combination of Sundaresan and Matsuyama teaches the method according to claim 5. Sundaresan further teaches transmitting, from the permissions management resource, a permission proposal communication to an authorized party, wherein the permission proposal communication comprises data relating to the automatically created at least one access permission (Sundaresan: par. 0016, a user may configure a rule that will cause a second network-connected device to perform an action responsive to an event on a first network-connected device.  The event and the action may be detected and performed automatically, whether or not the user is logged into any of the devices or to a service that provides the rules engine; pars. 0066-0067; fig. 1). 
Regarding claim 22, the combination of Sundaresan and Matsuyama teaches the method according to claim 1.  Sundaresan further discloses comprising:
receiving, at the permissions management resource, further input data (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; fig. 1);
generating, at the permissions management resource, at least one further access permission in response to the further input data (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; fig. 1); and
transmitting, from the permissions management resource to one or more of the plurality of subject devices or the further data processing device (Sundaresan: pars. 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action …; fig. 1), a communication comprising the at least one further access permission to enable each of the one or more subject devices or the further data processing device to perform an operation specified in the at least one further access permission (Sundaresan: pars. 0061, 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action; fig. 1).
Regarding claim 23, Sundaresan discloses a permissions management resource for creating access permissions for a plurality of subject devices, the permissions management resource comprising:
computing hardware including at least one processor and memory operably coupled to the at least one processor (Sundaresan: figs. 1, 9, par. 0089);
instructions that, when executed on the computing hardware, cause the computing hardware to implement:
(Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; fig. 1); and
an identity management engine configured to manage the access permissions generated at the permission creation engine (Sundaresan: pars. 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action …; fig. 1) and to communicate the access permission to one or more of the plurality of subject devices via a data processing device remote from the plurality of subject devices to enable each of the one or more subject devices to perform an operation specified in the at least one access permission (Sundaresan: pars. 0061, 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action; fig. 1, pars. 0027-0028, 0035-0036).
Sundaresan discloses generating access permissions based on input data to cause the permissions management resource to generate at least one access permission, and to communicate the access permissions to one or more of the plurality of subject devices via a data processing device remote from the plurality of subject devices to enable each of the one or more subject devices but does not explicitly disclose encrypting access 
However, in an analogous art, Matsuyama discloses encrypting access permissions and communicating the encrypted access permissions to one or more of the plurality of subject devices (Matsuyama: par. 0051, encrypting the access permission and sending the encrypted access permission to the entity).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Matsuyama with the method and system of Sundaresan, encrypting access permissions and communicating the encrypted access permissions to one or more of the plurality of subject devices, in order to provide users with means for eliminating the necessity of requiring individual service providers to independently control the accesses made by the user devices (Matsuyama: abstract).
Regarding claim 24, the combination of Sundaresan and Matsuyama teaches the method according to claim 23. Sundaresan further discloses wherein the permission creation engine is configured to automatically generate the permissions based on the input data (Sundaresan: par. 0016, a user may configure a rule that will cause a second network-connected device to perform an action responsive to an event on a first network-connected device.  The event and the action may be detected and performed automatically, whether or not the user is logged into any of the devices or to a service that provides the rules engine; pars. 0066-0067; fig. 1).
Regarding claim 25, the combination of Sundaresan and Matsuyama teaches a first data processing device for setting permissions at a permissions management resource (Sundaresan: fig. 1, par. 0027);
the data processing device to:
receive, from a second data processing device, a request to access a subject device (Sundaresan: fig. 1; par. 0027, Status updates received from the embedded systems 150A-C may identify values or states of some or all detectable parameters of devices 135A-C that the embedded systems are included in…Such values, states and other information of the embedded systems 150A-C may change based on environmental conditions of the embedded systems.  By maintaining or periodically establishing sessions with the embedded systems 150A-C, the WAN accessible services 130 may maintain up-to-date information on the devices 135A-C);
transmit, to the permissions management resource, input data to cause the permissions management resource (Sundaresan: fig. 1, pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210) to generate at least one access permission for the subject device in response to the input data (Sundaresan: pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210);
receive, from the permissions management resource, a communication comprising at least one access permission (Sundaresan: fig. 1, pars. 0053-0054, a user enters read privileges but not write privileges to some devices; par. 0058, once a rule has been generated, rules creator 250 stores the rule in data store 210; pars. 0027-0028, 0035-0036);
transmit, to the subject device, the at least one access permission to enable the subject device to perform an operation specified in the at least one access permission (Sundaresan: pars. 0061, 0066-0067, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action; fig. 1, pars. 0027-0028, 0035-0036).
Sundaresan discloses receiving, from the permissions management resource, a communication comprising at least one access permission and transmitting, to the subject device, the at least one access permission but does not explicitly disclose encrypting the at least one access permission and transmitting, to the subject device, the encrypted at least one access permission.
However, in an analogous art, Matsuyama discloses encrypting the at least one access permission and transmitting, to the subject device, the encrypted at least one access permission (Matsuyama: par. 0051, encrypting the access permission and sending the encrypted access permission to the entity).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Matsuyama with the method and system of Sundaresan, wherein encrypting the at least one access permission and transmitting, to the subject device, the encrypted at least one access permission to provide users with means for eliminating necessity of requiring individual (Matsuyama: abstract).
Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (“Sundaresan,” US 2016/0112240, filed Oct. 15, 2014) in view of Matsuyama et al. (“Matsuyama,” US 2002/0010861, published Jan. 24, 2002), further in view of Elibol et al. (“Elibol,” US 2016/0187961, filed Dec. 18, 2008).
Regarding claim 3, the combination of Sundaresan and Matsuyama discloses the method according to claim 1.  Sundaresan discloses the input data relating to the subject device.  Sundaresan does not explicitly disclose that the input data comprises classification data.
However, in an analogous art, Elibol discloses wherein the input data comprises classification data (Elibol: par. 0035, an analog frontend (AFE) circuit that is adjusted based on features calculation and/or classification of input features).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Elibol with the method and system of Sundaresan and Matsuyama, wherein the input data comprises classification data to provide users with means for dynamically adjusting to interface with the sensor based on the determined operating state, and hence improves operation while minimizing power consumption (Elibol: pars. 0020-21).
Regarding claim 4, the combination of Sundaresan, Matsuyama, and Elibol discloses the method according to claim 3. Sundaresan further discloses the method further comprising: 
(Sundaresan: par. 0044,  Additionally, rule applicator 225 may generate commands that will cause web services to perform actions.  Actions may be performed on a single device or a group of devices.  An action may be the generation of a report, such as a report detailing water usage or energy consumption for the month.  Other examples of actions include changing a setting of a device, enabling or disabling a device or function, and so on);
transmitting the communication comprising the request to a remote directory service (Sundaresan: par. 0044, Additionally, rule applicator 225 may generate commands that will cause web services to perform actions.  Actions may be performed on a single device or a group of devices.  An action may be the generation of a report, such as a report detailing water usage or energy consumption for the month.  Other examples of actions include changing a setting of a device, enabling or disabling a device or function, and so on);
receiving, at the permissions management resource from the remote directory service, the device attribute associated with the group (Sundaresan: par. 0044, Additionally, rule applicator 225 may generate commands that will cause web services to perform actions.  Actions may be performed on a single device or a group of devices.  An action may be the generation of a report, such as a report detailing water usage or energy consumption for the month.  Other examples of actions include changing a setting of a device, enabling or disabling a device or function, and so on).

Claims 8-13 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (“Sundaresan,” US 2016/0112240, filed Oct. 15, 2014) in view of Matsuyama et al. (“Matsuyama,” US 2002/0010861, published Jan. 24, 2002), further in view of Akehurst et al. (“Akehurst,” US 2013/0254535, published Sep. 26, 2013).
Regarding claim 8, the combination of Sundaresan and Matsuyama discloses the method according to claim 1.  Sundaresan does not explicitly disclose wherein the access permission further comprises a credential associated with the at least one data processing device. 
However, in an analogous art, Akehurst discloses wherein the access permission further comprises a credential associated with the at least one data processing device (Akehurst: par. 0002, A public key certificate is one type of digital certificate that serves as electronic credentials which bind the identity of the certificate owner to a pair of digital keys (public and private)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Akehurst with the method and system of Sundaresan and Matsuyama, wherein the access permission further comprises a credential associated with the at least one data processing device to provide users with means for forming a basis of secure communication and authentication over the Internet or other networks (Akehurst: par. 0002).
Regarding claim 9, the combination of Sundaresan, Matsuyama, and Akehurst teaches the method according to claim 8.  The combination of Sundaresan, Matsuyama, and Akehurst further discloses wherein the credential associated with the data processing device comprises a first cryptographic key, wherein the first cryptographic key is associated with the at least one data processing device (Sundaresan: pars. 0014-0015; Akehurst: par. 0002, pair of digital keys (public and private)).
Regarding claim 10, the combination of Sundaresan, Matsuyama, and Akehurst teaches the method according to claim 9.  The combination of Sundaresan, Matsuyama, and Akehurst further discloses wherein the first cryptographic key comprises a public key of the at least one data processing device (Sundaresan: pars. 0014-0015; Akehurst: par. 0002, pair of digital keys (public and private)).
Regarding claim 11, the combination of Sundaresan, Matsuyama, and Akehurst teaches the method according to claim 10.  The combination of Sundaresan, Matsuyama, and Akehurst further discloses, wherein the at least one access permission comprises a certificate, wherein the certificate comprises a credential associated with an authorized party (Sundaresan: pars.  0053-0054; Akehurst: par. 0002).
Regarding claim 12, the combination of Sundaresan and Akehurst teaches the method according to claim 11. The combination of Sundaresan and Akehurst further discloses wherein the credential associated with the authorized party comprises a second cryptographic key, wherein the second cryptographic key is associated with the authorized party (Sundaresan: pars. 0014-0015; Akehurst: par. 0002, pair of digital keys (public and private)).
Regarding claim 13, the combination of Sundaresan and Akehurst teaches the method according to claim 12.  The combination of Sundaresan and Akehurst further discloses wherein the second cryptographic key comprises a private key of the authorized party (Sundaresan: pars. 0014-0015; Akehurst: par. 0002, pair of digital keys (public and private)).
Claims 14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (“Sundaresan,” US 2016/0112240, filed Oct. 15, 2014) in view of Matsuyama et al. (“Matsuyama,” US 2002/0010861, published Jan. 24, 2002), further in view of Matthieu et al. (“Matthieu,” US 9,094,407, filed Nov. 21, 2014).
Regarding claim 14, the combination of Sundaresan and Matsuyama discloses the method according to claim 1. Sundaresan does not explicitly disclose:
generating, at the permissions management resource, a blacklist of permissions; and
transmitting, from the permissions management resource, a communication comprising the blacklist of permissions to the subject device.
However, in an analogous art, Matthieu discloses:
generating, at the permissions management resource, a blacklist of permissions (Matthieu: Col. 1, lines 23-63); and
transmitting, from the permissions management resource, a communication comprising the blacklist of permissions to the subject device (Matthieu: Col. 1,  lines 23-63; The devices may include Internet of Things (IoT) devices that are manufactured by different manufacturers, and that are not designed to natively communicate with one another.  The messaging system allows the devices to communicate despite not sharing common application programming interfaces or connection protocols.  Devices may be assigned a unique identifier (e.g., a universally unique identifier (UUID)) and a token. …A UUID registered or other connected with the messaging system network may have whitelist and blacklist arrays of other UUIDs that have permission or non-permission to cover the UUID, message with the UUID, message with the UUID, subscribe to UUID, configure the UUID, or other permission with the respect the UUID.)
(Matthieu: Col. 1,  lines 23-26).
Regarding claim 21, the combination of Sundaresan and Matsuyama discloses the method according to claim 1.  Sundaresan further discloses transmitting the access permission via the data processing device as recited above but does not explicitly disclose transmitting the blacklist of permissions to the subject device.
However, in an analogous art, Matthieu discloses transmitting a blacklist of permissions to the subject device (Matthieu: Col. 1, lines 23-63; The devices may include Internet of Things (IoT) devices that are manufactured by different manufacturers, and that are not designed to natively communicate with one another.  The messaging system allows the devices to communicate despite not sharing common application programming interfaces or connection protocols.  Devices may be assigned a unique identifier (e.g., a universally unique identifier (UUID)) and a token. …A UUID registered or other connected with the messaging system network may have whitelist and blacklist arrays of other UUIDs that have permission or non-permission to cover the UUID, message with the UUID, message with the UUID, subscribe to UUID, configure the UUID, or other permission with the respect the UUID.).
(Matthieu: Col. 1,  lines 23-26).

Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached Monday to Friday, 6:00 AM to 3:30 PM, with every other Friday off.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

February 2nd, 2022 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439