DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description: 104.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form 
The abstract of the disclosure is objected to because
The abstract is 159 words in length which exceeds the range of 50 to 150 words.  
Correction is required.  
The disclosure is objected to because of the following informalities:
In Paragraph [0014], Lines 2-4 “In some examples, the second computing device is configured to transmit an attribute-based control policy for the application to the second computing device” should read “In some examples, the second computing device is configured to transmit an attribute-based control policy for the application to the first computing device.”
In Paragraph [0038], Line 5 “110, 112, 114 110, 112, 114” should read “110, 112, 114”.
Appropriate correction is required.
Claim Objections
Claims 16, 18, 19 and 20 are objected to because of the following informalities:  
Claim 16 cannot depend on claim 5 as claim 5 recites the system of claim 1. For examination purpose examiner has interpreted claim 16 to be dependent on claim 15 which recites transmitting the attribute-based control policy to the second computing device.
Claim 18 cannot depend on claim 16 as claim 16 recites a method, not the non-transitory computer readable medium. For examination purpose examiner has interpreted claim 18 to be dependent on claim 17 which recites a non-transitory computer readable medium.

Claim 20 cannot depend on claim 18 as claim 18 recites the attribute-based control policy, not about transmitting the policy to the second computing device. For examination purpose examiner has interpreted claim 20 to be dependent on claim 17 which recites transmitting the attribute-based control policy for the application to the second computing device.
Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 4, 6, 7, 10, 11, 13, 15-18 and 20 are rejected under 35 U.S.C. 102 (a) (1) as being anticipated by Gershfield et al. (U.S. 6578029B2), hereinafter Gershfield. 
Regarding claim 1, Gershfield teaches a system comprising: 
a first computing device configured to: receive a request for data for an application for a user from a second computing device (Gershfield: Fig. 1, Col. 2 Lines 63-67, Col. 3 Lines 1-12 provide for computer 5 representing a first computing device and computers 18, 21 or 24 representing second computing device to request data for an application by accessing the first computing device. Fig. 3 Step 210 and Col. 11 Lines 41-48 provide for the user input representing the “request” for data for an application from the first computing device.); 

transmit the attribute-based control policy for the application to the second computing device in response to the request (Gershfield: Abstract, Col 2 Lines 19-23 provide for the attributes retrieval for the second device representing the control policy. Fig 3 Step 215, Col. 11 Lines 49-53 and Col. 12 Lines 1-65 provide for the transmission of the relevant attributes representing the “attribute-based control policy” in response to the request from the user).
Claim 10 recites the same limitations as claim 1 for a method and thereby is rejected under the same rationale.
Claim 17 recites the same limitations as claim 1 for a non-transitory computer readable medium and thereby is rejected under the same rationale.
Regarding claim 2, Gershfield further teaches the system of claim 1, wherein the attribute-based control policy comprises an application node identifying the application, and a plurality of feature nodes identifying features of the application (Gershfield: Abstract, Col. 1 Lines 19-28, Col. 2 Lines 6-14, 18-23, Col. 3 Lines 13-39 provide for the attribute-based control policy which comprises restricting access by certain users or classes of users to one or features of such application.)  
Claim 11 recites the same limitations as claim 2 for a method and thereby is rejected under the same rationale.

Regarding claim 4, Gershfield further teaches the system of claim 1, wherein the computing device is configured to identify the attribute-based control policy for the application from a plurality of attribute-based control policies based on an application identifier received in the request (Gershfield: Fig. 1, Col. 2 Lines 18-23, Col. 3 Lines 13-39 provide for identifying the attributes from a plurality of attributes from the database based on the application identifier coming from the second device).
Claim 13 recites the same limitations as claim 4 for a method and thereby is rejected under the same rationale.
Regarding claim 6, Gershfield further teaches the system of claim 1, wherein transmitting the attribute-based control policy to the second computing device causes the second computing device to configure the application based on the attribute-based control policy (Gershfield: Col. 2 Lines 18-23 provide for the second computing device to configure the application and run it based on the attributes from the first device).
Claim 15 recites the same limitations as claim 6 for a method and thereby is rejected under the same rationale.
Claim 20 recites the same limitations as claim 6 for a non-transitory computer readable medium and thereby is rejected under the same rationale.
Regarding claim 7, Gershfield teaches the system of claim 6, wherein transmitting the attribute-based control policy to the second computing device further causes the second computing device to obtain a plurality of user attributes for the user, and wherein configuring the application based on the attribute-based control policy comprises applying the plurality of user 
Claim 16 recites the same limitations as claim 7 for a method and thereby is rejected under the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 5, 12, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gershfield (U.S. 6578029B2) in view of Gu et al. (U.S. 10462184 B1), hereinafter Gu.
Regarding claim 3, Gershfield does not explicitly teach about linking one feature nodes of the plurality of feature nodes to a location node and the location node being linked to at least one role node.  However Gu teaches this limitation (Gu: Col 6 Lines 5-22 provides for the access control policy which may restrict access to content based on a variety factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content etc).
Gershfield and Gu are both considered to be analogous to the claimed invention because they are in the same field of defining control policies for user to access application features. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gershfield to incorporate the teachings of Gu and provide a location based feature linked to user role. Doing so would aid in incorporating 
Claim 12 recites the same limitations as claim 3 for a method and thereby is rejected under the same rationale.
Claim 19 recites the same limitations as claim 3 for a non-transitory computer readable medium and thereby is rejected under the same rationale.
Regarding claim 5, Gershfield does not explicitly teach about the attribute-based control policy comprising a location node identifying a location, and wherein the location node is linked to a feature node identifying a feature of the application. However Gu teaches this limitation (Gu: Col. 6 Lines 5-22 provides for the access control policy comprising various factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content etc).
Claim 14 recites the same limitations as claim 5 for a method and thereby is rejected under the same rationale.
Claims 8 is rejected under 35 U.S.C. 103 as being unpatentable over Gershfield (U.S. 6578029B2) and Gu (U.S. 10462184 B1), in view of Smith et al. (U.S. 10218711B2), hereinafter Smith.
Regarding claim 8, Gershfield and Gu do not teach about the second computing device to: obtain location data from a global positioning system (GPS); and determine a current location based on the location data, wherein applying the plurality of user attributes for the user to the attribute-based control policy comprises: determining that the current location matches at least one location identified by a location node of the attribute-based control policy. However Smith teaches this limitation (Smith: Col. 10 Lines 1-64 provide for determining a current location of 
Gershfield, Gu and Smith are all considered to be analogous to the claimed invention because they are in the same field of defining control policies for user to access application features. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gershfield and Gu to incorporate the teachings of Smith and provide a location based feature where the location of the user matches the location information from the attributes-based control policy. Doing so would aid in incorporating location based access control feature to the system and configuring the application to enable the feature, thereby increasing the protection of the application resources against malicious user access attempts from a different location.
Claims 9 is rejected under 35 U.S.C. 103 as being unpatentable over Gershfield (U.S. 6578029B2) and Gu (U.S. 10462184 B1), in view of Jasper et al. (U.S. 20210385190A1), hereinafter Jasper.
Regarding claim 9, Gershfield further teaches The system of claim 1, wherein the computing device is configured to display a webpage to receive user inputs to generate the attribute-based control policy for the application (Gershfield: Col. 11 Lines 10-17 provides for website home pages to control the access to the applications being run in a database environment), 
wherein the attribute-based control policy comprises an application node identifying the application, a feature node identifying a feature of the application and linked to the application node (Gershfield: Abstract, Col. 1 Lines 19-28, Col. 2 Lines 6-14, 18-23, Col. 3 Lines 13-39 
Gu further teaches the control policy comprising at least one of a role node identifying a role and a location node identifying a location linked to the feature node (Gu: Col. 6 Lines 5-22 provides for the access control policy comprising various factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content etc).
Gershfield and Gu do not teach about control policy comprising a facility node identifying a facility. However Jasper teaches this limitation (Jasper: [0116] provides for the identity and security policy data for the user that has been imported from systems, including the user’s role, designated facility etc.)
Gershfield, Gu and Jasper are all considered to be analogous to the claimed invention because they are in the same field of defining control policies for user to access application features. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gershfield and Gu to incorporate the teachings of Jasper and provide a facility node identifying a facility to the control policy, thereby increasing the protection of the application resources against malicious user access attempts from an unauthorized facility.

Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Koeda (U.S. 20060069915A1) teaches a method for restricting the use of an Application Program, system for authenticating the user of a measuring apparatus, authentication server, client apparatus and a storage medium.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 




/YASMIN JAHIR/            Examiner, Art Unit 2432                                                                                                                                                                                            
/SYED A ZAIDI/            Primary Examiner, Art Unit 2432