DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.  This is in response to the communications filed on 04 November 2021.
2.  Claims 1-20 are pending in the application.
3.  Claims 1, 2, 4, 5, 9, 11, 13, 17 and 19 have been rejected.
4.  Claims 3, 6-8, 10, 12, 14-16, 18 and 20 have been objected to.
Information Disclosure Statement
5.  The examiner has considered the information disclosure statement (IDS) filed on 17 April 2020, 16 June 2020, 30 November 2020 and 04 November 2021.
Claim Objections
6.  Claim 19 is objected to because of the following informalities:  typographical error.  There are two consecutive “to” in the claim.  Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
7.  Claims 1, 2, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shulman et al US 2019/0007458 A1 (hereinafter Shulman) in view of Swift et al U.S. Patent No. 7,113,994 B1 (hereinafter Swift).
As to claim 1, Shulman discloses a method comprising: 
based on invocation of a first serverless function of a serverless application instantiated on a cloud infrastructure, runtime instrumentation of the first serverless function submitting a role request to an intermediary (i.e. requests for permissions from the serverless function) [0065]; 
the intermediary reading a set of one or more least privileges for the first serverless function, wherein the set of one or more least privileges were previously determined from analysis of program code of the serverless application (i.e. scanner identifying permissions) [0071]; 
the intermediary communicating with a service associated with the cloud infrastructure to create a first role with the set of one or more least privileges (i.e. defining the permissions) [0071]; 

Shulman does not teach the intermediary maintaining information to enforce expiration of the first role.  
Swift teaches the intermediary maintaining information to enforce expiration of the first role (i.e. enforcing by denying request from expired roles) [column 9, lines 42-53].  
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Shulman so that the intermediary would have maintained information to enforce expiration of the first role.  
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Shulman by the teaching of Swift because it helps control access to services in a network by means of user authentication [column 1, lines 6-9].
As to claim 2, Shulman teaches the method of claim 1 further comprising the runtime instrumentation executing the first serverless function instance with the assigned first role (i.e. executing the serverless function using each privileged role) [0033].
As to claim 11, Shulman discloses a non-transitory, machine-readable medium having program code stored thereon, the program code to: 

communicate with a service associated with a cloud infrastructure to create a first role with the set of privileges, wherein the instance of the instance of the first serverless function is deployed on the cloud infrastructure (i.e. defining the permissions) [0071]; 
communicate the first role to the instance of the first serverless function for runtime instrumentation of the first serverless function instance to execute the first serverless function instance with the first role (i.e. based on the reported roles) [0086].  
Shulman does not teach maintain information to enforce expiration of the first role.
Swift teaches maintain information to enforce expiration of the first role (i.e. enforcing by denying request from expired roles) [column 9, lines 42-53].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Shulman so that information would have been maintained to enforce expiration of the first role.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified 
As to claim 17, Shulman discloses an apparatus comprising: 
a processor [0109]; and 
a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to [0110], 
based on receipt of a role creation request for an instance of a first serverless function of a serverless application (i.e. requests for permissions from the serverless function) [0065], read a set of privileges indicated for the first serverless function, wherein the set of privileges were previously determined from analysis of the program code of the serverless application (i.e. scanner identifying permissions) [0071]; 
communicate with a service associated with a cloud infrastructure to create a first role with the set of privileges, wherein the instance of the instance of the first serverless function is deployed on the cloud infrastructure (i.e. defining the permissions) [0071]; 
communicate the first role to the instance of the first serverless function for runtime instrumentation of the first serverless function instance to execute the first serverless function instance with the first role (i.e. based on the reported roles) [0086].  
Shulman does not teach maintain information to enforce expiration of the first role.

Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Shulman so that information would have been maintained to enforce expiration of the first role.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Shulman by the teaching of Swift because it helps control access to services in a network by means of user authentication [column 1, lines 6-9].
8.  Claims 4, 13 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shulman et al US 2019/0007458 A1 (hereinafter Shulman) and Swift et al U.S. Patent No. 7,113,994 B1 (hereinafter Swift) as applied to claims 1, 11 and 17 above, and further in view of Robbins et al US 2021/0117558 A1 (hereinafter Robbins).
As to claim 4, the Shulman-Swift combination does not teach the method of claim 1 further comprising the intermediary expiring the first role based on determining that an expiration criterion is satisfied.  
Robbins teaches the intermediary expiring the first role based on determining that an expiration criterion is satisfied (i.e. criteria is when the privilege timer expires) [0053].  
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination so that the intermediary would have expired the first role based on determining that an expiration criterion was satisfied.  
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination by the teaching of Robbins because it helps provide non-privileged users administrator privileges [0002].
As to claim 13, the Shulman-Swift combination does not teach the machine-readable medium of claim 11, wherein the program code further comprises program code to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application.
Robbins teaches that the program code further comprises program code to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application (i.e. criteria is when the privilege timer expires) [0053].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination so that the program code further would have comprised program code to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination by the teaching of Robbins because it helps provide non-privileged users administrator privileges [0002].
As to claim 19, the Shulman-Swift combination does not teach the apparatus of claim 17, wherein the computer-readable medium further comprises instructions executable by the processor to cause the apparatus to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application.  
Robbins teaches that the computer-readable medium further comprises instructions executable by the processor to cause the apparatus to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application (i.e. criteria is when the privilege timer expires) [0053].  
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination so that the computer-readable medium further would have comprised instructions executable by the processor to cause the apparatus to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application.  
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination by the teaching of Robbins because it helps provide non-privileged users administrator privileges [0002].
9.  Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shulman et al US 2019/0007458 A1 (hereinafter Shulman) and Swift et al U.S. Patent No. 7,113,994 B1 (hereinafter Swift) as applied to claim 1 above, and further in view of Branson et al US 2019/0384912 A1 (hereinafter Branson).
As to claim 5, the Shulman-Swift combination does not teach the method of claim 1 further comprising determining least privileges for serverless functions of the serverless application based on at least one of static code analysis and behavior analysis of the serverless application prior to deployment of the serverless application to the cloud infrastructure.  
Branson teaches determining least privileges for serverless functions of the serverless application based on at least one of static code analysis and behavior analysis of the serverless application prior to deployment of the serverless application to the cloud infrastructure (i.e. using static analysis and run-time behavior) [0013].  
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination so that least privileges would have been determined for serverless functions of the serverless application based on at least one of static code analysis and behavior analysis of the serverless application prior to deployment of the serverless application to the cloud infrastructure.  
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination by the teaching of Branson because it helps prevent illegitimate users from deploying malicious applications [0004].
10.  Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shulman et al US 2019/0007458 A1 (hereinafter Shulman) and Swift et al U.S. Patent No. 7,113,994 B1 (hereinafter Swift) as applied to claim 1 above, and further in view of Hulick, JR. US 2020/0026865 A1 (hereinafter Hulick).
As to claim 9, the Shulman-Swift combination does not teach the method of claim 1, wherein the runtime instrumentation submits the role request after authenticating the first serverless function instance with the intermediary.  
Hulick teaches that the runtime instrumentation submits the role request after authenticating the first serverless function instance with the intermediary (i.e. runtime requests a particular permission) [0033].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination so that the runtime instrumentation would have submitted the role request after authenticating the first serverless function instance with the intermediary.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Shulman-Swift combination by the teaching of Hulick because it provides for a policy generation agent to automatically generate a security policy for an application and a specified custom security manager function [0008].
Allowable Subject Matter
11.  Claims 3, 6-8, 10, 12, 14-16, 18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As to claim 3, the prior art does not disclose, teach or fairly suggest the method of claim 1, wherein the runtime instrumentation submits the role request according to a default role defined for a plurality of instrumented serverless functions of the serverless application, wherein the default role limits the plurality of instrumented serverless functions to communicating with the intermediary.  
As to claim 6, the prior art does not disclose, teach or fairly suggest, based on detection of an access violation by the first serverless function instance, determining whether the first serverless function instance satisfies an expansion criterion.  The prior art does not disclose, teach or fairly suggest indicating an additional privilege for the first serverless function based on the access violation.  The prior art does not disclose, teach or fairly suggest creating a second role for the first serverless function with the set of one or more least privileges and the additional privilege.  
As to claim 8, the prior art does not disclose, teach or fairly suggest, based on detection of an evaluation trigger, for each of a plurality of serverless functions of the serverless application including the first serverless function, determining resources accessed by the serverless function instantiated on the cloud infrastructure.  The prior art does not disclose, teach or fairly suggest determining whether one or more of a set of privileges indicated as least privileges for the serverless function was not used based on the resources accessed.  The prior art does not disclose, teach or fairly suggest removing an unused privilege indicated as a least privilege for the serverless function.  
As to claim 10, the prior art does not disclose, teach or fairly suggest the method of claim 9, wherein the intermediary maintaining information to enforce expiration of the first role comprises binding the first role to authentication information of the first serverless function instance.  
As to claim 12, the prior art does not disclose, teach or fairly suggest the machine-readable medium of claim 11, wherein the program code further comprises program code to determine whether the first serverless function instance successfully authenticates prior to reading the set of privileges, wherein the program code to maintain information to enforce expiration of the first role comprises program code to bind the first serverless function instance to authentication information of the first serverless function instance.  
As to claim 14, the prior art does not disclose, teach or fairly suggest the machine-readable medium of claim 11, wherein the program code further comprises program code to modify privileges indicated as least privileges for serverless functions based on a determination of an under-permissive role or an over-permissive role.  
As to claim 18, the prior art does not disclose, teach or fairly suggest the apparatus of claim 17, wherein the computer-readable medium further comprises instructions executable by the processor to cause the apparatus to determine whether the first serverless function instance successfully authenticates prior to reading the set of privileges, wherein the instructions to maintain information to enforce expiration of the first role comprise instructions to bind the first serverless function instance to authentication information of the first serverless function instance.  
As to claim 20, the prior art does not disclose, teach or fairly suggest the apparatus of claim 17, wherein the computer-readable medium further comprises instructions executable by the processor to cause the apparatus to modify privileges indicated as least privileges for serverless functions based on a determination of an under-permissive role or an over-permissive role.  
Any claims not directly addressed are objected to by virtue of their dependency.
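The mechanism discussed in paragraphs 7 through 11 above (an intermediary that authenticates a serverless function instance, reads the least privileges pre-computed for that function, creates a role through the cloud's role service, binds the role to the instance's authentication information, enforces expiration, and prunes privileges that were never used) is easier to follow as code. The following Python model is an added illustration only; it is not code from the application or from Shulman, Swift, Robbins, Branson or Hulick. The class and method names, the in-memory IAM stub, the HMAC-based instance token, the fixed-lifetime expiration criterion and the sample privilege table are all constructed assumptions.

```python
"""Constructed model of a role-brokering intermediary for serverless functions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample: least privileges per function, as a pre-deployment
# static-analysis pass would have recorded them.
SAMPLE_LEAST_PRIVILEGES = {
    "order-writer": {"dynamodb:PutItem", "sqs:SendMessage"},
    "report-reader": {"s3:GetObject"},
}

# Default role for every instrumented function: it may only talk to the
# intermediary, so an instance holds no cloud privileges until a role is issued.
DEFAULT_ROLE_PRIVILEGES = {"intermediary:RequestRole"}

# Assumed expiration criterion: a fixed lifetime for each issued role.
ROLE_TTL_SECONDS = 300


class CloudIamStub:
    """Stand-in for the cloud provider's role-management service (hypothetical)."""

    def __init__(self):
        self.roles = {}  # role name -> set of privileges

    def create_role(self, name, privileges):
        self.roles[name] = set(privileges)
        return name

    def delete_role(self, name):
        self.roles.pop(name, None)


@dataclass
class RoleRecord:
    """Expiration information kept by the intermediary for one issued role."""
    role_name: str
    function_name: str
    auth_token: str   # the role is bound to the instance's authentication info
    expires_at: float


class Intermediary:
    def __init__(self, iam, secret, least_privileges, clock=time.time):
        self.iam = iam
        self.secret = secret
        self.least_privileges = {k: set(v) for k, v in least_privileges.items()}
        self.clock = clock          # injectable so expiry can be tested offline
        self.records = {}           # role name -> RoleRecord

    def issue_instance_token(self, function_name, instance_id):
        # Authentication material handed to an instance at start-up: an HMAC
        # over its identity, so only the intermediary can mint valid tokens.
        msg = f"{function_name}:{instance_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _authenticate(self, function_name, instance_id, token):
        expected = self.issue_instance_token(function_name, instance_id)
        return hmac.compare_digest(expected, token)

    def request_role(self, function_name, instance_id, token):
        # Authenticate first; privileges are read only for a verified instance.
        if not self._authenticate(function_name, instance_id, token):
            raise PermissionError("instance authentication failed")
        privileges = self.least_privileges.get(function_name)
        if privileges is None:
            raise LookupError(f"no least-privilege set recorded for {function_name}")
        role_name = f"{function_name}-{instance_id}-{secrets.token_hex(4)}"
        self.iam.create_role(role_name, privileges)
        self.records[role_name] = RoleRecord(
            role_name, function_name, token, self.clock() + ROLE_TTL_SECONDS)
        return role_name

    def is_role_valid(self, role_name, token):
        # Deny use of a role that is unknown, presented with the wrong
        # authentication info, or past its expiry (expired roles are torn down).
        rec = self.records.get(role_name)
        if rec is None or not hmac.compare_digest(rec.auth_token, token):
            return False
        if self.clock() >= rec.expires_at:
            self.expire_role(role_name)
            return False
        return True

    def expire_role(self, role_name):
        rec = self.records.pop(role_name, None)
        if rec is not None:
            self.iam.delete_role(role_name)

    def sweep_expired(self):
        # Periodic evaluation of the expiration criterion for all issued roles.
        now = self.clock()
        expired = [n for n, r in self.records.items() if now >= r.expires_at]
        for name in expired:
            self.expire_role(name)
        return expired

    def prune_unused(self, function_name, accessed_privileges):
        # Remove least privileges the function's instances never exercised;
        # returns the privileges that were dropped.
        current = self.least_privileges[function_name]
        unused = current - set(accessed_privileges)
        self.least_privileges[function_name] = current - unused
        return unused
```

Only the intermediary holds the HMAC secret, so a forged token fails before any privilege table is read, and every check on an issued role is tied to the token that requested it; a role name alone is never enough to keep using it after the lifetime elapses.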
Relevant Prior Art
12.  The following references have been considered relevant by the examiner:
A.  Watson et al US 2021/0326458 A1 directed to mediating permissions for applications on user devices using predictive models [abstract].
B.  Xu et al US 2020/0175152 A1 directed to execution of an application in an application-level sandbox [abstract].
C.  Simpson et al US 2020/0242237 A1 directed to executing a security operation for microservices/serverless function of a microservices-based/serverless application running on a physical infrastructure using a central security controller to execute the security operation for different microservices/serverless functions of the microservices-based/serverless application [abstract].
Conclusion
13.  Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARAVIND K MOORTHY whose telephone number is (571)272-3793. The examiner can normally be reached M-F 5:00-3:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ARAVIND K MOORTHY/            Primary Examiner, Art Unit 2492