Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 02/02/2022; Claim 12 was cancelled; claim 13 has been amended; and Claims 1, 13, and 14 are independent claims.  Claims 1-11 and 13-19 have been examined and are pending.  This Action is made FINAL.

Drawings
The drawings were received on 02/02/2022.  These drawings are reviewed and accepted by the Examiner.
Response to Arguments
The objection to the claim 8 is withdrawn.
Claims 14-16 and 19 are interpreted under 35 U.S.C. 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph as reciting means-plus functions are maintained.
The rejections of claims 13 under 35 U.S.C. § 101 are withdrawn as the claims have been amended.
Applicants’ arguments in the instant amendment, filed on 02/02/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
a. Applicants argue: Oliveira and Srinivasan, either alone or in combination, do not teach or suggest determining “credentials for a security data zone based on determining, by the access manager module, whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application,” and determining “‘a second access token, generated based on the determined credentials, to the querying application, which uses a returned second access token to obtain access to data stored in the security data zone to be processed by the querying application,” as recited by independent claim 1 (Applicant Remarks/Arguments, pages 9-12, filed 02/02/2022).
         The Examiner disagrees with the Applicants. The Examiner respectfully submits that the combination of Oliveira and Srinivasan does disclose the aforementioned limitations as the following:
 Oliveira discloses determining, by an access manager module of the cloud platform, in response to a query received from a querying application of the cloud platform, credentials for a security data zone based on determining, by the access manager module (Oliveira: fig. 2, step 208, par. 0052, the user 130 transmits a request (202) to execute an application 116 [i.e. querying application].  The application 116 sends an authorization request (204) to the authorization manager 118 requesting access to personal data… In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user);
determining, by the access manager module of the cloud platform, a second access token, generated based on user input from user the determined credentials, to the querying application ,  which uses a returned second access token to obtain access to data stored in the security data zone to be processed by the querying application (Oliveira: abstract, par. 0003; determining, by the authorization manager and based on user input from a user, that access to the personal user data is to be granted, and in response: providing, by the authorization manager, an access token [i.e. 2nd access token]  to the application, receiving an access request from the application, the access request including the access token, and selectively providing the personal user data from a database container of the database system based on the access token, the database container being specific to the user.. receiving an access request from the application, the access request including the access token, and selectively providing the personal user data from a database container of the database system based on the access token [i.e. a second token], the database container being specific to the user; par. 0052, In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user). 
Srinivasan teaches determining whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application (Srinivasan: par. 0093, In certain embodiments, token relay system 102 provides a way for a user (e.g., an administrator) to register client applications that it trusts and to set the audiences/scopes that each application is entitled to.  This enables token relay system 102 to, when an access token [i.e. a first access token] request comes in from a particular client, to check the access token scope requested by that request with the scope registered for that client application…). 
Olivera does not explicitly disclose determines whether a first access token included the receive query belongs to an application registered at the access manager module, in or order to authorized the request. On the other hand, Srinivasan discloses determining an application querying access to a database is authenticated or not to allow access the database based on a first access token included in the received query.
It is clear that the combination of Oliveira and Srinivasan as a whole does teach the aforementioned limitations. 
b. Applicants argue: One of ordinary skill in the art would not combine Oliveira and Srinivasan to practice the limitations of independent claim 1. The two access tokens recited by independent claim 1 are determined for applications requesting access to data stored in the cloud platform (Applicant Remarks/Arguments, pages 9-13, filed 02/02/2022).

In response to applicant's argument that there is no suggestion to combine the references, the examiner recognizes that obviousness can only be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992).  In this case, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Srinivasan with the method and system of Oliveiria, to include “whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application.”  One would have been motivated to enable authenticating a user, so that a Cloud Gate permits access to protected resource, thus preventing unauthorized access to data (Srinivasan: abstract, 0007, 0042).
Applicants argue: Oliveira and Srinivasan, either alone or in combination, do not teach or suggest that the security data zone of the user includes “a logically separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform,” as recited by claim 9 (Applicant Remarks/Arguments, pages 13-14, filed 02/02/2022).
The Examiner respectfully disagrees with the Applicants as the following:

However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan for one of ordinary skill in the art (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093). Please, see more details about the paragraphs of Oliveira and Srinivsan in response to arguments above. 
Applicants argue: Independent claims 13 and 14 recite limitations consistent with those discussed above with respect to independent claim 1 and are allowable for consistent reasons. Claims 15-17 and 19 depend, directly or indirectly, from allowable independent claim 14 and are allowable for at least this reason.to disclose Remarks/Arguments, page 14, filed 02/02/2022).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that the dependent claims 15-17 and 19 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the claims 15-17 and 19.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/08/2022 is being considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


Claims 14-16 and 19 are interpreted under 35 U.S.C. 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph as reciting means-plus functions. 
Regarding claims 14-17 and 19, this application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “A system for providing access by an application to data stored in a security data zone of a cloud platform, the system comprising: an access manager module configured to: determine …” recited in claims 14-17 and 19.  Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1-10, 13, 14-16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over de Oliveira et al. (“Oliveira,” US 2017/0169249, published Jun. 15, 2017) in view of Srinivasan et al. (“Srinivasan,” US 2019/0103968, filed Sep. 27, 2018).
Regarding claim 1, Oliveira teaches a method for providing access by an application to data stored in a security data zone of a cloud platform, the method comprising: 
determining, by an access manager module of the cloud platform, in response to a query received from a querying application of the cloud platform, credentials for a security data zone based on determining, by the access manager module (Oliveira: fig. 2,  step 208, par. 0052, the user 130 transmits a request (202) to execute an application 116.  The application 116 sends an authorization request (204) to the authorization manager 118 requesting access to personal data… In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user) and
determining, by the access manager module of the cloud platform, a second access token, generated based on user input from user the determined credentials, to the querying application, which uses a returned second access token to obtain access to data stored in the security data zone to be processed by the querying application (Oliveira: abstract, pars. 0003, 0052, In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user).
Oliveira does not explicitly disclose “whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application.”
However, in an analogous art, Srinivasan teaches determining wherein whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application (Srinivasan: par. 0093, In certain embodiments, token relay system 102 provides a way for a user (e.g., an administrator) to register client applications that it trusts and to set the audiences/scopes that each application is entitled to.  This enables token relay system 102 to, when an access token request comes in from a particular client, to check the access token scope requested by that request with the scope registered for that client application…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Srinivasan with the method and system of Oliveiria, wherein whether a first access token included in the received query belongs to an application registered at the access manager module and whether a user specified in the received query is allowed to use the registered application to provide users with means for enabling authenticating a user, so that a Cloud Gate permits access to protected resource, thus preventing unauthorized access to data (Srinivasan: abstract, 0007, 0042).
Regarding claim 2, the combination of Oliveira and Srinivasan teaches the method of claim 1.  The combination of Oliveira and Srinivasan further discloses wherein the application is registered at the access manager module of the cloud platform for assignment of at least one first access token but does not explicitly disclose, comprising a manager access login name, a manager access password, or the manager access login name and the manager access password.
Although Oliveira and Srinivasan do not explicitly disclose the application is registered at the access manager module of the cloud platform for assignment of at least one first access token but does not explicitly disclose, comprising a manager access login name, a manager access password, or the manager access login name and the manager access password.
(Oliveira: abstract, pars. 0003, 00052; Srinivasan: par. 0093).	
Regarding claim 3 the combination of Oliveira and Srinivasan teaches the method of claim 1.   Although Oliveira and Srinivasan do not explicitly disclose further comprising notifying the access manager module of the cloud platform by a service provider module of a service provider of the respective application about a relationship between the service provider and user that allows the respective user to use the registered application of the service provider.
However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 4, the combination of Oliveira and Srinivasan teaches the method of claim 1.   Although Oliveira and Srinivasan do not explicitly disclose further comprising, wherein the query is transmitted by an application to the access manager module when the application is initiated on a user device of a user.
However, these additional features above are merely of design option the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 5, the combination of Oliveira and Srinivasan teaches the method of claim 1. Although Oliveira and Srinivasan do not explicitly disclose, wherein the credentials for the security data zone of the user comprise a user name, a password, or the user name and the password.
(Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 6, the combination of Oliveira and Srinivasan teaches the method of claim 1. Although Oliveira and Srinivasan do not explicitly disclose wherein the second access token is generated by an identity and access management unit of the cloud platform.
However, these additional features above are merely of design option the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 7, the combination of Oliveira and Srinivasan teaches the method of claim 1.  Although Oliveira and Srinivasan do not explicitly disclose wherein further comprising performing, by the querying application a read access, a write access, or the read access and the write access to data stored in the security data zone of the respective user using the returned second access token.
However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 8, the combination of Oliveira and Srinivasan teaches the method of claim 1.  Although Oliveira and Srinivasan do not explicitly disclose further comprising evaluating, manipulating or evaluating and manipulating of  the user, the evaluating, the manipulating, or the evaluating and the manipulating of the data of
However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 9, the combination of Oliveira and Srinivasan teaches the method of claim 1. Although Oliveira and Srinivasan do not explicitly disclose wherein the security data zone of the user comprises a logically separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform.
However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093,).
Regarding claim 10, the combination of Oliveira and Srinivasan teaches the method of claim 1. Although Oliveira and Srinivasan do not explicitly disclose wherein the generated unique second access token is valid for a predefined time period.
However, these additional features above are merely of design option of the combination of Oliveira and Srinivasan (Oliveira: abstract, pars. 0003, 0052; Srinivasan: par. 0093).
Regarding claim 13, claim 13 is directed to a system comprising: a processor (Oliveira: figs. 1, 4; pars. 0061, 0065) configured to provide access by and     application to data stored in a security data zone of a cloud platform; and a program memory Oliveira: figs. 1, 4, pars. 0061, 0065) storing a program code that, when executed 
Regarding claim 14, Oliveira teaches a system for providing access by an application to data stored in a security data zone of a cloud platform, the system comprising:
an access manager module configured to:
determine, in response to a query received from a querying application, credentials for a security data zone of a user when the access manager module (Oliveira: fig. 2, step 208, par. 0052, the user 130 transmits a request (202) to execute an application 116.  The application 116 sends an authorization request (204) to the authorization manager 118 requesting access to personal data… In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user); and 
return a second access token generated based on the retrieved credentials to the querying application that uses the returned second access token to obtain access to data stored in the security data zone of the respective user to be processed by the querying application (Oliveira: abstract, pars. 0003, 0052, In some examples, the user grants/denies the request to access the personal data.  For example, and in response to the authorization request, the user 130 can enter a credential (or credentials), which are sent (208) to the authorization manager 118.  The authorization manager 118 can check the authenticity of the credential(s) (e.g., compare the entered credential(s) to stored credential(s) of the user.
Oliveira does not explicitly disclose determines that a first access token included in the received query belongs to a registered application registered at the access manager module and that the user specified in the received query is allowed to use the registered application.
However, in an analogous art, Srinivasan teaches trusted token replay infrastructure, wherein determines that a first access token included in the received query belongs to a registered application registered at the access manager module” and that the user specified in the received query is allowed to use the registered application (Srinivasan: par. 0093, In certain embodiments, token relay system 102 provides a way for a user (e.g., an administrator) to register client applications that it trusts and to set the audiences/scopes that each application is entitled to.  This enables token relay system 102 to, when an access token request comes in from a particular client, to check the access token scope requested by that request with the scope registered for that client application…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Srinivasan with the method and system of Oliveira, wherein “determines that a first access token included in the received query belongs to a registered application registered at the access manager module” and “that the user specified in the received query is allowed to use the registered  to provide users with means for enabling authenticating a user, so that a Cloud te permits access to protected resource, thus preventing unauthorized access to data (Srinivasan: abstract, 0007, 0042).
Regarding claim 15, claim 15 is similar in scope to claims 2-3, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over de Oliveira et al. (“Oliveira,” US 2017/0169249, published Jun. 15, 2017) in view of Srinivasan et al. (“Srinivasan,” US 2019/0103968, filed Sep. 27, 2018), further in view of Huynh (Huynh,” US 10,397,207 filed Jul. 17, 2017).
Regarding claim 11, the combination of Oliveira and Srinivasan teaches the method of claim 1. The combination of Oliveira and Srinivasan wherein the credentials for the security data zone of the user but does not explicitly disclose undergo an automatic rotation.
However, in an analogous art, Huynh discloses Automatic credential rotation, wherein automatic credential rotation before each transmission or storage those credentials (Huynh: abstract, Credentials and other sensitive strings can undergo automatic rotation before each transmission or storage of those credentials: Col. 1, lines 61-65.).
(Huynh: abstract, Col. 1: lines 61-65: Col. 3, lines 64-67a).
Claims 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over de Oliveira et al. (“Oliveira,” US 2017/0169249, published Jun. 15, 2017) in view of Srinivasan et al. (“Srinivasan,” US 2019/0103968, filed Sep. 27, 2018), further in view of Dotchkoff et a. (“Dotchkoff,” US 2019/0123967, published Oct. 19, 2017).
Regarding claim 18, the combination of Oliveira and Srinivasan do not explicitly disclose the method of claim 8. Oliveira and Srinivasan do not explicitly disclose, wherein the data of the user is Internet of Things data of the user.
However, in an analogous art, Dotchkoff discloses IoT cloud to cloud architecture, wherein the data of the user is Internet of Things data of the user (Dotchkoff: par. 0037, Application back-end 313 refers to a device, or multiple devices such as a distributed system, that performs actions that enable data collection, storage, and/or actions to be taken based on the IoT data, including user access and control, data analysis, data display, control of data storage, automatic actions taken based on the IoT data, and/or the like).
Therefore, it would have been obvious to one of ordinary skill in the art  before the effective filing date of the claimed invention to combine the teaching of Dotchkoff with the method and system of Oliveira and Srinivasan, wherein the data of the user is (Dotchkoff: abstract, Col. 1, lines 26-38).
Regarding claim 19, claim 19 is similar in scope to claim 18, and is therefore rejected under similar rationale.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

February 15th, 2022


/JAHANGIR KABIR/Primary Examiner, Art Unit 2439