DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 12/29/2021.
In the instant Amendment, claims 1, 2, and 4-15 have been amended; claim 3 has been canceled; claims 1, 7 and 15 are independent claims. Claims 1, 2 and 4-15 have been examined and are pending. This Action is Final.

Response to Arguments
The objection to Claims 1, 7, and 15 has been maintained, as Applicant has neither addressed it nor amended the claims.
The rejection of Claim(s) 1-14 under 35 U.S.C. 101 is withdrawn, as the claims have been amended.
The rejection of Claim(s) 12-14 under 35 U.S.C. 112(b) is withdrawn, as Claim 12 has been amended.
Applicant’s arguments with respect to the rejection of Claim(s) 1-14 under 35 U.S.C. 102(a)(2) and 103 have been considered but are moot in view of the new ground(s) of rejection.

Claim Objections
Claims 1, 7 and 15 are objected to because of the following informalities:
Regarding Claims 1, 7 and 15: the claims recite “user’s identification information”. For better clarity, the examiner suggests removing the possessive “user’s” by further amending the limitation to “identification information of a user”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, and 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Ward et al. (US 2006/0248585 A1).

Regarding Claim 1;
Dayan discloses an information processing apparatus (FIG. 1) comprising: 
a hardware processor (FIG. 1) configured to: 
obtain first authority information indicating possession of authority over a server, the first authority information being associated with user's identification information, and second authority information indicating possession of authority over the server that is different from authority indicated by the first authority information ([0006] and [0039] - As disclosed herein, an identity may be a user account, machine account, application account, or any other type of account that can be established and associated with a particular user, machine, or application in a computer network... Identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and [0040] and [0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... 
In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0056]);
accept a request for the server ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106);
in a case where the request is executable with authority based on the first authority information identified by the identification information, add the first authority information to the ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206); I.E. As constructed the least-privileged security level needed for a given request (i.e., write, see [0056]); and
in a case where the request is not executable with authority based on the first authority information and is executable with authority based on the second authority information, add the second authority information to the request and send the request with the second authority information to the server ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206) I.E. As constructed the least-privileged security level needed for a given request (i.e., read, see [0056]).
Dayan fails to explicitly disclose the first authority information including a first token and the second authority information including a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token.
However, in an analogous art, Ward teaches the first authority information including a first token and the second authority information including a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token (Ward, [0046] - An access token is a collection of security identifiers and their associated privileges that define the access rights for a particular user. In the security context, integrity SID 303 announces the integrity level of its associated token, which in turn determines the level of access the token will be able to achieve as defined by the integrity policy. Each token may include multiple integrity SIDs. For example, there may be a separate user interface integrity SID for certain types of applications (e.g., accessibility applications) and Integrity levels may take any form and represent any designation. For example, the local computer system may be set at system integrity level, while administrator accounts may be set at a high integrity level. Normal user accounts may be set at medium integrity level, while all other users, such as "Guest" accounts, may be set at low integrity. Also, there may be an untrusted integrity level that includes anonymous users and all other tokens and [0052]-[0054] - First, there may be a low integrity level. The low integrity level may be assigned to subjects who cannot modify anything but content created at or below the low integrity level... Next, there may be a medium integrity level. The medium integrity level may be the default integrity level of non-privileged or non-Administrative users. Also, interactive user shell processes may be created at the medium integrity level. In addition, trusted application programs executed by non-administrative users may run in a process at the medium integrity level.
User data files created by processes running at the medium integrity level may be assigned medium integrity... Next, there may be a high integrity level. The high integrity level may be assigned to processes running as administrative or full authority, as long as they execute signed code, which also is installed at the high integrity level).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Ward to the authority information of Dayan to include the first authority information including a first token and the second authority information including a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token
(Ward, [0001]).

Regarding Claim 2;
Dayan in view of Ward discloses the apparatus to Claim 1.
Dayan further teaches ...the hardware processor adds the first authority information to the request and sends the request with the first authority information to the server ([0035] - In the disclosed embodiments, systems for implementing least-privilege access to and control of target network resources are described. In some embodiments, systems may implement least-privilege code execution on target network resources. Disclosed embodiments enable any identity, application, service, user, etc. to access and execute functions on a remote resource securely, with least-privileges (i.e., a minimal scope of needed privileges, and/or a minimal duration of privileges) and [0039] and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0064]).
Dayan in view of Ward does not explicitly disclose wherein, in a case where the request is executable with both authority based on the first authority information and authority based on the second authority information.
The examiner notes it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention from the teachings of Dayan to render obvious [0039] - identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and from [0055] – For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206; thus as reasonably constructed defined levels of least privilege could range from Level 1 – read, Level 2 – write, and as constructed Level 3 - read/write, to Level N root access, etc. thus having levels that can contain the features from a different level.
One would have been motivated by Dayan to propose such a combination as it enables access and certain functions without providing the remote resource with more privileges than necessary to complete its functions (Dayan, [0004]).

Regarding Claim 4;
Dayan in view of Ward and Dayan’s obviousness discloses the apparatus to Claim 1.
Dayan further teaches wherein, in a case where a restriction is individually set to authority based on the first authority information associated with the identification information ([0055] – least-privileged [0056]-[0057] – write and read), the hardware processor does not accept a request affected by the restriction even in a case where the request is executable with authority based on the second authority information ([0057] – full administrator privileges).

Claim(s) 5 and 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Ward et al. (US 2006/0248585 A1) and further in view of Uchikawa (US 2012/0260333 A1).

Regarding Claim 5;
Dayan in view of Ward discloses the apparatus to Claim 1.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Dayan in view of Ward fails to explicitly disclose wherein the hardware processor inquires of the whether, out of the obtained first authority information and second authority information, at least the second authority information is valid for the server.
However, in an analogous art, Uchikawa teaches wherein the hardware processor inquires of the [device] whether, out of the obtained first authority information and second authority information, at least the second authority information is valid for the [device] (Uchikawa, FIG. 11 and FIG. 14 and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Uchikawa to the apparatus and server of Dayan in view of Ward to include wherein the hardware processor inquires of the [device] whether, out of the obtained first authority information and second authority information, at least the second authority information is valid for the [device].
One would have been motivated to combine the teachings of Uchikawa to Dayan in view of Ward to do so as it provides / allows easily determine which user’s profile... an operation for executing a function is performed (Uchikawa, [0023]).

Regarding Claim 6;
Dayan in view of Ward and Uchikawa disclose the apparatus to Claim 5.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Uchikawa further teaches wherein the hardware processor inquires of the [device] before accepting the request, and, in accordance with a result of the inquiry, does not accept the request that is not executable with authority based on the second authority information (Uchikawa, FIG. 11 and FIG. 14 – User B Cannot execute this Function... and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).

Claims 7-9, 10 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1) and Ward et al. (US 2006/0248585 A1).

Regarding Claim 7;
Dayan discloses an information processing apparatus (FIG. 1) comprising: 
a hardware processor (FIG. 1) configured to: 
obtain user’s identification information ([0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106);
...a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority ([0006] and [0039] - As disclosed herein, an identity may be a user account, machine account, application account, or any other type of account that can be established and associated with a particular user, machine, or application in a computer network... Identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and [0040] and [0044] - In some embodiments, proxy server 106 may be configured to authenticate an identity associated with client device 104 before initiating and executing the second agent on target network resource 108 and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... 
In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0056]);
accept an operation performed by the user... ([0056] – write... read);
in a case where the selected service is a service usable based on the first authority, output an execution request for the service based on the first authority ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206); I.E. As constructed the least-privileged security level needed for a given request (i.e., write, see [0056]); and
in a case where the selected service is a service that is unusable based on the first authority and that is usable based on the second authority, output an execution request for the service based on the second authority ([0006] and [0046] - For example, as discussed below, proxy server 106 may be configured to identify a prompt from a requesting identity (e.g., from client device 104) for remote access to target network resource 106 and [0047] - Proxy server 106 may be further configured to retrieve, from secure storage 110, a second agent 114... In some embodiments, second agent 114 executes using a least-privilege credential or using least-privilege permissions, e.g., retrieved from a privilege database or credential vault, associated with the least-privilege requesting identity, e.g., an identity associated with client device 104 and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206) I.E. As constructed the least-privileged security level needed for a given request (i.e., read, see [0056]);
Dayan fails to explicitly disclose display, on a display device, a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on second authority over the server different from the first authority, the first authority represented by a first token and the second authority represented by a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token; accept an operation performed by the user to select a service.
However, in an analogous art, Agarwal teaches similar concepts of 
obtain user’s identification information (Agarwal, col. 3, lines 64-col. 4, lines 9 - In some examples, prior to requesting access to the computing resource, the user may first be required to log-on or connect to a computing service that provides the computing resource. In some cases, certain security information, such as a username, account, password and/or other identifiers, may be required in order to connect to the computing service. In some cases, the security information that is required to connect to the computing service may be referred to as service-level security information, while the security information that is required to access the computing resource may be referred to as resource-level security information);
(Agarwal FIG. 4 – Administrative Mode and Test Mode and FIG. 11 and col. 6, lines 24-34 and col. 10, lines - At operation 1116, a first instance of the resource-level security information is generated for accessing the computing resource. The first instance of the resource-level security information may be generated based, at least in part, on the request received at operation 1114. As set forth above, in some examples, the resource-level security information may include a password or other identifier. Also, in some examples, the first instance of the resource-level security information may include a particular value for the password or other identifier. The first instance of the resource-level security information may be for accessing the computing resource in, for example, an administrative mode and/or a test mode);
 accept an operation performed by the user to select a service (Agarwal FIG. 4);
in a case where the selected service is a service usable based on the first authority, output an execution request for the service based on the first authority; (Agarwal FIG. 4 and FIG. 11); and 
in a case where the selected service is a service that is unusable based on the first authority and that is usable based on the second authority, output an execution request for the service based on the second authority. (Agarwal FIG. 4 and FIG. 11).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Agarwal to the apparatus and server of Dayan to include display, on a display device, a service usable based on first authority over a server, the first authority being associated with the identification information, and a service usable based on 
One would have been motivated to combine the teachings of Agarwal to Dayan to do so as it provides / allows security information to assist in limiting access to the computing resources to authorized or other appropriate users (Agarwal, 2, lines 19-21). 
Further, in an analogous art, Ward teaches the first authority information including a first token and the second authority information including a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token (Ward, [0046] - An access token is a collection of security identifiers and their associated privileges that define the access rights for a particular user. In the security context, integrity SID 303 announces the integrity level of its associated token, which in turn determines the level of access the token will be able to achieve as defined by the integrity policy. Each token may include multiple integrity SIDs. For example, there may be a separate user interface integrity SID for certain types of applications (e.g., accessibility applications) and Integrity levels may take any form and represent any designation. For example, the local computer system may be set at system integrity level, while administrator accounts may be set at a high integrity level. Normal user accounts may be set at medium integrity level, while all other users, such as "Guest" accounts, may be set at low integrity. Also, there may be an untrusted integrity level that includes anonymous users and all other tokens and [0052]-[0054] - First, there may be a low integrity level. The low integrity level may be assigned to subjects who cannot modify anything but content created at or below the low integrity level... Next, there may be a medium integrity level. The medium integrity level may be the default integrity level of non-privileged or non-Administrative users. Also, interactive user shell processes may be created at the medium integrity level. In addition, trusted application programs executed by non-administrative users may run in a process at the medium integrity level.
User data files created by processes running at the medium integrity level may be assigned medium integrity... Next, there may be a high integrity level. The high integrity level may be assigned to processes running as administrative or full authority, as long as they execute signed code, which also is installed at the high integrity level).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Ward to the authority information of Dayan in view of Agarwal to include the first authority information including a first token and the second authority information including a second token, the second token having a range of authority that (a) encompasses a range of authority of the first token and (b) is wider than the range of authority of the first token.
One would have been motivated to combine the teachings of Ward to Dayan in view of Agarwal to do so as it provides / allows mandatory integrity control in a computing system environment (Ward, [0001]).

Regarding Claim 8;
Dayan in view of Agarwal and Ward disclose the apparatus to Claim 7.
Agarwal further teaches wherein the hardware processor displays, on the display device, a service usable based on the first authority and a service usable based on the second authority without distinction (Agarwal, FIG. 4).


Regarding Claim 9;
Dayan in view of Agarwal and Ward disclose the apparatus to Claim 8.
Dayan further teaches ... the hardware processor outputs an execution request for the service based on the first authority ([0035] - In the disclosed embodiments, systems for implementing least-privilege access to and control of target network resources are described. In some embodiments, systems may implement least-privilege code execution on target network resources. Disclosed embodiments enable any identity, application, service, user, etc. to access and execute functions on a remote resource securely, with least-privileges (i.e., a minimal scope of needed privileges, and/or a minimal duration of privileges) and [0039] and [0054] - First agent 210 may be further configured to control remote desktop client 212 to initiate second agent 216 on target network resource 206 and [0055] - The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206 and [0064]).
Dayan and Agarwal and Ward do not explicitly disclose wherein, in a case where the selected service is usable based on both the first authority and the second authority, the hardware processor outputs an execution request for the service based on the first authority.
The examiner notes it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention from the teachings of Dayan to render obvious wherein, in a case where the selected service is usable based on both the first authority and the second authority, the hardware processor outputs an execution request for the service based on the first authority as Dayan teaches from [0039] - identities may have varying levels of access rights associated with them, ranging from so-called "super-user" accounts with broad access rights (potentially root access privileges), administrator accounts with varying degrees of access rights, executive or VIP accounts with varying degrees of access rights, regular user accounts with generally narrower access rights, and guest or unknown accounts with even less access rights and from [0055] – For example, the least-privilege security policy may be managed by proxy server 204 or a separate security server, and may define levels of least-privilege access for purposes of identities seeking access to target network resource 206. The least-privilege security policy may, in some embodiments, define minimal levels of privileges (e.g., privileged credentials, privileged account types, privileged group memberships, etc.) needed to perform tasks on target network resource 206; thus, as reasonably constructed, defined levels of least privilege could range from Level 1 – read, Level 2 – write, and as constructed Level 3 - read/write, to Level N root access, etc., thus having levels that can contain the features from a different level.
One would have been motivated by Dayan to propose such a combination as it enables access and enables certain functions, without providing the remote resource with more privileges than necessary to complete its functions (Dayan, [0004]).

Regarding Claim 10;
Dayan in view of Agarwal and Ward disclose the apparatus of Claim 8.
Dayan further teaches wherein, in a case where an unusable service is individually set to the first authority associated with the identification information ([0055] – least-privileged [0056]-[0057] – write and read), the hardware processor does not accept selection of the service even in a case where the service is usable based on the second authority ([0057] – full administrator privileges).

Regarding Claim 15; claim 15 is directed to a medium associated with the apparatus claimed in claim 7. Claim 15 is similar in scope to claim 7, and is therefore rejected under similar rationale.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1) and Ward et al. (US 2006/0248585 A1) and further in view of Lloyd et al. (US 2017/0126689 A1).

Regarding Claim 11.
Dayan in view of Agarwal and Ward disclose the apparatus of Claim 10.
Dayan further teaches ... an unusable service individually set to the first authority even in a case where the service is usable based on the second authority ([0055] – least-privileged [0056]-[0057] – write and read)... ([0057] – full administrator privileges).
Agarwal further teaches wherein the processor [displays] on the display device, a... service ... set to the first authority [and] a service is usable based on the second authority (Agarwal, FIG. 5).
Dayan in view of Agarwal and Ward fail to explicitly disclose wherein the hardware processor does not display, on the display device, an unusable service individually set to the first authority....
However, in an analogous art, Lloyd teaches wherein the hardware processor does not display, on the display device, an unusable service individually set to the first authority... (Lloyd, [0168]).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Lloyd to the unusable service individually set to the first 
One would have been motivated to combine the teachings of Lloyd to Dayan in view of Agarwal and Ward to do so as it provides / allows independent control access to each of the interactive user components... (Lloyd, [0002]).

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan (US 2021/0136084 A1) in view of Agarwal et al. (US 10,783,235 B1) and Ward et al. (US 2006/0248585 A1) and further in view of Uchikawa (US 2012/0260333 A1).

Regarding Claim 12.
Dayan in view of Agarwal and Ward disclose the apparatus of Claim 7.
Dayan further discloses... the server (FIG. 2A- Target Network Resource and [0043]).
Dayan and Agarwal and Ward fail to explicitly disclose wherein, when the hardware processor obtains the identification information, the hardware processor inquires of the server, regarding at least the second authority, whether each service is usable.
However, in an analogous art, Uchikawa teaches wherein, when the hardware processor obtains the identification information, the hardware processor inquires of the [device], regarding at least the second authority, whether each service is usable. (Uchikawa, FIG. 11 – User Authority of User A, B, and Anonymous User and FIG. 14 and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Uchikawa to the apparatus and server of Dayan in view of Agarwal and Ward to include wherein, when the hardware processor obtains the identification information, the hardware processor inquires of the [device], regarding at least the second authority, whether each service is usable.
One would have been motivated to combine the teachings of Uchikawa to Dayan in view of Agarwal and Ward to do so as it provides / allows easily determine which user’s profile... an operation for executing a function is performed (Uchikawa, [0023]).

Regarding Claim 13.
Dayan in view of Agarwal and Ward and Uchikawa disclose the apparatus of Claim 12.
Uchikawa further teaches wherein the hardware processor does not accept selection of an unusable service on a basis of a result of the inquiry to the server (Uchikawa, FIG. 11 – User Authority of User A, B, and Anonymous User and FIG. 14 – User B Cannot execute this Function... and [0095]-[0096] – User Logs in as an anonymous user by selecting the OK button... and [0097] – Here, when the user logs in again as the user B by inputting the authentication information about the user B on the login screen 9070, the user session management 3010 changes the user profile 5001 to that of the user B as indicated by reference numeral 5021 in FIG. 10, and changes the user authority 5002 so that all of the items, each of which has been permitted to either of the anonymous user and the user B, are changed to be "permitted" as indicated by reference numeral 5022 in FIG. 10).

Regarding Claim 14.
Dayan in view of Agarwal and Ward and Uchikawa disclose the apparatus of Claim 12.
Agarwal further teaches wherein the hardware processor displays, on the display device, a service usable based on the first authority and a service usable based on the second authority on a basis of a result of the inquiry to the server (Agarwal, FIG. 5).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439