Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on February 07, 2022 has been entered.

Response to Arguments
Response to applicant’s argument under 35 USC 103 
A. Independent Claim 1
In the applicant’s response, the applicant asserts that subject matter is not disclosed or described by the cited art of record. For example, amended claim 1 recites, in part, "providing, by the web server, access to the storage resource according to a schedule in a time zone of the authenticated requestor to satisfy the request based at least in part on fulfillment of the request being allowable." In contrast, and as discussed during the Interview, the cited portions of Furuya appear to disclose "[providing] a temporary access right." See Furuya, at [0043]. Based on this, Applicant submits that Furuya does not disclose "providing... access to the storage resource according to a schedule in a time zone of the authenticated requestor."

The examiner disagrees with the applicant’s argument regarding independent claim 1 for the following reasons. First, because of the amended features, the limitations of current independent claim 1 have a different boundary and scope from the previously rejected claim 1. In addition, the currently amended features were not present in the interview agenda for discussion. Furthermore, the applicant’s argument is silent on the primary and secondary prior art references (Smith and Mankovskii), while the rejections are based on the combination of Smith in view of Mankovskii in further view of Furuya. The applicant's argument is presented against the references individually, selectively attacking a single reference (Furuya), where the rejection is based on a combination of references (Smith in view of Mankovskii in further view of Furuya).
During examination, the examiner gave the claim terms and language their BRI, consistent with the applicant’s disclosure, as they would be interpreted by one of ordinary skill in the art, in order to construe the boundary and scope of the claimed limitations. Accordingly, the examiner gave the following BRI to "a schedule in a time zone of the authenticated requestor": [Applicant’s Disclosure: ¶ 0060] The context validation plugin retrieves 804 a current date and time using a network time service or system clock. At block 806, the context validation plugin determines the identity of the requester that submitted the request, and queries personnel management systems to determine the customary working hours of the requester. In some implementations, the customary working hours of the requester are determined by determining the geographical location of the requester, determining the time zone for the location of the requester, and assuming a customary working schedule such as 9 AM to 5 PM local time.
derive the time of day associated with the location of the computing device by acquiring time of day information from a time zone converter application that outputs a current time of day given a location).
Mankovskii, further discloses in (¶0047: The contextual information is stored and an identification of the deviation is outputted in response to detecting the deviation, the contextual information tagged or indexed with an identification of the request for access (e.g., identified using a unique access request number or a time stamp for when the access request was received). ¶0051 : an access control application may acquire contextual information associated with an access request by extracting the contextual information from a message header transmitted from a computing device. The access control application may derive the time of day associated with the location of the computing device by acquiring time of day information from a time zone converter application that outputs a current time of day given a location. ¶0060: The baseline set of rules may be updated to include a new web browser from which an access request has occurred or to include a new time of day during which an access request has occurred; the baseline set of rules may be updated only if an intrusion or attack to an access control system or application 
Therefore, with regard to claim 1, the applicant’s argument is not persuasive and the limitations are disclosed by Mankovskii as discussed above.

B. Independent Claims 6 and 14 
Applicant’s arguments, filed on February 07, 2022, with respect to claims 6 and 14 have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, a new ground of rejection is made of Smith et al. in view of Mahaffey et al.

For at least the above reasons, the applicant’s arguments are not persuasive to overcome the prior art of record and place the independent claims, including their corresponding dependent claims, in condition for allowance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US. Pub. No.: 2015/0135258) in view of Mankovskii (US Pub. No.: 20160112397) in further view of Furuya (US. Pub. No.: US 20060190989 A1).

As per claim 1:
Smith discloses a computer-implemented method comprising:
authorizing, at a web server, a request for access to a storage resource received by a requestor, where the requestor is an authenticated requestor (0012: user identification and/or authentication, device identification and/or authentication, seeking access to a resource; 0018: resource requestor);
as a result of determining that the request is authorized, determining whether one or more conditions are applicable to the request (0025: determine applicable criterion of context to access the requested resource);
performing an operation to determine whether fulfillment of the request is allowable, where the operation includes determining whether information from the one or more conditions satisfies a set of context-based rules (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, 
determining that fulfillment of the request is allowable as a result of the one or more conditions satisfying the set of context-based rules (0030: provisioning of context-aware access credentials may be performed on-demand; 0034; 0043: context-aware authorization policy for the requested resource); and
providing, by the web server, access to the storage resource to satisfy the request based at least in part on fulfillment of the request being allowable (0034; 0043; 0049: 0053).

Smith suggests in [¶0019: The collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event]. Smith does not explicitly disclose wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access control, and the access to the storage resource according to a schedule in a time zone of the authenticated requestor.

Mankovskii, in analogous art however, discloses wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access control, and the access to the storage resource according to a schedule in a time zone of the authenticated requestor [¶0020: An access control system acquire a request for access to a protected resource within a computing environment, identify a username associated with the request, authenticate the username, acquire contextual information associated with the request 
Mankovskii, further discloses in [¶0047: The contextual information is stored and an identification of the deviation is outputted in response to detecting the deviation, the contextual information tagged or indexed with an identification of the request for access (e.g., identified using a unique access request number or a time stamp for when the access request was received). ¶0051 : an access control application may acquire contextual information associated with an access request by extracting the contextual information from a message header transmitted from a computing device. The access control application may derive 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of the access control requestor disclosed by Smith to include wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access control, and the access to the storage resource according to a schedule in a time zone of the authenticated requestor. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an improved technique of managing access to protected resources (e.g., networks, servers, processors, storage devices, databases, files, and computing applications) and for detecting anomalies related to access control events as suggested by Mankovskii in (0002; 0004; 0013).


Smith and Mankovskii do not explicitly disclose the access to the storage resource is on a temporary basis to satisfy the request being allowable. Furuya, in analogous art however, discloses the access to the storage resource is on a temporary basis to satisfy the request being allowable in [0043-0045: The information (hereinafter, referred to as a temporary access right) which is stored in the temporary access right storing unit 5-1 is obtained when the secure application 3, secure output apparatus 5, or secure input apparatus 6 requests it from the security managing server 4. The temporary access right is stored into the secure data 2. The security managing server 4 forms the temporary access right based on the information in the access right management table 3-4 and issues it. Fundamentally, the temporary access right is information obtained by adding restriction information to the access permission kind 3-6. The restriction information is information defining time/date when the temporary access right is valid, the number of times in which it is possible to access the secure data 2, inhibition of the edition, inhibition of the printing, and the like. That is, the temporary access right can be also regarded as a finite access right].


As per claim 2:
Smith discloses wherein the one or more conditions comprise one or more statements, wherein each of the one or more statements expresses an attribute-based control rule that is compared with the set of context-based rules to determine whether fulfillment of the request is allowable (0019; 0025).

As per claim 3:
Smith discloses wherein the one or more conditions applicable to the request are based at least in part on the storage resource or information related to the request (0083).

As per claim 4:
 discloses wherein the one or more conditions that are based at least in part on the storage resource further comprise at least one of: a name and type of the requested storage resource (0019; 0021; 0037; 0041).

As per claim 5:
Mankovskii discloses wherein the one or more conditions that are based at least in part on the information related to the request include at least one of: the timestamp, an originating Internet Protocol (IP) address, and a destination IP address of the requested storage resource (0021; 0037; 0041).

Claims 6-20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US. Pub. No.: 2015/0135258) in view of Mahaffey et al. (Hereinafter referred to as Mahaffey, US Pub. No.: US 20140189808 A1).

As per claim 6:
Smith discloses a system, comprising:
one or more processors (0014: Computing Device-Host Machine 102); and
memory storing executable instructions that, as a result of execution by the one or more processors (0014: Computing Device-Host Machine 104), cause the system to:
receive an access request for a computing instance hosted by a computing resource service provider (0012: user or device identification and/or authentication seeking access to a resource; the resource may include a variety of items, such as any number and type of data, files, 
determine whether contextual information related to the access request satisfies a set of context-based policies (0025: determine applicable criterion of context to access the requested resource; evaluation logic 216 evaluates the request which may include comparing the user/device contexts with one or more policies (e.g., policy P1) to determine the request meets the minimum criteria of contexts to access the requested resource (e.g., resource R1).)
provide an indication that fulfillment of the access request is allowable as a result of the contextual information satisfying the set of context-based policies (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event); and
provide access to the computing instance to satisfy the access request based at least in part on the indication (0026: using the evaluation results, decision/return logic 218 decides whether the request be granted, such as whether the user be allowed access to the requested resource. If the request is approved by decision/return logic 218, the approval decision is returned by decision/return logic 218 to policy enforcement point (PEP) 210; 0030-0031: provisioning of context-aware access credentials may be performed on-demand; 0038-0039: a determination is made as to whether the resource request satisfies a base policy. If the base policy is satisfied, at block 316, the user is allowed access to the requested resource).

Mahaffey, in analogous art however, discloses wherein satisfaction of the contextual information depends, at least in part, on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operations to be performed using the computing instance ([0063] a hardware identifier that may be used to determine identity of the client (e.g. IMEI, IMSI, UDID, MAC address, serial number, or other unique identifier provided by device's hardware), and which, because hardware identifiers are not always secret, may be used alongside other mechanisms to strengthen authentication or provide additional context to server when evaluating client-supplied information (e.g., a hardware ID associated with hardware that has previously authenticated successfully may be treated differently than a hardware ID that has not previously authenticated. [0068] In an 
Mahaffey, further discloses in ([0078]: Authorization requirements may change based on information available to server. The determination of what authorization steps to take (if any), and how to determine whether or not the request is authorized may be based on a number of factors. Such data can include the context information described above. Examples of input to determine what level of authorization is required include: all authorizations are treated the same (i.e. no step of determining what form of authorization to do); server configuration/policy; requesting client configuration/policy or user input; based on type of authorization, e.g., if requesting client wants a one-time authorization vs. an authorization to access a number of services for the next 30 minutes creates different levels of authorization, access to view a bank account balance may be different than access to transfer money from the account.  [0090] The authentication server 102 uses certain context information to perform the authorization. Such context information can include information provided by the client, the location of the client (such as determined by Geo-IP, GPS or other location finding means, nearby wireless infrastructure, cell tower or other device triangulation means, transaction locations, building locations, etc.), network information (e.g., client configuration information, IP address, gateway, netmask, DNS, server, network names, access points, etc.), application data (e.g., pre-installed apps), common accounts, and device usage patterns and anomalies. [0091] The authentication process 106 is dynamic in that authorization requirements may change depending on the information available to the server. The level of authorization may be characterized as weak, strong, or any value in a range depending on a number of factors. These include: server 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of contextual information to the access request disclosed by Smith to include wherein satisfaction of the contextual information depends, at least in part, on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operations to be performed using the computing instance. This modification would have been 

As per claim 7:
Smith discloses wherein access to the computing instance is provided on a temporary basis or with usage limitations on the computing instance (0025: context necessary or minimally required for grant of access to one or more resources; policy decision point evaluate the request such that the context received with or within the request matched against the relevant policy for the requested resource to be accessed; comparing the user/device contexts with one or more policies to determine whether the request meets the minimum criteria of contexts to access the requested resource – under BRI directed to usage limitations).

As per claim 8:
Smith discloses wherein the contextual information comprises one or more statements, wherein the system compares each of the one or more statements to the set of context-based policies to determine whether fulfillment of the request is allowable (0019: The collection and/or monitoring of context-aware data performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event; sensors devices configured to sense various characteristics of users, devices, environment, and/or things, etc., relative to computing device , e.g. biometric sensors to sense physical attributes (e.g., fingerprints, facial features/measurements, speech patterns, retinal patterns, etc.) and/or behavioral characteristics (e.g., body movement, visual focus patterns, eye movement, speed and strength of key inputs, etc.) of users of computing device; facilitate audio/visual devices to detect and monitor some of the characteristics, such as using a camera to detect a user's facial features, such as distance between the user's eyes, etc., microphone to detect the user's voice patterns, etc.)

As per claim 9:
Smith discloses wherein fulfillment of the access request is allowable if one or more statements, when evaluated against the set of context-based policies, indicate an approval (0025-0026).

As per claim 10:


As per claim 11:
Mahaffey discloses wherein the attributes based at least in part on the requested computing instance include at least one of: a name and type of the requested computing instance (0063; 0072-0073; 0078, 0091; 0094).

As per claim 12:
Mahaffey discloses wherein the attributes based at least in part on the information related to the access request include at least one of: a timestamp, an originating Internet Protocol (IP) address, and the network address of the requested computing instance (0063; 0072-0073; 0078, 0091; 0094).

As per claim 13:
Mahaffey discloses wherein the timestamp indicates a time that the access request is generated for the requested computing instance (0076; 0128; 0163; 0166).

As per claim 14:
Smith discloses a non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a 
receive a request generated by an authenticated user to access a web service (0012: user identification and/or authentication, device identification and/or authentication, seeking access to a resource; 0018: resource requestor);
as a result of receiving the request from the authenticated user, determining that the request is authorized (0025: determine applicable criterion of context to access the requested resource);
determine one or more conditions associated with the request, wherein the one or more conditions comprises one or more attributes to be checked against a set of context-based policies (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event; 0030:  provisioning of context-aware access credentials may be performed on-demand; 0034;  0043: context-aware authorization policy for the requested resource);
generate an indication that fulfillment of the request is allowable as a result of checking the one or more attributes against the set of context-based policies (0026: decision/return logic ; 0039: the rejection and the minimum policy are returned to the user); and
grant access to the web service  based at least in part on the indication (0030-0031; 0038-0039; 0041: in case of the acceptance of the request, the requested resource 356 is returned 352 to resource requestor 246 to be communicated on to the user; 0053: where the resource is a server, a server array or server farm, a web server, a network server, an Internet server, a work 

Smith does not explicitly disclose wherein the one or more attributes includes the identifier for the web service identified in the request is to be performed using the web service in accordance with an allowable scope of operations. Mahaffey, in analogous art however, discloses wherein the one or more attributes includes the identifier for the web service identified in the request is to be performed using the web service in accordance with an allowable scope of operations ([0047]: A service may use the server as a primary method of authenticating. In this case, the client sends a request to the server asking to authenticate with the service. The client automatically sends request to server (e.g. if user's request to take an action is implied or the request originates as part of a background, non-user-initiated, process on the service, no user action is required). In a user-initiated request, a web browser or app displays a button indicating that the user can authenticate (e.g. create account or login) to the service by clicking the appropriate button. When the user clicks the button, the client sends a request (e.g. HTTP) to server with information provided by the service. In an example implementation, the system can follow the OAuth standard. The request may contain information provided by service: an address (e.g. URL) where the authorized request can return information to the server, parameters indicating what type of authorization to perform to verify user consent (e.g. need voice, picture, biometric, parental or administrator authorization), or parameters indicating what type of information service requests to know about user. The server may determine what information to provide to service. A UI is displayed asking the user to choose what information 
Mahaffey, further discloses ([0073] The network may be determined by one of: client provided network configuration information, or the server determining source information from the client. Types of network information include client provides configuration information (e.g. ip, default gateway, netmask, DNS server, domain); client provided neighbor device information 

Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of contextual information to the access request disclosed by Smith to include wherein the one or more attributes includes the identifier for the web service identified in the request is to be 

As per claim 15:
Mahaffey discloses wherein access to the web service is granted for at least one of: a predetermined amount of time and granted with limited access to the web service (0076; 0128; 0163; 0166).

As per claim 16:


As per claim 17:
Smith discloses wherein the expression comprises one or more statements, wherein each of the one or more statements expresses an attribute-based control rule that is compared with the set of context-based policies to determine whether fulfillment of the request is allowable (0019; 025).

As per claim 18:
Mahaffey discloses wherein the expression comprises a timestamp applicable to a time the request was generated by the authenticated user (0076; 0128; 0163; 0166).

As per claim 19:
Smith discloses wherein the context-based policies are obtained from policies determined by the authenticated user (0025-0026).

As per claim 20:
Smith discloses wherein the user is determined to be an authenticated user by at least submitting an identity associated with the request to an authentication service and receiving a result that the user is authenticated (0037; 0041).

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI, consistent with the applicant’s disclosure, as they would be interpreted by one of ordinary skill in the art. The following claim words, terms, phrases, or language have been given the following BRI considerations in view of the applicant’s disclosure in order to construe the boundary and scope of the claimed limitations:
Conditions; Satisfactions; Statement; Expressions; Attribute-Based; Policies and Timestamp, Computing Instance: are given their literal meaning as it would be understood by one of ordinary skill in the art in the context of the applicant’s disclosure. 

A schedule in a time zone of the authenticated requestor: [Applicant’s Disclosure: ¶ 0060] The context validation plugin retrieves 804 a current date and time using a network time service or system clock. At block 806, the context validation plugin determines the identity of the requester that submitted the request, and queries personnel management systems to determine the customary working hours of the requester. In some implementations, the customary working hours of the requester are determined by determining the geographical location of the requester, determining the time zone for the location of the requester, and assuming a customary working schedule such as 9 AM to 5 PM local time.

Network Address: (From Wikipedia, the free encyclopedia) A network address is an identifier for a node or host on a telecommunications network. Network addresses are designed 
Examples of network addresses include: Telephone number, in the public switched telephone network; IP address in IP networks including the Internet; IPX address, in NetWare; X.25 or X.21 address, in a circuit switched data network; MAC address, in Ethernet and other related IEEE 802 network technologies (From Wikipedia, the free encyclopedia).

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TECHANE GERGISO/Primary Examiner, Art Unit 2494