DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Applicant’s remarks/amendments were filed on December 9, 2021. Claims 1-22 are pending for examination.

Response to Arguments
Applicant’s arguments, filed on December 9, 2021, with respect to the Double Patenting rejection have been fully considered and are persuasive. The Double Patenting rejection of claims 1-20 has been withdrawn.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Sarah Bassett on March 10, 2022.
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.



1.	(Previously Presented) A method comprising:
storing data that establishes one or more privilege rules that:
assign an operation-specific privilege to one or more users to perform a particular data change operation within a subset of rows in a database table within a database, and
assign one or more column-level privileges to perform operations on data within one or more columns of said database table;
via a database session established for a particular user, of the one or more users, receiving a data manipulation language (DML) statement that specifies the particular data change operation to at least one row of said subset of rows and to a particular column of said one or more columns;
based, at least in part, on the one or more privilege rules, allowing the particular data change operation;
wherein the method is performed by one or more computing devices.
2.	(Previously Presented) The method of claim 1, wherein: 
the one or more column-level privileges are to perform operations on data within a plurality of columns that comprises the one or more columns; and
said DML statement does not specify to perform said particular data change operation on at least one of said plurality of columns.
3.	(Original) The method of claim 1, wherein:
the one or more users are each assigned a particular user role; and
the one or more privilege rules assign the operation-specific privilege to the one or more users based on assigning the operation-specific privilege to the particular user role.
4.	(cancelled) 

receiving one or more data definition language (DDL) statements that establish the one or more privilege rules;
wherein storing the data that establishes the one or more privilege rules is performed based on receiving the one or more DDL statements.
6.	(Original) The method of Claim 1, wherein: 
the one or more privilege rules assign the operation-specific privilege, to perform the particular data change operation, to the particular user within the subset of rows in the database table by:
mapping a particular access control list (ACL) to the subset of rows in the database table;
wherein the particular ACL maps particular user data, associated with the particular user, to the operation-specific privilege; and
the method further comprises: 
identifying, based on the one or more privilege rules, the particular ACL that is mapped to the subset of rows in the database table;
determining that the identified particular ACL maps the particular user data, associated with the particular user, to the operation-specific privilege to perform the particular data change operation specified by the DML statement; and
wherein allowing the particular data change operation is performed in response to determining that the identified particular ACL maps the particular user data to the operation-specific privilege.
7.	(Previously Presented) The method of Claim 1, further comprising: 
determining whether the one or more privilege rules assign, to the particular user, both (a) the operation-specific privilege to perform the particular data change operation within the subset of rows in the database table, and (b) a particular column-level privilege, of the one or more column-level privileges, to perform operations on data within the particular column;

8.	(Original) The method of Claim 1, further comprising:
determining, based at least in part on the one or more privilege rules, whether the particular user is authorized to select particular data that is referenced within a WHERE clause of the DML statement; and
wherein allowing the particular data change operation is performed in response to determining that the particular user is authorized to select the particular data that is referenced within the WHERE clause of the DML statement.
9.	(Original) The method of Claim 1, further comprising:
determining, based at least in part on the one or more privilege rules, whether the particular user is authorized to select particular data that is referenced within a RETURNING INTO clause of the DML statement; and
wherein allowing the particular data change operation is performed in response to determining that the particular user is authorized to select the particular data that is referenced within the RETURNING INTO clause of the DML statement.
10.	(Original) The method of Claim 1, further comprising:
determining that the DML statement updates a plurality of values within a particular row of the subset of rows;
in response to determining that the DML statement updates the plurality of values within the particular row of the subset of rows:
based, at least in part, on the one or more privilege rules, determining whether the particular user is authorized to update all of the plurality of values within the particular row, 

responsive to determining that the particular user is not authorized to update all of the plurality of values within the particular row, disallowing the DML statement to update any values within the particular row.
11.	(Previously Presented) One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause:
storing data that establishes one or more privilege rules that:
assign an operation-specific privilege to one or more users to perform a particular data change operation within a subset of rows in a database table within a database, and
assign one or more column-level privileges to perform operations on data within one or more columns of said database table;
via a database session established for a particular user, of the one or more users, receiving a data manipulation language (DML) statement that specifies the particular data change operation to at least one row of said subset of rows and to a particular column of said one or more columns;
based, at least in part, on the one or more privilege rules, allowing the particular data change operation.
12.	(Previously Presented) The one or more non-transitory computer-readable media of claim 11, wherein:
the one or more column-level privileges are to perform operations on data within a plurality of columns that comprises the one or more columns; and
said DML statement does not specify to perform said particular data change operation on at least one of said plurality of columns.

the one or more users are each assigned a particular user role; and
the one or more privilege rules assign the operation-specific privilege to the one or more users based on assigning the operation-specific privilege to the particular user role.
14.	(cancelled) 
15.	(Previously Presented) The one or more non-transitory computer-readable media of claim 11, wherein the instructions further comprise instructions that, when executed by one or more processors, cause:
receiving one or more data definition language (DDL) statements that establish the one or more privilege rules;
wherein storing the data that establishes the one or more privilege rules is performed based on receiving the one or more DDL statements.
16.	(Previously Presented) The one or more non-transitory computer-readable media of Claim 11, wherein: 
the one or more privilege rules assign the operation-specific privilege, to perform the particular data change operation, to the particular user within the subset of rows in the database table by:
mapping a particular access control list (ACL) to the subset of rows in the database table;
wherein the particular ACL maps particular user data, associated with the particular user, to the operation-specific privilege; and
the instructions further comprise instructions that, when executed by one or more processors, cause: 
identifying, based on the one or more privilege rules, the particular ACL that is mapped to the subset of rows in the database table;
determining that the identified particular ACL maps the particular user data, associated with the particular user, to the operation-specific 
wherein allowing the particular data change operation is performed in response to determining that the identified particular ACL maps the particular user data to the operation-specific privilege.
17.	(Previously Presented) The one or more non-transitory computer-readable media of Claim 11, wherein the instructions further comprise instructions that, when executed by one or more processors, cause: 
determining whether the one or more privilege rules assign, to the particular user, both (a) the operation-specific privilege to perform the particular data change operation within the subset of rows in the database table, and (b) a particular column-level privilege, of the one or more column-level privileges, to perform operations on data within the particular column;
wherein allowing the particular data change operation is performed in response to determining that the one or more privilege rules assign, to the particular user, both (a) the operation-specific privilege to perform the particular data change operation within the subset of rows in the database table, and (b) the particular column-level privilege.
18.	(Previously Presented) The one or more non-transitory computer-readable media of Claim 11, wherein the instructions further comprise instructions that, when executed by one or more processors, cause:
determining, based at least in part on the one or more privilege rules, whether the particular user is authorized to select particular data that is referenced within a WHERE clause of the DML statement; and
wherein allowing the particular data change operation is performed in response to determining that the particular user is authorized to select the particular data that is referenced within the WHERE clause of the DML statement.

determining, based at least in part on the one or more privilege rules, whether the particular user is authorized to select particular data that is referenced within a RETURNING INTO clause of the DML statement; and
wherein allowing the particular data change operation is performed in response to determining that the particular user is authorized to select the particular data that is referenced within the RETURNING INTO clause of the DML statement.
20.	(Previously Presented) The one or more non-transitory computer-readable media of Claim 11, wherein the instructions further comprise instructions that, when executed by one or more processors, cause:
determining that the DML statement updates a plurality of values within a particular row of the subset of rows;
in response to determining that the DML statement updates the plurality of values within the particular row of the subset of rows:
based, at least in part, on the one or more privilege rules, determining whether the particular user is authorized to update all of the plurality of values within the particular row, 
responsive to determining that the particular user is authorized to update all of the plurality of values within the particular row, allowing the DML statement to update the plurality of values within the particular row, and
responsive to determining that the particular user is not authorized to update all of the plurality of values within the particular row, disallowing the DML statement to update any values within the particular row.
21.	(Previously Presented) The method of claim 1, wherein:
said database session includes a particular security context for the particular user; and

22.	(Previously Presented) The one or more non-transitory computer-readable media of Claim 11, wherein:
said database session includes a particular security context for the particular user; and
said allowing the particular data change operation is based, at least in part, on the particular security context of the particular user.
23.	(new) The method of claim 21, further comprising:
creating a user privilege application session for the particular user, wherein the user privilege application session comprises: (a) the particular security context, and (b) one or more operation-specific privileges granted to the particular user based on the one or more privilege rules;
attaching the user privilege application session to the database session;
wherein said allowing the particular data change operation is based, at least in part, on the user privilege application session attached to the database session.
24.	(new) The one or more non-transitory computer-readable media of claim 22, wherein the instructions further comprise instructions that, when executed by one or more processors, cause:
creating a user privilege application session for the particular user, wherein the user privilege application session comprises: (a) the particular security context, and (b) one or more operation-specific privileges granted to the particular user based on the one or more privilege rules;
attaching the user privilege application session to the database session;
wherein said allowing the particular data change operation is based, at least in part, on the user privilege application session attached to the database session.
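The claims above describe one authorization model: an operation-specific privilege (UPDATE, DELETE, and so on) granted through an ACL mapped to a subset of rows, combined with column-level privileges, with SELECT required on columns referenced in a WHERE or RETURNING INTO clause, and an all-or-nothing decision for a row when several of its values are changed. The following is an added illustration written for this page; it is not the applicant's implementation and not code from the office action. Every table, rule, user, role and column name in it is constructed, and the statement-level rule (deny the whole statement if any targeted row or column fails) is a design choice of the example rather than something the claims require.

```python
"""Toy evaluator for combined row-subset and column-level DML privileges.

Added example, not from the office action or the applicant's product. It
models privilege rules in the shape the claims describe: an ACL mapped to a
subset of rows grants operation-specific privileges to users or roles, and
separate column-level privileges govern which columns an operation may touch.
All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Maps user data (user names or role names) to operation privileges."""
    grants: dict  # principal -> set of operations, e.g. {"hr": {"UPDATE"}}

    def permits(self, user, roles, op):
        principals = {user, *roles}
        return any(op in self.grants.get(p, set()) for p in principals)


@dataclass
class PrivilegeRules:
    row_rules: list      # [(predicate over a row, ACL name)]; first match wins
    acls: dict           # ACL name -> Acl
    column_privs: dict   # principal -> {column -> set of operations}
    user_roles: dict = field(default_factory=dict)

    def acl_for_row(self, row):
        """Identify the ACL mapped to the subset of rows containing `row`."""
        for predicate, acl_name in self.row_rules:
            if predicate(row):
                return self.acls[acl_name]
        return None

    def column_permits(self, user, column, op):
        for principal in (user, *self.user_roles.get(user, ())):
            if op in self.column_privs.get(principal, {}).get(column, set()):
                return True
        return False


@dataclass
class UserSession:
    """Security context attached to the database session for one user."""
    user: str
    roles: tuple


@dataclass
class DmlStatement:
    """Structured form of a DML statement, as a parser would hand it over."""
    operation: str                  # "UPDATE", "DELETE", ...
    target_rows: list               # rows the statement touches
    change_columns: list            # columns whose values are changed
    where_columns: list = field(default_factory=list)
    returning_columns: list = field(default_factory=list)


def attach_session(rules, user):
    """Snapshot the user's roles into a session-level security context."""
    return UserSession(user, tuple(rules.user_roles.get(user, ())))


def authorize(rules, session, stmt):
    """Return (allowed, reasons).

    The statement is allowed only if every referenced column and every
    targeted row passes; a row whose columns are not all permitted is
    denied as a whole rather than partially updated.
    """
    reasons = []
    # Data referenced in WHERE or RETURNING INTO must be selectable by the user.
    for col in stmt.where_columns + stmt.returning_columns:
        if not rules.column_permits(session.user, col, "SELECT"):
            reasons.append(f"no SELECT on referenced column {col}")
    # Column-level privilege for every column the operation changes.
    for col in stmt.change_columns:
        if not rules.column_permits(session.user, col, stmt.operation):
            reasons.append(f"no {stmt.operation} on column {col}")
    # Row-subset privilege via the ACL mapped to each targeted row.
    for row in stmt.target_rows:
        acl = rules.acl_for_row(row)
        if acl is None or not acl.permits(session.user, session.roles, stmt.operation):
            reasons.append(f"no {stmt.operation} on row {row.get('id')}")
    return (not reasons, reasons)


# Constructed rules: engineering rows are governed by one ACL, all other
# rows by an HR ACL; column privileges are granted per role.
RULES = PrivilegeRules(
    row_rules=[
        (lambda row: row["dept"] == "eng", "eng_acl"),
        (lambda row: True, "hr_acl"),
    ],
    acls={
        "eng_acl": Acl({"eng_manager": {"UPDATE", "SELECT"}}),
        "hr_acl": Acl({"hr": {"UPDATE", "SELECT", "DELETE"}}),
    },
    column_privs={
        "eng_manager": {"id": {"SELECT"}, "dept": {"SELECT"},
                        "salary": {"SELECT", "UPDATE"}},
        "hr": {"id": {"SELECT"}, "dept": {"SELECT"},
               "salary": {"SELECT", "UPDATE"}},
    },
    user_roles={"alice": ("eng_manager",), "bob": ("hr",)},
)

if __name__ == "__main__":
    session = attach_session(RULES, "alice")
    # UPDATE employees SET salary = ... WHERE dept = 'eng' AND id = 2
    stmt = DmlStatement("UPDATE", [{"id": 2, "dept": "eng"}], ["salary"], ["dept", "id"])
    print(authorize(RULES, session, stmt))
```

The reasons list is what a defender would want logged: it records whether a denial came from the row-subset ACL, a column privilege, or a SELECT requirement on a referenced column, which is the information needed to audit privilege rules rather than just the allow/deny outcome.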

Prior Arts of Record
The closest prior art of record issued to Chen et al. (US Patent No. 7,761,404) discloses a system and method for managing privileges by storing system defined and user defined privilege definition codes in a database table, with a first plurality of the codes reserved to system defined privilege definition codes, and codes beyond the first plurality reserved to user defined privilege definition codes; and executing a database stored procedure selectively for adding, updating and deleting a user defined privilege (See Summary of Invention).
The prior art publication to Murthy et al. (US 2007/0276835) discloses a system and method for access control rewrite that generate rewritten queries that may be executed more efficiently using index evaluation to determine which rows satisfy one or more access control conditions. In an index evaluation, an index is examined to determine which rows satisfy a particular condition. The result of an index evaluation can be the rows (or identity of rows) that satisfy the particular condition e.g. the row ids of the rows that have a key value that satisfy a condition (see paragraph [0017]).

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Claims 1-3, 5-13, 15-24 are allowed.
The prior art of record fails to teach or fairly suggest assigning an operation-specific privilege to one or more users to perform a particular data change operation within a subset of rows in a database table within a database, and assigning a column-level operation-specific privilege, associated with the particular data change operation, 
Thus, the prior art of record neither renders obvious nor anticipates the combination of the claimed invention in light of the specification.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEBBIE M LE whose telephone number is (571)272-4111. The examiner can normally be reached from 9:00 to 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya, can be reached at 571-272-4034. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEBBIE M LE/  Primary Examiner, Art Unit 2168  March 11, 2022