Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed have been fully considered.  The arguments are persuasive to alter rejection of the independent claims, but based upon art that was previously relied upon.

Examiner believes Berg anticipates a “tenant specific execution environment” in at least [0022] and [0049] which state that the tenant system enforces a tenant isolation principle. However, Examiner cites Prismon US 2015/0205602, which is not relied upon, but explicitly teaches said isolation execution environment in at least [0109].



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 7, 8, 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455

Berg teaches A computer implemented method, comprising: receiving an access request from a workload in a multi-tenant computing system that includes a plurality of tenants, the access request being indicative of a requestor requesting access to a resource; parsing, by a tenant-specific execution environment that is specific to a particular tenant associated with the requestor, the access request to identify idand a resource attribute corresponding to the resource; selecting, based on information in the access request, a tenant-specific data access policy from a set of data access policies, the selected tenant-specific data access policy being specific to the particular tenant; accessing a multi-tenant policy storage system that includes a plurality of tenant-specific policy stores, wherein each tenant-specific policy store corresponds to a different one of the tenants, and stores a set of tenant-specific data access policies, for the corresponding tenant, separate from data access policies for other tenants; obtaining the selected tenant-specific data access policy from the tenant-specific policy store corresponding to the particular tenant; loading the selected tenant-specific data access policy into the tenant-specific execution environment; generating, by the tenant-specific execution environment, an access decision indicative of whether the requested access is granted based on the requestor attribute, the resource attribute and the selected tenant-specific data access policy; and returning the access decision to the workload. [0021][0022][0042][0115]-[0125][0132][0139] (Berg teaches a multitenant system using attribute and/or role based access control, the access control policy being tenant specific, obtaining policy from multitenant storage, tenant the attributes of both tenant and user used to determine an access decision)

Chhabra explicitly teaches identifying a set of requestor attributes corresponding to the requestor and a set of resource attributes corresponding to the resource; generating an access decision indicative of whether the requested access is granted based on the set of requestor attributes, the set of resource attributes [0023][0024][0025][0034]  (Users are associated with tags or attributes in an attribute based access control system and associated resources with additional tags or attributes)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the access system of Chhabra with the previous art because it is more easily controlled.

As per claim 3, Chhabra teaches The computer implemented method of claim 1, and further comprising: determining whether any of the set of requestor attributes or the set of resource attributes are included with the access request; and if not, obtaining any of the set of requestor attributes and the set of resource attributes that are not included with the access request. [0024][0034][0039][0041][0064]-[0066] (teaches obtaining a set of requestor attributes and resource attributes from a storage system)

As per claims 7, Chhabra teaches The computer implemented method of claim 4 and further comprising: generating a user interface with a user actuatable tag type generation input mechanism; detecting user actuation of the tag type generation input mechanism indicative of a tag type; and storing the tag type in a tag type store. [0019][0020][0030][0031][0116]  (creation modification of tags for users and resources for access control)




As per claims 10, Chhabra teaches The computing system of claim 19 and further comprising: an administration system configured to generate a user interface with a user actuatable tag type generation input mechanism, detect user actuation of the tag type generation input mechanism indicative of a tag type, generate a user interface with user actuatable tag generation input mechanism, detect user actuation of the tag generation input mechanism indicative of a tag of a given tag type, generate a user interface with user actuatable tag mapping input mechanism, and detect user actuation of the tag mapping input mechanism indicative of a mapping between a tag of a tag type to a resource identity; and a data store configured to store the tag type, the tag and the tag mapping.   [0019][0020][0030][0031][0116] (creation modification of tags for users and resources for access control)


Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455 in view of CAI US 2020/0097673

As per claims 6, CAI teaches The computer implemented method of claim 1 wherein generating the access decision comprises: obtaining a set of environment attributes corresponding to an 
It would have been obvious to one of ordinary skill in the art to use the tags of CAI with the previous combination because it increases metadata options.


Claim 4, 5, 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455 in view of Joshi US 10,628,388

As per claim 4, Joshi teaches The computer implemented method of claim 3 wherein obtaining any of the set of requestor attributes and the set of resource attributes that are not included in the access request, comprises: obtaining any of the set of requestor attributes that are not included with the access request from a multi-tenant attribute storage system that segments attributes corresponding to different tenants. (Column 10 lines 31-50) (Joshi explicitly teaches segmenting data for different tenants)
Chhabra teaches obtaining any of the set of requestor attributes and the set of resource attributes that are not included with the access request from a storage system. [0024] [0034][0039] [0041] [0064]-[0066]
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the storage of Joshi with the previous system because it provides extra security.



Chhabra teaches obtaining any of the set of requestor attributes and the set of resource attributes that are not included with the access request from a storage system. [0024] [0034][0039] [0041] [0064]-[0066]

As per claim 9, Chhabra teaches generating a user interface with user actuatable tag mapping input mechanism; detecting user actuation of the tag mapping input mechanism indicative of a mapping between a tag of a tag type to a resource identity; and storing the mapping in the multi-tenant attribute storage system.  [0019][0020][0030][0031][0116] (creation modification of tags for users and resources for access control)


Claim 2, 12, 15, 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455 in view of Garcia US 8,788,815.
As per claims 2, Garcia teaches The computer implemented method of claim 1 wherein obtaining the relevant tenant- specific access policy comprises: obtaining the relevant tenant-specific 
It would have been obvious to one of ordinary skill in the art to use the encrypted policy of Garcia with the previous combination because it increases security.

As per claim 12, Berg teaches A computer system, comprising: one or more processors; and memory that stores instructions which, when executed by the one or more processors, cause the one or more processors to: receive an access request from a workload in a multi-tenant computing system, the access request being indicative of a requestor requesting access to a resource; identify a particular tenant, of a plurality of tenants in the multi-tenant computing system, based on the access request; obtain a tenant-specific requestor attribute corresponding to the requestor, from a multi-tenant attribute storage system, the tenant-specific requestor attribute being specific to the particular tenant; obtain a resource attribute corresponding to the resource; select a tenant-specific data access policy, from a set of data access policies, based on information in the access request, the relevant tenant-specific data access policy being specific to the particular tenant; obtain the selected tenant-specific data access policy from a multi-tenant policy storage system in encrypted form; decrypt the selected tenant-specific access policy to obtain a decrypted tenant-specific data access policy; generate an access decision indicative of whether the requested access is granted based on the requestor attribute, the resource attribute and the s [0021][0022][0042][0115]-

Chhabra explicitly teaches identifying a set of requestor attributes corresponding to the requestor and a set of resource attributes corresponding to the resource; generating an access decision indicative of whether the requested access is granted based on the set of requestor attributes, the set of resource attributes [0023][0024][0025][0034]  (Users are associated with tags or attributes in an attribute based access control system and associated resources with additional tags or attributes)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the access system of Chhabra with the previous art because it is more easily controlled.

Garcia teaches The computer implemented method of claim 1 wherein obtaining the relevant tenant- specific access policy comprises: obtaining the relevant tenant-specific access policy from the multi-tenant policy storage system in encrypted form; and decrypting the relevant tenant-specific access policy.  (Column 2 lines 8-28)   (teaches retrieving and decrypting an access policy)
It would have been obvious to one of ordinary skill in the art to use the encrypted policy of Garcia with the previous combination because it increases security.





As per claim 16, Berg teaches each tenant has a plurality of different users, the multitenant computing system hosts a service for users of the different tenants and the access decision includes a set of permitted actions that are permitted for the access request. [0021][0022][0042][0115]-[0125][0132][0139]

As per claim 17. Chhabra teaches The computer implemented method of claim 8 and further comprising: generating a user interface with user actuatable tag mapping input mechanism; detecting user actuation of the tag mapping input mechanism indicative of a mapping between a tag of a tag type to a resource identity; and storing the mapping in the multi-tenant attribute storage system.  [0019][0020][0030][0031][0116] (creation modification of tags for users and resources for access control)


Claim 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455 in view of Garcia US 8,788,815 in view of CAI US 2020/0097673

As per claim 14, CAI teaches The computer implemented method of claim 1 wherein generating the access decision comprises: obtaining a set of environment attributes corresponding to an environment in which the workload operates; obtaining a set of device attributes corresponding to a device from which the access request was originated; and generating the access decision based on the environment attributes and the device attributes. [0042][0043][0045][0046][0049] (teaches using attributes including device and environment to determine access)
It would have been obvious to one of ordinary skill in the art to use the tags of CAI with the previous combination because it increases metadata options.



Claim 19, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Berg US 2020/0120098 in view of Chhabra US 2020/0007455 in view of Joshi US 10,628,388

As per claim 19, Berg teaches 19. (Currently Amended) A computing system, comprising: a multi-tenant policy storage system configured to store tenant-specific data access policies in tenant-specific data stores; a workload request processor configured to: receive an access request from a workload in a multi-tenant computing system, the access request being based on parsing the access request, determine that one or more of a requestor attribute or a resource attribute are not included with the access request; in response to the determination, access a multi-tenant attribute storage system that segments attribute mappings corresponding to different tenants and identify a set of attribute mappings corresponding to a particular tenant corresponding to the requestor; obtain the one or more of the requestor attribute or the resource attribute from the identified set of attribute mappings attribute attribute [0021][0022][0042][0115]-[0125][0132][0139] (Berg teaches a multitenant system using attribute and/or role based access control, the access control policy being tenant specific, obtaining policy from multitenant storage, tenant the attributes of both tenant and user used to determine an access decision)

Chhabra explicitly teaches identifying a set of requestor attributes corresponding to the requestor and a set of resource attributes corresponding to the resource; generating an access decision indicative of whether the requested access is granted based on the set of requestor attributes, the set of resource attributes [0019][0020] [0023][0024][0025][0030][0031][0034] [0064]-[0066] 
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the access system of Chhabra with the previous art because it is more easily controlled.

Joshi teaches obtaining any of the set of requestor attributes and the set of resource attributes that are not included in the access request, comprises:   obtaining any of the set of requestor attributes that are not included with the access request from a multi-tenant attribute storage system that segments attributes corresponding to different tenants.   (Column 10 lines 31-50)  (Joshi explicitly teaches segmenting data for different tenants)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the storage of Joshi with the previous system because it provides extra security.


As per claims 20. Chhabra teaches The computing system of claim 19 and further comprising: an administration system configured to generate a user interface with a user actuatable tag type generation input mechanism, detect user actuation of the tag type generation input mechanism indicative of a tag type, generate a user interface with user actuatable tag generation input mechanism, detect user actuation of the tag generation input mechanism indicative of a tag of a given tag type, generate a user interface with user actuatable tag mapping input mechanism, and detect user actuation of the tag mapping input mechanism indicative of a mapping between a tag of a tag type to a resource identity; and a data store configured to store the tag type, the tag and 



Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-






/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439