DETAILED ACTION

1.	This Office Action is in response to an application filed on June 11, 2020. The original filing includes claims 1-20. Therefore, Claims 1-20 are presented for examination. Now claims 1-20 are pending.

Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Drawings
3.	The drawings filed on June 11, 2020 are accepted.

Priority
4.	Applicant Claims NO priority on the instant application.
 
Oath/Declaration
5.	For the record, the Examiner acknowledges that the Oaths/Declarations submitted on June 11, 2020 have been accepted.

Information Disclosure Statement
6.	The information disclosure statements (IDSs) submitted on 06/11/2020 and 08/05/2021 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Forms PTO-1449 are signed and attached hereto. 
Examiner Note: Claim 16 has been analyzed by the examiner, and in view of applicant’s disclosure on page 7, lines 13-17, and based on the broadest reasonable interpretation of the term "computer-readable storage medium" in the art, the medium is limited to non-transitory computer-readable storage media. Thus, claim 16 is deemed statutory.


Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


9.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
10.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
11.	Claims 1-4 and 6-20 are rejected under 35 U.S.C. 103 as being unpatentable over Russell Smith, “Windows Server 2016: Set Up Privileged Access Management”, hereinafter “Smith”, published Oct. 2, 2017 (according to applicant’s IDS filed on 08/05/2021), in view of Srinivasan et al., US 2019/0095516, hereinafter “Srinivasan”, published Mar. 28, 2019 (according to applicant’s IDS filed on 08/05/2021).

Regarding claim 1, Smith teaches: A cloud-based privileged access management (CBPAM) system (Smith, see page 3, “vNext Privileged Access Management on the Petri IT Knowledgebase”; also see page 1, “implement Privileged Access Management (PAM) in Windows Server 2016”), comprising:
a digital memory in a cloud (Smith, see page 1, “implement Privileged Access Management (PAM) in Windows Server 2016”, where the server system includes memory (memory in the cloud being digital) as part of the system; also see the figure on page 1, where the user is implementing PAM in Windows Server 2016); and
a processor in operable communication with the digital memory, the processor configured to perform CBPAM steps on behalf of a tenant of the cloud (Smith, see page 1, “implement Privileged Access Management (PAM) in Windows Server 2016”),
the steps including (a) getting an enrollment request, the enrollment request identifying an enrollee group for enrollment in a CBPAM service (Smith, see page 3, “To fully implement Microsoft's ESAE model, Microsoft Identity Manager (MIM) is recommended. MIM is used to implement workflows so that users can request temporary access to privileged groups in the production forest”; also see page 6, “Domain Admins group”),
the enrollee group belonging to an on-premise authentication domain (Smith, see page 6, “production domain”) which includes an on-premise resource domain (Smith, see page 6, “production domain”, where implicitly the production domain includes production resources), the enrollee group having an enrollee group security identification (Smith, see page 6, “ObjectSID”),
(b) creating a secured cloud-based shadow administrating group (SCBSAG) (Smith, see page 7, “Let's create a Shadow Principal (PROD-Domain Admins)”),
which has a SCBSAG security identification that includes at least a portion of the enrollee group security identification (Smith, see page 7, “$ShadowPrincipalContainer -OtherAttributes @{'msDS-ShadowPrincipalSid'=$ProdShadowPrincipal.ObjectSID”),
the SCBSAG belonging to a CBPAM authentication domain which is not the on-premise authentication domain (Smith, see page 6, “bastion domain”),
and (c) directing an administrative action toward the on-premise resource through the SCBSAG on behalf of the tenant (Smith, see page 2, “Administrative access to the production forest is managed using Shadow Principals in the bastion forest”) and
based at least in part on at least a portion of the enrollee group security identification (Smith, SIDs are used for access control in Windows networks);
whereby the system is configured to provide secure management control of the on-premise resource from the cloud as a service to the cloud tenant (Smith, see page 2, “Administrative access to the production forest is managed using Shadow Principals in the bastion forest”).
Smith does not explicitly disclose managing resources in the cloud or any deployment model for managing resources.
However, Srinivasan teaches using cloud services for flexible deployment of the resources (Srinivasan, see FIG. 2 along with ¶ [0052], “FIG. 4 is a block diagram 400 … IDCS 202 provides functionality to extend cloud identities to on-premise applications 218. The embodiment provides seamless view of the identity across all applications including on-premise and third-party applications. In the embodiment of FIG. 4, SCIM identity bus 234 is used to synchronize data in IDCS 202 with on-premise LDAP data called "Cloud Cache" 402. Cloud Cache 402 is disclosed in more detail below”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Smith with the teaching of Srinivasan, because the use of Srinivasan’s idea (Srinivasan, see abstract) could provide Smith (Smith, abstract) the ability to use cloud services for flexible deployment of resources in a cloud, so that the privileged access management of Smith would become the claimed cloud-based privileged access management: “an LDAP-based application 218 makes a connection to Cloud Cache 402, and Cloud Cache 402 establishes a connection to IDCS 202 and then pulls data from IDCS 202” (Srinivasan, ¶ [0053]).

Regarding claim 2, the combination of Smith and Srinivasan teaches all the limitations of claim 1. Further, Smith teaches: wherein the CBPAM authentication domain has a CBPAM authentication domain security identification which is embedded in the SCBSAG security identification (Smith, see page 3, “Create a New Bastion Forest”, and go on to page 4, where the CBPAM has "contoso.com" as the domain security identification. This domain is also embedded in the SCBSAG security identification).

Regarding claim 3, the combination of Smith and Srinivasan teaches all the limitations of claim 1. Further, Smith teaches: wherein no user account of the CBPAM authentication domain is compromised and no user account of the SCBSAG is compromised (Smith, see page 4, where the “Privilege Access Management Feature” is enabled; it can be assumed the accounts are not compromised).

Regarding claim 4, the combination of Smith and Srinivasan teaches all the limitations of claim 1. Further, Smith teaches: wherein all user accounts of the CBPAM authentication domain conform with a least privilege criterion and all user accounts of the SCBSAG also conform with the least privilege criterion (Smith, see page 4, inside the code, “Warning”; once the privileged access is confirmed and enabled, the user accounts conform with the privilege criterion and privileged access).

Regarding claim 6, this claim defines a method claim that corresponds to system claim 1 and does not define beyond the limitations of claim 1. Therefore, claim 6 is rejected with the same rationale as in the rejection of claim 1.

Regarding claim 7, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising establishing a one-way trust relationship having the CBPAM authentication domain as a trusted entity and the on-premise authentication domain as a trusting entity (Smith, see page 5, “Create a PIM Trust”: "The PIM trust is a one-way cross-forest trust established from the production domain (ad.contoso.com) to the bastion domain (pim.contoso.com)").

Regarding claim 8, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising authenticating an administrative user to the SCBSAG, and accepting a description of the administrative action from the authenticated administrative user before directing the administrative action toward the on-premise resource (Smith teaches the configuration of the privileged access, which is considered a description of an administrative action provided by an administrator).

Regarding claim 9, the combination of Smith and Srinivasan teaches all the limitations of claim 8. Further, Smith teaches: further comprising setting a time-to-live value for at least one of the following: an authentication lifespan of the administrative user after which the administrative user will no longer be treated as authenticated to the SCBSAG; or an authorization lifespan of the administrative action after which the administrative action will no longer be treated as authorized (Smith, see pages 7-9, "The time limit is set in seconds using the TTL value" and "Don't forget we set a TTL of 5 minutes, so you will need to check within that timeframe. To confirm that the PIM-russells permissions were revoked after five minutes"; the authorization is revoked).
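As an added illustration (not code from Smith, from Srinivasan, or from the examined application), the following PowerShell shows the shadow-principal mechanism the rejections of claims 1 and 9 rely on: a bastion-forest msDS-ShadowPrincipal whose msDS-ShadowPrincipalSid copies the production group's ObjectSID, a membership limited by a TTL given in seconds, and a defender-side check that the SID mapping is intact and that the membership has lapsed once the TTL expires. The domain names, the container path, the user name PIM-russells and the five-minute TTL are assumed for the illustration; it requires the ActiveDirectory module and a bastion forest with the Privileged Access Management optional feature enabled.

```powershell
# Added illustration, not from Smith's article or the examined application.
# Assumed names: ad.contoso.com (production forest), pim.contoso.com (bastion forest),
# the bastion user 'PIM-russells', and a TTL of 300 seconds (5 minutes).
Import-Module ActiveDirectory

$ProdDomain    = 'ad.contoso.com'   # assumed on-premise (production) domain
$BastionDomain = 'pim.contoso.com'  # assumed bastion (PIM) domain
$TtlSeconds    = 300                # assumed 5-minute authorization lifespan

# 1. Read the enrollee group's SID from the production domain. This is the
#    "ObjectSID" value that the shadow principal will carry.
$ProdGroup  = Get-ADGroup -Identity 'Domain Admins' -Server $ProdDomain
$EnrolleeSid = $ProdGroup.SID          # System.Security.Principal.SecurityIdentifier

# 2. Create the shadow principal in the bastion forest's configuration partition.
#    msDS-ShadowPrincipalSid holds the production group's SID, so a bastion member
#    of this object is treated as that production group across the one-way PIM trust.
$Container  = 'CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=pim,DC=contoso,DC=com'
$ShadowName = 'PROD-Domain Admins'
$Shadow = New-ADObject -Name $ShadowName -Type 'msDS-ShadowPrincipal' -Path $Container `
    -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $EnrolleeSid } `
    -Server $BastionDomain -PassThru

# 3. Grant a time-limited membership. With the PAM optional feature enabled, a member
#    value may carry a <TTL=seconds,DN> prefix; the DC drops the link when it expires.
$Admin = Get-ADUser -Identity 'PIM-russells' -Server $BastionDomain
Set-ADObject -Identity $Shadow.DistinguishedName -Server $BastionDomain `
    -Add @{ 'member' = "<TTL=$TtlSeconds,$($Admin.DistinguishedName)>" }

# 4. Defender-side check: the SID mapping must still point at the enrollee group,
#    and after the TTL the member attribute must be empty again.
function Test-ShadowPrincipalMapping {
    param(
        [string]$ShadowDn,
        [System.Security.Principal.SecurityIdentifier]$ExpectedSid,
        [string]$Server
    )
    $obj = Get-ADObject -Identity $ShadowDn -Server $Server `
        -Properties 'msDS-ShadowPrincipalSid', 'member'
    # The attribute may come back as a SecurityIdentifier or as raw bytes; handle both.
    $raw = $obj.'msDS-ShadowPrincipalSid'
    $sid = if ($raw -is [byte[]]) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    } else {
        [string]$raw
    }
    [pscustomobject]@{
        SidMatches  = ($sid -eq $ExpectedSid.Value)
        MemberCount = @($obj.member).Count
    }
}

# Immediately after the grant: SidMatches should be True and MemberCount 1.
Test-ShadowPrincipalMapping -ShadowDn $Shadow.DistinguishedName -ExpectedSid $EnrolleeSid -Server $BastionDomain

# After the TTL (plus a margin for the DC to process expiry): MemberCount should be 0.
# A non-zero count here means a privileged link outlived its authorization lifespan
# and is worth alerting on.
Start-Sleep -Seconds ($TtlSeconds + 30)
Test-ShadowPrincipalMapping -ShadowDn $Shadow.DistinguishedName -ExpectedSid $EnrolleeSid -Server $BastionDomain
```

The check function is the part a monitoring job would keep: run it against every shadow principal in the bastion forest and compare each msDS-ShadowPrincipalSid with the SID of the production group it is supposed to mirror, so that a retargeted shadow principal or a membership that never expired shows up as a finding rather than going unnoticed.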

Regarding claim 10, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising at least one of the following: ensuring that the enrollee group does not contain any members, thereby fostering use of only the SCBSAG for administrative management of the on-premise resource; or restricting administrative management of the on-premise authentication domain to administrative actions which are directed from the SCBSAG (Smith discloses that the enrollee group is an administrator group. It is understood that an administrator group only contains administrator accounts. The term "built-in" in a broad sense only means that it is part of the system).

Regarding claim 11, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising ensuring that each successful authentication to at least one of the following is a passwordless authentication: the CBPAM authentication domain, or the SCBSAG (Smith discloses that using passwordless authentication is a common way to improve security, which the person skilled in the art would readily apply in the present case, especially when, on page 10 of Smith, “Test Log In”, depending on the domain chosen or the account of the IT staffer, it is obvious to authenticate the user in the way that is set, such as passwordless).

Regarding claim 12, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising directing another administrative action toward a cloud resource through the SCBSAG (Smith discloses on pages 9-10 that, depending on the setting of the domain, an administrator can take actions).
Smith does not explicitly disclose: a cloud resource.
However, Srinivasan teaches a cloud resource (Srinivasan, see FIG. 2 along with ¶ [0052], “FIG. 4 is a block diagram 400 … IDCS 202 provides functionality to extend cloud identities to on-premise applications 218. The embodiment provides seamless view of the identity across all applications including on-premise and third-party applications. In the embodiment of FIG. 4, SCIM identity bus 234 is used to synchronize data in IDCS 202 with on-premise LDAP data called "Cloud Cache" 402. Cloud Cache 402 is disclosed in more detail below”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Smith with the teaching of Srinivasan, because the use of Srinivasan’s idea (Srinivasan, see abstract) could provide Smith (Smith, abstract) the ability to use cloud services for flexible deployment of resources in a cloud, so that the privileged access management of Smith would become the claimed cloud-based privileged access management: “an LDAP-based application 218 makes a connection to Cloud Cache 402, and

Regarding claim 13, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Srinivasan teaches: further comprising receiving an access request which requests privileged access to the on-premise resource, and enforcing an access policy against the request, the access policy specifying at least one of the following:
how many approvals are required for the access request to be granted;
a particular approval that is required for the access request to be granted;
a level of approval that is required for the access request to be granted; or
a time within which an approval is required for the access request to be granted (Srinivasan, first see ¶ [0021], which discloses that, in real time, the query is determined based on requested resource types, and continues in ¶ [0100], “When an HTTP request for a microservice is received, the corresponding real-time tasks are performed by the microservice in the middle tier, and the remaining near-real-time tasks such as operational logic/events that are not necessarily subject to real-time processing are offloaded to message queues 628 that support a highly scalable asynchronous event management system 630 with guaranteed delivery and processing. Accordingly, certain behaviors are pushed from the front end to the backend to enable IDCS to provide high level service to the customers by reducing latencies in response times”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Smith with the teaching of Srinivasan, because the use of Srinivasan’s idea (Srinivasan, see abstract) could provide Smith (Smith, abstract) the ability to use cloud services for flexible deployment of resources in a cloud, so that the privileged access management of Smith would become the claimed cloud-based privileged access management: “an LDAP-based application 218 makes a connection to Cloud Cache 402, and

Regarding claim 14, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further characterized as follows: directing the administrative action toward the on-premise resource through the SCBSAG occurs within a login session having state information which includes at least one of the following: a session key, an access credential; and the method further comprises discarding the state information when the login session ends (Smith, see page 6, “Open Active Directory Users and Computers …”; using session keys and discarding them is a standard option in the field of Active Directory. In addition, Srinivasan teaches a session key, see ¶ [0099], “The real-time tasks perform the main business functionality of a specific identity service. For example, when requesting a login service, an application sends a message to authenticate a user's credentials and get a session cookie in return”, and the same motivation could be used for the combination).

Regarding claim 15, the combination of Smith and Srinivasan teaches all the limitations of claim 6. Further, Smith teaches: further comprising utilizing a directory as an intermediate storage location for a security identification of a member of the enrollee group, the directory being managed by a cloud-based identity management service (Smith discloses directories for storing security identifications of the group’s members on pages 3-7).
Smith does not explicitly disclose: a cloud-based management service.
However, Srinivasan teaches: a cloud-based management service (Srinivasan, see FIG. 2 along with ¶ [0052], “FIG. 4 is a block diagram 400 … IDCS 202 provides functionality to extend cloud identities to on-premise applications 218. The embodiment provides seamless view of the identity across all applications including on-premise and third-party applications. In the embodiment of FIG. 4, SCIM
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Smith with the teaching of Srinivasan, because the use of Srinivasan’s idea (Srinivasan, see abstract) could provide Smith (Smith, abstract) the ability to use cloud services for flexible deployment of resources in a cloud, so that the privileged access management of Smith would become the claimed cloud-based privileged access management: “an LDAP-based application 218 makes a connection to Cloud Cache 402, and Cloud Cache 402 establishes a connection to IDCS 202 and then pulls data from IDCS 202” (Srinivasan, ¶ [0053]).

Regarding claim 16, this claim defines a computer-readable storage medium claim that corresponds to system claim 1 and does not define beyond the limitations of claim 1. Therefore, claim 16 is rejected with the same rationale as in the rejection of claim 1. Furthermore, Smith on page 2, “Devolutions Remote Desktop Manager”, discloses all connections on a single platform across the entire team “With support for hundreds of integrated technologies”, which includes a computer-readable storage medium where the storage medium executes instructions from a memory medium.

Regarding claim 17, this claim defines a computer-readable storage medium claim that corresponds to system claim 5 and method claim 10 and does not define beyond the limitations of claims 5 and 10. Therefore, claim 17 is rejected with the same rationale as in the rejection of claims 5 and 10. Furthermore, Smith on page 2, “Devolutions Remote Desktop Manager”, discloses all connections on a single platform across the entire team “With support for

Regarding claim 18, this claim defines a computer-readable storage medium claim that corresponds to system claim 10 and does not define beyond the limitations of claim 10. Therefore, claim 18 is rejected with the same rationale as in the rejection of claim 10. Furthermore, Smith on page 2, “Devolutions Remote Desktop Manager”, discloses all connections on a single platform across the entire team “With support for hundreds of integrated technologies”, which includes a computer-readable storage medium where the storage medium executes instructions from a memory medium.

Regarding claim 19, the combination of Smith and Srinivasan teaches all the limitations of claim 16. Further, Smith teaches: wherein the method further comprises verifying that the administrative action or the administrative user account or both of them satisfy an access policy which requires multiple approvals, with the verifying performed before directing the administrative action toward the on-premise resource (Smith on page 2, “Devolutions Remote Desktop Manager”, discloses multiple protocols and VPNs along with built-in enterprise-grade password management tools, which reads on applicant’s limitation). Furthermore, Smith on page 2, “Devolutions Remote Desktop Manager”, discloses all connections on a single platform across the entire team “With support for hundreds of integrated technologies”, which includes a computer-readable storage medium where the storage medium executes instructions from a memory medium.

Regarding claim 20, the combination of Smith and Srinivasan teaches all the limitations of claim 16. Further, Smith teaches: wherein the method further comprises accepting a login to the administrative user account from at least one of the following: an administrative virtual desktop; a privileged access workstation owned by a cloud tenant; or a privileged access workstation leased to a cloud tenant (Smith on page 2, “Devolutions Remote Desktop Manager”, discloses multiple protocols and VPNs along with built-in enterprise-grade password management tools, which reads on applicant’s limitation).
Furthermore, Smith on page 2, “Devolutions Remote Desktop Manager”, discloses all connections on a single platform across the entire team “With support for hundreds of integrated technologies”, which includes a computer-readable storage medium where the storage medium executes instructions from a memory medium.

Allowable subject matter
12.	Claim 5 is objected to as being dependent upon a rejected base claim, but would be allowable (in view of other limitations of the independent claims) if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and further overcoming other rejections or objections that might have been rendered above. The detailed reason for allowance will be furnished upon allowance of the application.
 
Examiner note:
13.	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation, and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution. MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R. 1.131(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as ‘Applicants believe no new matter has been introduced’ may be deemed insufficient.”

Conclusion
14.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Gole et al. US 2014/0215136 discloses implementing efficiently storing information in a solid state storage device based on data classification.
Jalili et al., 2019, published by Oxford University Press, “Cloud bursting galaxy: federated identity and access management”, discloses that users can access biomedical datasets across multiple cloud computing platforms using best-practice Web security approaches and thereby minimize risks of unauthorized data access and credential use.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALIL NAGHDALI whose telephone number is (571) 272-9884. The examiner can normally be reached on M-F 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE L KINCAID can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
/KHALIL NAGHDALI/Primary Examiner, Art Unit 2437