DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 11/04/2019 and 03/24/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
3.	Claim 2 is objected to because of the following informalities:
In Claim 2,  a limitation recites, “wherein the resource managed by the access management service comprises an application for which the access management service manages access privileges to access the application, and wherein the instructions for receiving the first signal requesting an indication whether the user further comprise instructions configured to cause the processor to perform operations comprising:” (emphasis added). 
However, it is recommended by the examiner that it should be changed to “wherein the resource managed by the access management service comprises an application for which the access management service manages access privileges to access the application, and wherein the instructions for receiving the first signal further comprise instructions configured to cause the processor to perform operations comprising:”(emphasis added). 
Appropriate correction is required.

Claim Rejections - 35 USC § 112
4.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



5.	Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

6.	Claim 1 recites in a limitation “determining that first user account data does not include an access privilege attribute that permits access to the resource” (emphasis added). However, it is unclear whether the “first user account data” recited in the limitation is referring to the “first user account data” recited in the previous limitation or a different one, making the claim indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claims 9 and 16 suffer from similar deficiencies and are rejected using the same rationale.
Dependent Claims 2-8, 10-15 and 17-20 are rejected based upon their respective dependence from independent claims 1, 9 and 16.
Note: Applicant may overcome this rejection by changing “first user account data” to “the first user account data”. For examining purposes, the examiner is interpreting that the applicant is referring to the same “first user account data.”
an access management service, the method comprising” (Emphasis added). Another limitation recites “receiving, via a communication network, a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource” (Emphasis added). 
However, it is unclear whether the “access management service” recited in the first limitation is referring to the “access management service” recited in the preamble or a different one. Further, it is unclear whether “the access management service” recited in later limitations is referring to the preamble or the first limitation, making the claim indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. There is insufficient antecedent basis for this limitation in the claim.
Claim 16 suffers from similar deficiencies and is rejected using the same rationale.
Dependent Claims 10-15 and 17-20 are rejected based upon their respective dependence from independent Claims 9 and 16.
Note: Applicant may overcome this rejection by changing “an access management service” in the first limitation to “the access management service”. For the examination purposes, the examiner is interpreting that the applicant is referring to the access management service recited in the preamble.

Claim Rejections - 35 USC § 102
7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


8.	Claims 1, 8, 9, 15 and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Drabant (US 2019/0014120 A1, hereinafter Drabant) [As disclosed in IDS].

Regarding Claim 1, 
Drabant discloses a computing device (Drabant: ¶ [0056] the computing system 500 can include a processor 510, a memory 520, See Fig. 5, ¶ [0003]) comprising: 
a processor (Drabant: ¶ [0056] the computing system 500 can include a processor 510, a memory 520…, processor 510 is capable of processing instructions stored in the memory 520 and/or on the storage device 530, See Fig. 5); and 
a computer-readable medium storing executable instructions for causing the processor to perform operations (Drabant: ¶ [0056] the computing system 500 can include a processor 510, a memory 520…, processor 510 is capable of processing instructions stored in the memory 520 and/or on the storage device 530 See Fig. 5, ¶ [0057] memory 520 is a computer readable medium such as volatile or non-volatile that stores information within the computing system 500) comprising: 
receiving, via a communication network (Drabant: ¶ [0024] network 130 can be any wired and/or wireless network, See Fig. 1 --130), a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource (Drabant: ¶ [0051] cloud platform 110 can receive…, For example, the second user 120B can provide, via the user interface 210, the uniform resource locator (URL) of the second tenant 115B and the desired resource R associated with the first tenant 115A, ¶ [0052] the cloud platform 110 can determine, based on the authorization table 300, whether the second user 120B can access the resource R associated with the first tenant 115A,  ¶ [0025] first user 120A and the second user 120B can access the services provided by the cloud platform 110 by
being associated with one or more tenants of the cloud platform 110 including, for example, the first tenant 115A and/or the second tenant 115B, ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B, ¶ [0003, 0039]); 
responsive to receiving the first signal, accessing a first user account data of the user stored in a memory and associated with the first tenant of the access management service (Drabant: ¶ [0052] in response to the request from the second user 120B to access the resource R associated with the first tenant 115A, the cloud platform 110 can query the authorization table 300 to identify one or more relevant authorizations…, query the authorization table 300 to identify authorizations arising from…, user to-user sharing relationships that include the second user 120B…, determine that the second user 120B is authorized to access the resource R if one or more sharing relationships provides the second user 120B…, access to the resource R, ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource
R to the second user 120B, ¶ [0041] the second entry 320, the second user 120 of the second tenant 115B can have permission to access, via the vendor management system application 252D, data associated with the first tenant 115A, ¶ [0057] memory 520 can store data structures, See also Fig. 3, ¶¶ [0050, 0038]), wherein the first user account data comprises a linked account identifier attribute including a first identifier associated with a second tenant of the (Drabant: ¶ [0005] an entry corresponding to the sharing relationship can be inserted into the authorization table in response to a formation of the sharing relationship, ¶ [0047] identifier associated with the sharing relationship, ¶ [0041] the second entry 320 can include information identifying the users…, second entry 320 can further identify the home tenant of the relevant users (e.g., the second tenant 115B)) and a second identifier associated with second user account data of the second tenant  (Drabant: ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship, ¶ [0047] identifier associated with the sharing relationship, ¶ [0041] the second entry 320 can include information identifying the users…, second entry 320 can further identify the home tenant of the relevant users (e.g., the second tenant 115B), ¶ [0025] first user 120A and the second user 120B can access the services provided by the cloud platform 110 by being associated with one or more tenants of the cloud platform 110 including, for example, the first tenant 115A
and/or the second tenant 115B, ¶ [0035]); 
determining that first user account data does not include an access privilege attribute that permits access to the resource (Drabant: ¶ [0054] access to the resource associated with the second tenant based at least on the determination that the first user is authorized to access the resource…,); 
in response to determining that the first user account data does not have the access privilege to access the resource (Drabant: ¶ [0054] access to the resource associated with the second tenant based at least on the determination that the first user is authorized to access the resource…, the second user 120B can be given access to the resource R in the event that the cloud platform 110 determines that one or more sharing relationships provides the second user 120B access to the resource R associated with the first tenant 115A), performing a nested access privilege check (Drabant: ¶ [0049] cloud platform 110 can control, based on the authorization table 300, inter-tenant access to one or more resources (408)…, determine, based on the authorization table 300, whether a user associated with the second tenant 115B is authorized to access data and/or resources associated with the first tenant 115A, ¶ [0053] a user-to-user sharing relationship…, provides access to the resource R to the second user 120B specifically, to a user group associated with the second user 120B, and/or to user role associated with the second user 120B, ¶ [0047, 0050]) by: 
accessing the linked account identifier attribute of the first user account data to determine whether the user is associated with the second user account data of the second tenant (Drabant: ¶ [0025] first user 120A and the second user 120B can access the services provided by the cloud platform 110 by being associated with one or more tenants of the cloud platform 110 including, for example, the first tenant 115A
and/or the second tenant 115B, ¶ [0005] an entry corresponding to the sharing relationship can be inserted into the authorization table in response to a formation of the sharing relationship, ¶ [0032] the second tenant 115B can subsequently
assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship, ¶ [0047] identifier associated with the sharing relationship, ¶ [0052] the cloud platform 110 can determine, based on the authorization table 300, whether the second user 120B can access the resource R associated with the first tenant 115A); 
upon determining that the user is associated with the second user account data  (Drabant: ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship), accessing the second user account data in the second tenant of the access management service (Drabant: ¶ [0033] the first user 120A may be unable to provide access to the resource R if the first user 120A is restricted from accessing the resource R and/or lack the privilege from providing such access, ¶ [0035] the resource provider is a user associated with one tenant while the resource consumer is one or more of the users associated with the same or a different tenant,  ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource
R to the second user 120B, See also Fig. 3); and 
determining that the second user account data includes the access privilege attribute indicating that the user is permitted to access to the resource (Drabant: ¶ [0041] the second entry 320 can include information identifying the users who are relevant to this inter-tenant authorization. The second entry 320 can further identify the home tenant of the relevant users, ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B,  ¶ [0036—Table 2 User-to-User] scope of access is commensurate with the scope of privilege of the user associated with the provider tenant who is providing the access, See Fig. 3—Data Access Allowed); and 
granting, via the communication network (Drabant: ¶ [0024] network 130 can be any wired and/or wireless network, See Fig. 1 --130), access to the resource responsive to the nested access privilege check determining that the user is permitted to access to the resource (Drabant: ¶ [0054] the second user 120B can be given access to the resource R in the event that the cloud platform 110 determines that one or more sharing relationships provides the second user 120B access to the resource R associated with the first tenant 115A…, the second user 120B can have access to the resource R based on a user-to-user sharing relationship between the first user 120A and the second user 120B, ¶ [0003,0025]).
Regarding Claim 8,
Claim 8 is dependent on Claim 1, and Drabant discloses all the limitations of Claim 1. Drabant further discloses wherein the instructions for performing the nested access privilege check further comprise instructions for causing the processor to perform the operations of (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]): 
determining that the first user account of the user is associated with a plurality of user accounts managed by the access management service (Drabant: ¶ [0053] Access to the resource R can be further assigned, by the second tenant 115B, to one or more specific users such as the second user 120B…, a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B specifically, to a user group associated with the second user 120B); 
determining whether a respective one of the plurality of user accounts is associated with an access privilege to access the resources (Drabant: ¶ [0053] the second tenant 115B may subsequently assign this access to the resource R to one or more specific users of the second tenant 115B such as, for example, the second user 120B…, a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B specifically, to a user group associated with the second user 120B); and 
determining that the user is associated with a second user account that is associated with the access privilege to access the resource responsive to a respective one of the plurality of user (Drabant: ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B specifically, to a user group associated with the second user 120B, ¶ [0054] the second user 120B can be given access to the resource R in the event that the cloud platform 110 determines that one or more sharing relationships provides the second user 120B access to the resource R…, the second user 120B can have access to the resource R based on…, a user-to-user sharing relationship between the first user 120A and the second user 120B, ¶ [0025] the first user 120A and the second user 120B can both be associated with either the first tenant 115A or the second tenant 115B, ¶ [0039]).

Regarding Claim 9,
Drabant discloses a method performed by an access management service (Drabant:  [Abstract] methods and articles of manufacture, including computer program products, ¶ [0003] Methods, systems, and articles of manufacture, including computer program products, are provided for resource sharing), and discloses all the limitations of Claim 9 as discussed in Claim 1. Therefore, Claim 9 is rejected using the same rationales as discussed in Claim 1.

Regarding Claim 15,
Claim 15 is dependent on Claim 9, and Drabant discloses all the limitations of Claim 9. Drabant discloses all the limitations of Claim 15 as discussed in Claim 8. Therefore, Claim 15 is rejected using the same rationales as discussed in Claim 8.


Regarding Claim 16,
Drabant discloses a memory device storing instructions that, when executed on a processor of a computing device, cause the computing device to provide an access management service on the computing device, by (Drabant: ¶ [0010] a tangibly embodied machine-readable medium operable to cause one or more machines (e.g., computers, etc.) to result in operations implementing one or more of the described features…, memory, which can include a non-transitory computer-readable or machine-readable storage medium, may include, encode, store, or the like one or more programs that cause one or more processors to perform one or more of the operations, ¶ [0003] Methods, systems, and articles of manufacture, including computer program products, are provided for resource sharing), and discloses all the limitations of Claim 16 as discussed in Claim 1. Therefore, Claim 16 is rejected using the same rationales as discussed in Claim 1.

Claim Rejections - 35 USC § 103
9.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



10.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

11.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

12.	Claims 2-4, 10-12 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Drabant (US 2019/0014120 A1, hereinafter Drabant) [As disclosed in IDS] in view of Fischer et al. (US 10,044,723 B1, hereinafter Fischer) [As disclosed in IDS]. 

Regarding Claim 2,
Claim 2 is dependent on Claim 1, and Drabant discloses all the limitations of Claim 1. Drabant further discloses wherein the resource managed by the access management service comprises an application for which the access management service manages access privileges to access the application (Drabant: ¶ [0011] web application user interfaces, ¶ [0022]  the cloud platform 110 can host a variety of services including, for example, identity and access management for each of the first tenant 115A and the second tenant 115B, ¶ [0038] the cloud platform 110 can include a user interface 210 for interfacing with users such as, for example, the first user 120A and/or the second user 120B. For instance, definitions of shared relationships can be provided via the user interface 210, ¶ [0051]), and wherein the instructions for receiving the first signal requesting an indication whether the user further comprise instructions configured to cause the processor to perform operations (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]) comprising:
 receiving the first signal via an access privilege verification Application Programming Interface (API) associated with the access management service (Drabant: ¶ [0011] web application user interfaces, ¶ [0038] the cloud platform 110 can include a user interface 210 for interfacing with users such as, for example, the first user 120A and/or the second user 120B. For instance, definitions of shared relationships can be provided via the user interface 210, ¶ [0051]).
However, it is noted that Drabant does not explicitly disclose:
receiving the first signal via an access privilege verification Application Programming Interface (API) associated with the access management service. 
However, Fischer from the same field of endeavor as the claimed invention discloses plurality of tenants is identified in which the user is a member and, for each of the tenants associated with the user, one or more roles of the user are determined within the tenant (Fischer: [Abstract]),  includes user interface 410 configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), Representational State Transfer (REST) protocol…, an authentication access request refers to a request to perform a verification operation on a user (Fischer: [Col. 14 Lines: 33-37]), and 
Source (HTTPS), Representational State Transfer (REST) protocol, from an authenticated user, an access token from the authenticated user, and/or a request to determine which role(s) are assigned/authorized to the user within a requested tenant (e.g., the tenant specified/authenticated at the login process) and/or one or more child tenants of the requested tenant. Here, a data access request can be a read, write, delete, and/or replicate request (Fischer: [Col. 16 Lines: 23-36], also see [Col. 17 Lines: 31-46], Fig. 4—410 API).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Fischer in the teachings of Drabant. A person having ordinary skill in the art would have been motivated to do so because APIs allow connecting to different platforms and applications in cloud based systems to share information.	

Regarding Claim 3,
Claim 3 is dependent on Claim 2, and the combination of Drabant and Fischer discloses all the limitations of Claim 2. Drabant further discloses wherein the instructions for granting access to the resource further comprise instructions configured to cause the processor to perform operations (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]) comprising: 
sending a second signal to the application via the access privilege verification API indicating that should be granted access to the application in response to the user being associated with a second user account that has the access privileged for the resource (Drabant: ¶ [0011] web application user interfaces, ¶ [0038] the cloud platform 110 can include a user interface 210 for interfacing with users such as, for example, the first user 120A and/or the second user 120B…, the first user 120A and/or the second user 120B can access, via the user interface 210, cloud-based data and/or resources at the cloud platform 110 including, for example, shared data and/or resources that are subject to the sharing relationship between the first tenant 115A and the second tenant 115B, ¶ [0054] the second user 120B can be given access to the resource R in the event that the cloud platform 110 determines that one or more sharing relationships provides the second user 120B access to the resource R associated with the first tenant 115A, Fig. 2, ¶ [0051, 0053, 0025]).
However, it is noted that Drabant does not explicitly disclose:
receiving the first signal via an access privilege verification Application Programming Interface (API) associated with the access management service. 
However, Fischer further discloses auth server 180 includes user interface 410 configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), Representational State Transfer (REST) protocol…, an authentication access request refers to a request to perform a verification operation on a user (Fischer: [Col. 14 Lines: 33-37]), and user group may also be organized/nested in to other user group. Each identity provider (e.g., identity provider server 170) may be associated with one or more tenants in an authentication/authorization server (e.g., auth server 180) to grant the users/principals access to resources associated with one or more tenants (Fischer: [Col. 14 Lines: 33-37]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Fischer in the teachings of Drabant. A person having ordinary skill in the art would have been motivated to do so because APIs allow connecting to different platforms and applications in cloud based systems to share information.	

Regarding Claim 4,
Claim 4 is dependent on Claim 1, and Drabant discloses all the limitations of Claim 1. Drabant further discloses further comprising instructions configured to cause the processor to perform operations of (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]): 
responsive to a result of the nested access privilege check, granting access to the resource responsive to the nested access privilege check (Drabant: ¶ [0049] cloud platform 110 can control, based on the authorization table 300, inter-tenant access to one or more resources (408)…, determine, based on the authorization table 300, whether a user associated with the second tenant 115B is authorized to access data and/or resources associated with the first tenant 115A, ¶ [0053] a user-to-user sharing relationship…, provides access to the resource R to the second user 120B specifically, to a user group associated with the second user 120B, and/or to user role associated with the second user 120B, ¶ [0047]) determining that the user is associated with the second user account, the second user account is associated with the access privilege to access the resource (Drabant: ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship ¶ [0041] the second entry 320 can include information identifying the users who are relevant to this inter-tenant authorization. The second entry 320 can further identify the home tenant of the relevant users, ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B,  ¶ [0036—Table 2 User-to-User] scope of access is commensurate with the scope of privilege of the user associated with the provider tenant who is providing the access, See Fig. 3—Data Access Allowed), and the first tenant and the second tenant are part of the same organization.

determining whether the first tenant and the second tenant are part of a same organization; and 
responsive to a result of the nested access privilege check, granting access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account, the second user account is associated with the access privilege to access the resource, and the first tenant and the second tenant are part of the same organization.
However, Fischer further discloses an authentication and authorization server (also referred to as an auth server) is utilized to authenticate and authorize users (also referred to as principals) who may have different roles in different tenants of the same organization entity (i.e. tenants are part of the same organization) (Fischer: [Col. 3 Lines: 59-63]), and user group may also be organized/nested in to other user group. Each identity provider (e.g., identity provider server 170) may be associated with one or more tenants in an authentication/authorization server (e.g., auth server 180) to grant the users/principals access to resources associated with one or more tenants (Fischer: [Col. 14 Lines: 33-37]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Fischer in the teachings of Drabant. A person having ordinary skill in the art would have been motivated to do so because APIs allow connecting to different platforms and applications in cloud based systems to share information.

Regarding Claims 10 and 12,
Claims 10 and 12 are dependent on Claim 9, and Drabant discloses all the limitations of Claim 9. The combination of Drabant and Fischer discloses all the limitations of Claims 10 and 12 

Regarding Claim 11,
Claim 11 is dependent on Claim 10, and the combination of Drabant and Fischer discloses all the limitations of Claim 10. The combination of Drabant and Fischer discloses all the limitations of Claim 11  as discussed in Claim 3. Therefore, Claim 11 is rejected using the same rationales as discussed in Claim 3.


Regarding Claim 17,
Claim 17 is dependent on Claim 16, and Drabant discloses all the limitations of Claim 16. The combination of Drabant and Fischer discloses all the limitations of Claim 17 as discussed in Claims 2 and 3. Therefore, Claim 17 is rejected using the same rationales as discussed in Claims 2 and 3.


Regarding Claim 18,
Claim 18 is dependent on Claim 16, and Drabant discloses all the limitations of Claim 16. The combination of Drabant and Fischer discloses all the limitations of Claim 18 as discussed in Claim 4. Therefore, Claim 18 is rejected using the same rationales as discussed in Claim 4.


	
13.	Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Drabant (US 2019/0014120 A1, hereinafter Drabant) [As disclosed in IDS] in view of Srinivasan et al. (US 2016/0173475 A1, hereinafter Srinivasan).
Regarding Claim 5,
Claim 5 is dependent on Claim 1, and Drabant discloses all the limitations of Claim 1. Drabant further discloses further comprising instructions configured to cause the processor to perform operations of (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]): 
determining that the user has the second user account associated with the second tenant (Drabant: ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship…, the resource provider is a user associated with one tenant while the resource consumer is one or more of the users associated with the same or a different tenant,  ¶ [0041] the second entry 320 can include information identifying the users who are relevant to this inter-tenant authorization. The second entry 320 can further identify the home tenant of the relevant users, ¶ [0053] a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B, See also Fig. 3-320). 
However, it is noted that Drabant does not explicitly disclose:
determining that the user does not have a user account associated with the first tenant responsive to receiving the request from the user; and
creating the first user account with the first tenant responsive to determining that the user does not have a user account associated with the first tenant and that the user has the second user account with the second tenant.
However, Srinivasan from the same field of endeavor as the claimed invention discloses a customer can establish an account with a centralized store in order to enable that customer to purchase cloud-based services…, purchasing a service through the centralized store using this account, an identity domain-specific account can be created for that customer within the cloud computing environment…, (i.e. creating an account) identity domain-specific account can be associated with and isolated to the identity domain that is created for the customer upon the customer's first purchase of a cloud-based service through the centralized store (i.e. responsive to the first request determine user does not have an account) (Srinivasan: ¶ [0166]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Srinivasan in the teachings of Drabant. A person having ordinary skill in the art would have been motivated to do so in order to prevent users associated with customers' identity domains from performing operations relative to resources outside of their identity domains, but also can allow operations users associated with the cloud domain to perform operations relative to resources across customers' identity domains (Srinivasan: ¶ [0168]).
	
Regarding Claim 6,
Claim 6 is dependent on Claim 5, and the combination of Drabant and Srinivasan discloses all the limitations of Claim 5. Drabant further discloses further comprising instructions configured to cause the processor to perform operations of (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]): 
linking the first user account to the second user account in the access management service (Drabant: ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship, ¶ [0005] an entry corresponding to the sharing relationship can be inserted into the authorization table in response to a formation of the sharing relationship, ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0052] the cloud platform 110 can determine, based on the authorization table 300, whether the second user 120B can access the resource R ¶ [0025, 0047]).

Regarding Claim 7,
Claim 7 is dependent on Claim 5, and the combination of Drabant and Srinivasan discloses all the limitations of Claim 5. However, Drabant does not explicitly disclose wherein the instructions for creating the first user account responsive to determining that the user does not have a user account associated with the first tenant further comprise instructions configured to cause the processor to perform the operations of: creating a member account for the first user that is not associated with any access privileges to access resources associated with the first tenant.
However, Srinivasan further discloses a customer can establish an account with a centralized store in order to enable that customer to purchase cloud-based services…, purchasing a service through the centralized store using this account, an identity domain-specific account can be created for that customer within the cloud computing environment…,  (i.e. creating an account) identity domain-specific account can be associated with and isolated to the identity domain that is created for the customer upon the customer's first purchase of a cloud-based service through the centralized store (i.e. responsive to the first request determine user does not have an account) (Srinivasan: ¶ [0166]), and Components of infrastructure 102 do not belong to any single identity domain created for any customer (i.e. account is not associated with resources of store) (Srinivasan: ¶ [0168]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Srinivasan in the teachings of Drabant. A person having ordinary skill in the art would have been motivated to do so in order to prevent users associated with customers' identity domains from performing operations relative to resources outside of their identity domains, but also can allow operations users associated with the cloud domain to perform operations relative to resources across customers' identity domains (Srinivasan: ¶ [0168]).

14.	Claims 13-14 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Drabant (US 2019/0014120 A1, hereinafter Drabant) [As disclosed in IDS] in view of Fischer et al. (US 10,044,723 B1, hereinafter Fischer) [As disclosed in IDS] and further in view of Srinivasan et al. (US 2016/0173475 A1, hereinafter Srinivasan).


Regarding Claim 13,
Claim 13 is dependent on Claim 12, and the combination of Drabant and Fischer discloses all the limitations of Claim 12. Drabant further discloses determining that the user has user account associated with the second tenant associated with the first tenant (Drabant: ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship…, the resource provider is a user associated with one tenant while the resource consumer is one or more of the users associated with the same or a different tenant,  ¶ [0041] the second entry 320 can include information identifying the users who are relevant to this inter-tenant authorization. The second entry 320 can further identify the home tenant of the relevant users, ¶ [0053] tenant-to-tenant sharing relationship can exist between the first tenant 115A and the second tenant 115B in which the second tenant 115B is given access to the resource R..., a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B, See also Fig. 3-320).

determining that the user does not have an account associated with the first tenant responsive to receiving the request from the user; and
creating the first user account responsive to determining that the user does not have an account associated with the first tenant.
However, Srinivasan from the same field of endeavor as the claimed invention discloses a customer can establish an account with a centralized store in order to enable that customer to purchase cloud-based services…, purchasing a service through the centralized store using this account, an identity domain-specific account can be created for that customer within the cloud computing environment…, (i.e. creating an account) identity domain-specific account can be associated with and isolated to the identity domain that is created for the customer upon the customer's first purchase of a cloud-based service through the centralized store (i.e. responsive to the first request determine user does not have an account) (Srinivasan: ¶ [0166]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Srinivasan in the teachings of Drabant and Fischer. A person having ordinary skill in the art would have been motivated to do so in order to prevent users associated with customers' identity domains from performing operations relative to resources outside of their identity domains, but also can allow operations users associated with the cloud domain to perform operations relative to resources across customers' identity domains (Srinivasan: ¶ [0168]).



Regarding Claim 14,
Claim 14 is dependent on Claim 13, and the combination of Drabant, Fischer and Srinivasan discloses all the limitations of Claim 13. Drabant further discloses all the limitations of Claim 14 as discussed in Claim 6. Therefore, Claim 14 is rejected using the same rationales as discussed in Claim 6.

Regarding Claim 19,
Claim 19 is dependent on Claim 18, and the combination of Drabant and Fischer discloses all the limitations of Claim 18. Drabant further discloses instructions configured to cause the computing device to perform operations of (Drabant: ¶ [0003] memory storing instructions that result in operations when executed by the at least one data processor, ¶ [0056]): determining that the user has user account associated with the second tenant associated with the first tenant (Drabant: ¶ [0032] the second tenant 115B can subsequently assign this sharing relationship to one or more specific users, ¶ [0035] a sharing relationship can also be a user-to-user sharing relationship…, the resource provider is a user associated with one tenant while the resource consumer is one or more of the users associated with the same or a different tenant,  ¶ [0041] the second entry 320 can include information identifying the users who are relevant to this inter-tenant authorization. The second entry 320 can further identify the home tenant of the relevant users, ¶ [0053] tenant-to-tenant sharing relationship can exist between the first tenant 115A and the second tenant 115B in which the second tenant 115B is given access to the resource R..., a user-to-user sharing relationship can exist between the first user 120A and the second user 120B in which the first user 120A provides access to the resource R to the second user 120B, See also Fig. 3-320). 

determining that the user does not have an account associated with the first tenant responsive to receiving the request from the user; and 
creating the first user account responsive to determining that the user does not have an account associated with the first tenant.
However, Srinivasan from the same field of endeavor as the claimed invention discloses a customer can establish an account with a centralized store in order to enable that customer to purchase cloud-based services…, purchasing a service through the centralized store using this account, an identity domain-specific account can be created for that customer within the cloud computing environment…, (i.e. creating an account) identity domain-specific account can be associated with and isolated to the identity domain that is created for the customer upon the customer's first purchase of a cloud-based service through the centralized store (i.e. responsive to the first request determine user does not have an account) (Srinivasan: ¶ [0166]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Srinivasan in the teachings of Drabant and Fischer. A person having ordinary skill in the art would have been motivated to do so in order to prevent users associated with customers' identity domains from performing operations relative to resources outside of their identity domains, but also can allow operations users associated with the cloud domain to perform operations relative to resources across customers' identity domains (Srinivasan: ¶ [0168]).



Regarding Claim 20,
Claim 20 is dependent on Claim 19, and the combination of Drabant, Fischer and Srinivasan discloses all the limitations of Claim 19. Drabant further discloses all the limitations of Claim 20 as discussed in Claim 6. Therefore, Claim 20 is rejected using the same rationales as discussed in Claim 6.
Conclusion
15.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US-10972444-B1
US-20140280939-A1
US-10250612-B1
US-10819750-B1
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507.  The examiner can normally be reached on MON-FRI 8AM-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 

/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494

/Jeremy S Duffield/
Primary Examiner, Art Unit 2498