DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 07/28/2020, in which claims 1-20 are pending. Claims 1, 6, 9 and 14 are independent.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/28/2020, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 07/28/2020 are accepted by the Examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mohamad Adbul et al. (US 2020/0007530 A1, cited by the applicant in the 07/28/2020 IDS) in view of Mani et al. (US 2014/0280595 A1).
Regarding Claims 1, 9, and 14, Mohamad Adbul discloses
provide a user interface via web portal through which users of a particular tenant of multiple tenants of a service provider are able to configure permissions for and access a plurality of resources of a set of services, including internal services and external services associated with a hybrid cloud ([0016], “hybrid cloud deployments (i.e., cloud deployments which include a combination of a public cloud and a private cloud)”, [0032], “provides a cloud-scale API platform and implements horizontally scalable microservices for elastic scalability. The embodiment leverages cloud principles and provides a multi-tenant architecture with per-tenant data separation. The embodiment further provides per-tenant customization via tenant self-service. The embodiment is available via APIs for on-demand integration with other identity services, and provides continuous feature release”, [0034], “implements a number of microservices in a stateless middle tier to provide cloud-based multi-tenant identity and access management services”, [0063], “providing users with the application access appropriate for their identity and role within the organization, certifying that they have the correct ongoing access permissions”, [0082], “SAML service providers”, [0090], “internal and external IDCS consumers”); 
provide a unified Identity and Access Management (IAM) control plane across the set of services, wherein at least some services of the set of services use a different IAM protocol or a different IAM scheme ([0024], “provide an Identity unified IAM functionality”, [0036], “services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), event services 138 (e.g., REST), and authorization services 140 (e.g., SCIM). IDCS 118 may further provide reports and dashboards 120 related to the offered services”); 
maintain a centralized IAM service containing information regarding the permissions for the plurality of resources ([0024], “provide an Identity Cloud Service (“IDCS”) that is a multi-tenant, cloud-scale, IAM platform”, [0034], “a number of microservices”, [0082], “IDCS resources”); and 
support a plurality of service integrations for the set of services, including providing a first set of application programming interfaces (APIs) that facilitate a direct integration of the plurality of service integrations with the unified IAM control plane in which the centralized IAM service maintains access control information for resources associated with a first service of the set of services (Fig. 1 shows a plurality of APIs, [0032], “a cloud-scale API platform”, [0035], “Fig. 1… providing a unified identity platform 126 for onboarding users and applications. The embodiment provides seamless user experience across various applications such as enterprise cloud applications 102, partner cloud applications 104, third-party cloud applications 110, and customer applications 112”, [0036], “IDCS 118 provides a unified view 124 of a user's applications, a unified secure credential across devices and applications (via identity platform 126), and a unified way of administration (via an admin console 122). IDCS services may be obtained by calling IDCS APIs 142. Such services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), event services 138 (e.g., REST), and authorization services 140 (e.g., SCIM). IDCS 118 may further provide reports and dashboards 120 related to the offered services”, [0063], “An IDCS approach can save time and effort in one-off upgrades and ensure appropriate integration among necessary departments, divisions, and systems”).
Mohamad Adbul does not explicitly teach but Mani teaches
a managed service provider (MSP) ([0241], “a Managed Services Provider”).
Mohamad Adbul and Mani are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mani with the disclosure of Mohamad Adbul. The motivation/suggestion would have been to manage users through Cloud-brokered virtual directory services (Mani, [0245]).

Regarding Claims 2, 10, and 15, the combined teaching of Mohamad Adbul and Mani teaches
wherein the instructions further cause the processing resource to provide a second set of APIs that facilitate a brokered integration of the plurality of service integrations with the unified IAM control plane in which the unified IAM control plane maintains consistency between the centralized IAM service and an authorization system utilized by a second service of the set of services (Mohamad Adbul, [0036], “IDCS 118 provides a unified view 124 of a user's applications, a unified secure credential across devices and applications (via identity platform 126), and a unified way of administration (via an admin console 122). IDCS services may be obtained by calling IDCS APIs 142. Such services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), event services 138 (e.g., REST), and authorization services 140 (e.g., SCIM). IDCS 118 may further provide reports and dashboards 120 related to the offered services”).

Regarding Claims 3, 11, and 16, the combined teaching of Mohamad Adbul and Mani teaches
wherein the instructions further cause the processing resource to provide a third set of APIs that facilitate an authentication level enforcement integration of the plurality of service integrations with the unified IAM control plane in which the unified IAM control plane injects claims into a single sign-on (SSO) authentication protocol implemented by a third service of the set of services that are interpreted and enforced by the third service on a per session basis (Mohamad Adbul, [0024], “provide an Identity Cloud Service (“IDCS”) that is a multi-tenant, cloud-scale, IAM platform”, Mani, [0372], “use the federated authentication indicated at first (using, e.g., SAML SSO) or OpenID --where Tenant serves as the Identity Provider (IdP) authenticating the user; and an OpenID provider may be 
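The authentication level enforcement integration recited in Claims 3, 11 and 16 (the control plane injecting claims into the SSO token, the third service interpreting and enforcing them once per session) is illustrated by the following example. It is an added illustration written for this page, not code from the application or from either cited reference. The HS256 shared key, the issuer URL, the numeric authentication levels (1 = password, 2 = MFA), the policy tables and the session identifier scheme are assumptions; a production issuer would sign with an asymmetric key published through JWKS.

```python
"""SSO claim injection enforced per session.  Added illustration only; not code
from the application or the cited references.  Shared key, issuer URL,
auth-level scale and policy tables are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

KEY = b"demo-shared-secret"   # constructed for the example only
T0 = 1_700_000_000            # fixed clock so the walkthrough is reproducible


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


class ControlPlane:
    """Unified IAM control plane acting as the SSO issuer.  At login it looks
    the user up in the centralized IAM service and injects the resulting
    claims (roles for the target service, achieved auth level) into the token."""

    def __init__(self, key: bytes, central_iam: Dict[str, Dict[str, List[str]]]) -> None:
        self.key = key
        self.central_iam = central_iam   # user -> {audience -> roles}

    def issue_token(self, user: str, audience: str, auth_level: int,
                    now: Optional[int] = None, ttl: int = 900) -> str:
        now = int(time.time()) if now is None else now
        payload = {"iss": "https://idp.example", "sub": user, "aud": audience,
                   "iat": now, "exp": now + ttl,
                   "roles": sorted(self.central_iam.get(user, {}).get(audience, [])),
                   "auth_level": auth_level}          # injected, per login
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                                 for part in (header, payload))
        return signing_input + "." + b64url_encode(hs256(self.key, signing_input))


class RelyingService:
    """Third service: validates the token once to open a session, binds the
    injected claims to that session, and enforces them on every request."""

    def __init__(self, key: bytes, audience: str, policy: Dict[str, Dict[str, object]]) -> None:
        self.key, self.audience, self.policy = key, audience, policy
        self.sessions: Dict[str, dict] = {}

    def start_session(self, token: str, now: Optional[int] = None) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            raise PermissionError("malformed token")
        h, p, s = parts
        # The verifier always computes HS256 itself, so an attacker-supplied
        # "alg" in the header cannot downgrade the check.
        if not hmac.compare_digest(hs256(self.key, f"{h}.{p}"), b64url_decode(s)):
            raise PermissionError("bad signature")
        claims = json.loads(b64url_decode(p))
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.audience:
            raise PermissionError("token issued for another service")
        if claims.get("exp", 0) <= now:
            raise PermissionError("token expired")
        session_id = hashlib.sha256(token.encode("ascii")).hexdigest()[:16]
        self.sessions[session_id] = claims
        return session_id

    def authorize(self, session_id: str, resource: str) -> bool:
        """Per-request check against the claims bound to the session."""
        claims, rule = self.sessions.get(session_id), self.policy.get(resource)
        if claims is None or rule is None:
            return False
        return rule["role"] in claims["roles"] and claims["auth_level"] >= rule["min_auth_level"]


def rejected(service: RelyingService, token: str, now: int) -> bool:
    try:
        service.start_session(token, now=now)
    except PermissionError:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Walk through level enforcement, wrong audience, forgery and expiry."""
    central_iam = {"alice": {"billing": ["viewer", "approver"]}, "bob": {"billing": ["viewer"]}}
    policy = {"invoices/read": {"role": "viewer", "min_auth_level": 1},
              "invoices/approve": {"role": "approver", "min_auth_level": 2}}  # needs MFA
    idp, billing = ControlPlane(KEY, central_iam), RelyingService(KEY, "billing", policy)
    pw_sid = billing.start_session(idp.issue_token("alice", "billing", 1, now=T0), now=T0)
    mfa_sid = billing.start_session(idp.issue_token("alice", "billing", 2, now=T0), now=T0)
    h, p, s = idp.issue_token("bob", "billing", 1, now=T0).split(".")
    forged_payload = json.loads(b64url_decode(p))
    forged_payload["auth_level"] = 2                 # client tries to upgrade itself
    forged = ".".join((h, b64url_encode(json.dumps(forged_payload).encode()), s))
    return {"pw_read": billing.authorize(pw_sid, "invoices/read"),
            "pw_approve": billing.authorize(pw_sid, "invoices/approve"),
            "mfa_approve": billing.authorize(mfa_sid, "invoices/approve"),
            "wrong_audience_rejected": rejected(billing, idp.issue_token("bob", "hr", 2, now=T0), T0),
            "forgery_rejected": rejected(billing, forged, T0),
            "expired_rejected": rejected(billing, ".".join((h, p, s)), T0 + 901)}


if __name__ == "__main__":
    print(demo())
```

The point of the per-session design is that the service never re-reads the central IAM service on each request: the claims injected at login travel with the session, so a password-only login cannot reach an MFA-gated resource until a new session is established at the higher level.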

Regarding Claims 4, 12, and 17, the combined teaching of Mohamad Adbul and Mani teaches 
wherein the centralized IAM service (Mohamad Adbul, [0024], “provide an Identity Cloud Service (“IDCS”) that is a multi-tenant, cloud-scale, IAM platform”) is based on a space-based access control (SBAC) model (Mani, [0032], “Select a last used DMA if space for the DMA is greater than or equal to the expected size of the conference. Otherwise, select another DMA with space greater than or equal to the expected size of DMA. These can be driven off a free space table that chains DMAs of different free space. If neither of these are available select an unused DMA”).

Regarding Claims 5, 13, and 18, the combined teaching of Mohamad Adbul and Mani teaches 
wherein the centralized IAM service (Mohamad Adbul, [0024], “provide an Identity Cloud Service (“IDCS”) that is a multi-tenant, cloud-scale, IAM platform”) is based on a role-based access control (RBAC) model (Mani, [0162], “Role-based Access Control”).

Regarding Claim 6, Mohamad Adbul discloses a system comprising: 
a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource ([0112] [0191], “event processor”, “one or more CPUs…and memory”), having stored therein instructions that when executed by the processing resource cause the processing resource to: 
provide a user interface via web portal through which users of a particular tenant of multiple tenants of a service provider are able to configure permissions for and access resources of a set of services, including internal services and external services associated with a hybrid cloud ([0016], “hybrid cloud deployments (i.e., cloud deployments which include a combination of a public cloud and a private cloud)”, [0032], “provides a cloud-scale API platform and implements horizontally scalable microservices for elastic scalability. The embodiment leverages cloud principles and provides a multi-tenant architecture with per-tenant data separation. The embodiment further provides per-tenant customization via tenant self-service. The embodiment is available via APIs for on-demand integration with other identity services, and provides continuous feature release”, [0034], “implements a number of microservices in a stateless middle tier to provide cloud-based multi-tenant identity and access management services”, [0063], “providing users with the application access appropriate for their identity and role within the organization, certifying that they have the correct ongoing access permissions”, [0082], “SAML service providers”, [0090], “internal and external IDCS consumers”); 
provide a unified Identity and Access Management (IAM) control plane across the set of services, wherein at least some services of the set of services use a different IAM protocol or a different IAM scheme ([0024], “provide an Identity unified IAM functionality”, [0036], “services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), event services 138 (e.g., REST), and authorization services 140 (e.g., SCIM). IDCS 118 may further provide reports and dashboards 120 related to the offered services”); and 
maintain consistency between a centralized Identity and Access Management (IAM) service utilized by the service provider and an authorization system utilized by a first service of the set of services by: 
responsive to a first change to a permission model of the first service via the authorization system utilized by the first service, reflecting the first change to the centralized IAM service via an application programming interface (API) of the unified IAM control plane by invoking the API by a first authorization broker of a plurality of authorization brokers running within the service provider and corresponding to the first service ([0036], “IDCS 118 provides a unified view 124 of a user's applications, a unified secure credential across devices and applications (via identity platform 126), and a unified way of administration (via an admin console 122). IDCS services may be obtained by calling IDCS APIs 142. Such services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), and 
responsive to a second change to the central IAM service relating to a user or a resource associated with the permission model, reflecting the second change to the authorization system via the first authorization broker ([0043], “an employee moving from engineering to sales can get near instantaneous access to the sales cloud and lose access to the developer cloud. When this change is reflected in on-premise AD 204, cloud application access change is accomplished in near-real-time. Similarly, access to cloud applications managed in IDCS 208 is revoked for users leaving the company”).  
Mohamad Adbul does not explicitly teach but Mani teaches
a managed service provider (MSP) ([0241], “a Managed Services Provider”).
Mohamad Adbul and Mani are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mani with the disclosure of Mohamad Adbul. The motivation/suggestion would have been to manage users through Cloud-brokered virtual directory services (Mani, [0245]).

Regarding Claims 7 and 20, the combined teaching of Mohamad Adbul and Mani teaches 
wherein the instructions further cause the processing resource to detect the first change by polling the authorization system (Mohamad Adbul, [0095], “to user notification”).

Regarding Claim 8, the combined teaching of Mohamad Adbul and Mani teaches 
wherein the first change comprises a change to or deletion of an application, a user or a group (Mohamad Adbul, [0095], “to register or create a new user”).

Regarding Claim 19, the combined teaching of Mohamad Adbul and Mani teaches 
comprising instructions to maintain consistency between the centralized IAM service and an authorization system utilized by a first service of the set of services by: 
responsive to a first change to a permission model of the first service via the authorization system utilized by the first service, reflecting the first change to the centralized IAM service by a first authorization broker of a plurality of authorization brokers corresponding to the first service ([0036], “IDCS 118 provides a unified view 124 of a user's applications, a unified secure credential across devices and applications (via identity platform 126), and a unified way of administration (via an admin console 122). IDCS services may be obtained by calling IDCS APIs 142. Such services may include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any and  
responsive to a second change to the central IAM service relating to a user or a resource associated with the permission model, reflecting the second change to the authorization system via the first authorization broker ([0043], “an employee moving from engineering to sales can get near instantaneous access to the sales cloud and lose access to the developer cloud. When this change is reflected in on-premise AD 204, cloud application access change is accomplished in near-real-time. Similarly, access to cloud applications managed in IDCS 208 is revoked for users leaving the company”).
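The two-way consistency mechanism recited in Claim 6 and repeated in Claim 19 (a per-service authorization broker reflecting service-side permission changes into the centralized IAM service, and central-side user or resource changes back into the service's authorization system), together with change detection by polling (Claims 7 and 20) and deletion of a user, group or application as a change (Claim 8), is illustrated by the following example. It is an added illustration written for this page, not code from the application or from either cited reference. The in-memory stores, the version-counter polling, the snapshot diff and the "central IAM wins on conflict" policy are assumptions.

```python
"""Authorization broker keeping a service's own authorization system and a
centralized IAM service consistent in both directions, detecting changes by
polling.  Added illustration only; not code from the application or the cited
references.  Stores, polling scheme and conflict policy are assumptions."""
from __future__ import annotations

from copy import deepcopy
from typing import Dict, List, Tuple

# Permission model of one service: resource -> {principal -> role}.
# A principal is a user, a group or an application; deleting it removes it
# from every resource.
PermissionModel = Dict[str, Dict[str, str]]
Upsert = Tuple[str, str, str]      # (resource, principal, role)
Revocation = Tuple[str, str]       # (resource, principal)


class AuthzStore:
    """Minimal authorization system with a version counter a broker can poll.
    Stands in for both the central IAM service and a service's local system."""

    def __init__(self, name: str) -> None:
        self.name, self.version = name, 0
        self.model: PermissionModel = {}

    def set_role(self, resource: str, principal: str, role: str) -> None:
        grants = self.model.setdefault(resource, {})
        if grants.get(principal) != role:       # idempotent: no bump on a no-op
            grants[principal] = role
            self.version += 1

    def revoke(self, resource: str, principal: str) -> None:
        if self.model.get(resource, {}).pop(principal, None) is not None:
            self.version += 1

    def delete_principal(self, principal: str) -> None:
        """Deletion of a user/group/application: drop every grant it holds."""
        removed = [g.pop(principal, None) for g in self.model.values()]
        if any(r is not None for r in removed):
            self.version += 1

    def snapshot(self) -> PermissionModel:
        return deepcopy(self.model)


def diff(old: PermissionModel, new: PermissionModel) -> Tuple[List[Upsert], List[Revocation]]:
    """Role upserts and revocations that turn `old` into `new`."""
    upserts: List[Upsert] = []
    revocations: List[Revocation] = []
    for resource in sorted(set(old) | set(new)):
        before, after = old.get(resource, {}), new.get(resource, {})
        upserts += [(resource, p, r) for p, r in after.items() if before.get(p) != r]
        revocations += [(resource, p) for p in before if p not in after]
    return upserts, revocations


class AuthorizationBroker:
    """One broker per integrated service.  poll() mirrors service-side changes
    into the central IAM service and central-side changes into the service.
    Both diffs are computed before anything is applied, snapshots are refreshed
    afterwards so mirrored writes are not echoed back, and when both sides
    changed the same (resource, principal) the central IAM service wins."""

    def __init__(self, service: AuthzStore, central: AuthzStore) -> None:
        self.service, self.central = service, central
        self._refresh()

    def _refresh(self) -> None:
        self._snap_service, self._snap_central = self.service.snapshot(), self.central.snapshot()
        self._seen_service, self._seen_central = self.service.version, self.central.version

    @staticmethod
    def _apply(target: AuthzStore, upserts: List[Upsert], revocations: List[Revocation]) -> int:
        for resource, principal, role in upserts:
            target.set_role(resource, principal, role)
        for resource, principal in revocations:
            target.revoke(resource, principal)
        return len(upserts) + len(revocations)

    def poll(self) -> Dict[str, int]:
        applied = {"to_central": 0, "to_service": 0}
        if (self.service.version, self.central.version) == (self._seen_service, self._seen_central):
            return applied                           # nothing changed since last poll
        svc_ups, svc_revs = diff(self._snap_service, self.service.snapshot())
        cen_ups, cen_revs = diff(self._snap_central, self.central.snapshot())
        touched_centrally = {(r, p) for r, p, _ in cen_ups} | set(cen_revs)
        applied["to_central"] = self._apply(
            self.central,
            [u for u in svc_ups if (u[0], u[1]) not in touched_centrally],
            [r for r in svc_revs if r not in touched_centrally])
        applied["to_service"] = self._apply(self.service, cen_ups, cen_revs)
        self._refresh()
        return applied


def demo() -> Dict[str, object]:
    """Constructed walkthrough: service->central, central->service, no echo."""
    central, ticketing = AuthzStore("central-iam"), AuthzStore("ticketing-service")
    broker = AuthorizationBroker(ticketing, central)
    ticketing.set_role("project/alpha", "alice", "editor")          # change in the service
    ticketing.set_role("project/alpha", "group:support", "viewer")
    first = broker.poll()
    central.delete_principal("alice")                               # offboarding in central IAM
    second = broker.poll()
    third = broker.poll()                                           # must be a no-op
    return {"first": first, "second": second, "third": third,
            "central_alpha": central.model["project/alpha"],
            "ticketing_alpha": ticketing.model["project/alpha"]}


if __name__ == "__main__":
    print(demo())
```

The snapshot refresh after each pass is what prevents the broker from replaying its own writes on the next poll; without it, a grant mirrored into the central IAM service would show up as a "central-side change" and be mirrored back forever.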

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497