DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the communication filed on January 19, 2022 in response to the first office action on merit.

Remarks
Pending claims for reconsideration are claims 1-20. 

Response to Arguments
Applicant’s arguments filed on January 19, 2022 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
In response to argument (Page 12, Para: 1-3) - Examiner respectfully disagrees with applicant’s argument respect to the independent claims 1, 6, and 17 that Banerjee fails to disclose policies respect to first and second environments (See, applicant’s remark, Page 11: Para 1-3). First, examiner has used primary art Stefik to teach repository 1 i.e., a “first environment” or a “user environment”, repository 2 i.e., a “second environment” or a “resource provider environment”; and Fig. 1: Step 102, digital work with rights i.e., a “data object” (Page 3: line 45 - Page 4: line 3). Then, same mapping of first and second environments can be applied to Banerjee also, where Banerjee discloses Content Controller Server 11 i.e., a “resource provider environment”/ a ”second environment”, which has Content Distributor’s Business Policy Parameters 18 i.e., “other policies of the resource provider environment”; Para 0016: policy conflicts are resolved at the Content Controller Server 11 i.e., a “resource provider environment”; Potential Content Provider 19 i.e., a “first environment” with Proposed Distribution Parameter i.e., “policies of first environment” (Banerjee, Fig. 1). Furthermore, if no conflict then registered content is provided for distribution (See also, Banerjee, Para 0041-0042). Therefore, the different environments and the policies are disclosed by Banerjee.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-3, 6-8, 11-12, 13-17, and 19 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-3, 5-11, 17, and 20 of U.S. Patent No. 10,645,120. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations of claims 1-3, 6-8, 11-12, 13-17, and 19 of this instant application are found in claims 1-3, 5-11, 17, and 20 of the patent No. 10,645,120. Therefore, claims 1-3, 6-8, 11-12, 13-17, and 19 of this instant application are anticipated by claims 1-3, 5-11, 17, and 20 of Patent 10,645,120, because all the limitation of broader genus claims of this instant application are contained in the narrower species claims of Patent 10,645,120.

Application No. 16/835925
Patent No. 10,645,120
1. A system, comprising at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to: 
receive, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment; 









determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; 

upon the determining, store the data and the policy to the second environment;
 


authenticate a request for data in the data object; determine that access to the data is allowed under the policy in the second environment; and 
generate an updated data object with the data by adding information to an audit log associated with the data in response to access or actions taken with respect to the data.
1. A system, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to: 
receive, to a resource provider environment, a first data object from a user environment, 
the first data object including user data, a data tag, a policy, and an audit log, the data tag corresponding to the policy applicable for the user data within the user environment, and the policy comprising a trigger; causing the policy to be applied to the first data object in the user environment based at least in part on the trigger, the audit log including a history of events relating to the user data, the resource provider environment including a plurality of data repositories available over a network; 
determine that the policy is supported by and is free of conflicts from other policies of the resource provider environment;


upon the determination, cause the user data, the policy, the data tag, and the audit log to be stored to at least one data repository of the plurality of data repositories in the resource provider environment;

receive a request for at least a portion of the user data; determine that a source of the request is authorized to receive the user data; 
add information for the request to the audit log for the user data; 


generate a second data object including the user data, the data tag, the policy, and the audit log; and send over the network the second data object to a destination specified by the request.
2. The system of claim 1, wherein the instructions when executed further cause the system to: determine an account associated with the request permits validation of the request; and validate a source of the request using stored information associated with the account as part of the authentication of the request.
3. The system of claim 2, wherein the instructions when executed further cause the system to: determine, from the request, an intended action to be performed with respect to the user data, wherein determining that the source of the request is authorized to receive the user data includes determining whether a corresponding policy, of the set of policies, allows the intended action to be performed on the user data by the source of the request.
3. The system of claim 1, wherein the instructions when executed further cause the system to: determine a tag associated with the policy in the first environment; determine that a source of the request is associated with a group in the second environment; and enable a second tag that is associated with the tag for association with the data object in the second environment.
2. The system of claim 1, wherein the first data object includes a set of tags, each tag of the set corresponding to at least one of: a categorization of the first data object, a respective policy of a set of policies for the first data object, or a respective action capable of being performed with respect to the first data object.

4. The system of claim 1, wherein the instructions when executed further cause the system to: grant access to the data after the authentication of the request in the second environment; determine that an action of a source of the request has caused a violation in the policy; and prevent the source from accessing the data.

5. The system of claim 1, wherein the instructions when executed further cause the system to: grant access to the data after the authentication of the request in the second environment; determine a risk level has changed for a source of the request based in part on the policy; and prevent further access to the data.

6. A computer-implemented method, comprising: receiving, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment; 









determining that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; 


upon the determining, storing the data and the policy to the second environment; 
authenticating a request associated with the data object; enabling access to the data under the policy in the second environment; and 
adding information to an audit log associated with the data in response to access or actions taken with respect to the data.
5. A computer-implemented method, comprising: receiving a data object from a first environment to a second environment, the second environment provided by a different entity than the first environment,

 the data object including data and a policy for managing access to the data within the first environment, the second environment including a plurality of data repositories available over a network and the policy comprising a trigger; 
causing the policy to be applied to the data object in the second environment based at least in part on the trigger; 
determining that the policy is supported by and is free of conflicts from other policies of the second environment; storing the data and the policy to the second environment in at least one data repository of the plurality of data repositories; 

enforcing access to the data in the second environment per the policy; 
and upon the determination, adding information to an audit log for the data in response to access or actions taken with respect to the data, 
wherein an updated data object including the data, the policy, and the audit log is generated in response to adding the information to the audit log.
7. The computer-implemented method of claim 6, further comprising: determining an account associated with the request permits validation of the request; and validating a source of the request using stored information associated with the account as part of the authentication of the request.

6. The computer-implemented method of claim 5, further comprising: receiving a request for at least a portion of the data; determining that a source of the request is authorized, per the policy, to receive the data; adding information for the request to the audit log for the data; generating a second data object including the data, the policy, and the audit log; and sending the second data object to a destination specified by the request.
8. The computer-implemented method of claim 6, further comprising: determining a tag associated with the policy in the first environment; determining that a source of the request is associated with a group in the second environment; and enabling a second tag that is associated with the tag for association with the data object in the second environment.

7. The computer-implemented method of claim 6, further comprising: extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope, wherein generating the second data object further includes placing the data in a second envelope and including the policy and the audit log in the second envelope.

9. The computer-implemented method of claim 6, further comprising: granting access to the data after the authentication of the request in the second environment; determining that an action of a source of the request has caused a violation in the policy; and preventing the source from accessing the data.

10. The computer-implemented method of claim 6, further comprising: granting access to the data after the authentication of the request in the second environment; determining a risk level has changed for a source of the request based in part on the policy; and preventing further access to the data.

11. The computer-implemented method of claim 6, further comprising: receiving the request for at least a portion of the data in the second environment; determining that a source of the request is authenticated under the policy and separately from the authenticating of the request associated with the data object; and generating a second data object including the data, the policy, and the audit log having the information for a destination specified by the request.
10. The computer-implemented method of claim 5, further comprising: receiving a request to modify the policy, the policy being mutable; determining that a source of the request is authorized to modify the policy; updating the policy per the request; and updating the audit log to reflect modification of the policy.

12. The computer-implemented method of claim 11, further comprising: extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope; and generating the second data object by placing the data in a second envelope and including the policy and the audit log with the information in the second envelope.
7. The computer-implemented method of claim 6, further comprising: extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope, wherein generating the second data object further includes placing the data in a second envelope and including the policy and the audit log in the second envelope
13. The computer-implemented method of claim 6, further comprising: causing the policy to be stored to a policy repository managed by a policy engine associated with the second environment; and enforcing the policy in the second environment by the policy engine.
11. The computer-implemented method of claim 5, further comprising: storing a set of policies received with the data object, wherein a corresponding policy to enforce from the set of policies is based at least in part upon an expressed intended action to be performed with respect to the data.
14. The computer-implemented method of claim 6, further comprising: determining that the policy is immutable; and preventing modification of the policy or specification of a new policy for the data in at least the second environment.
9. The computer-implemented method of claim 5, further comprising: determining that the policy is immutable; and preventing modification of the policy or specification of a new policy for the data.
15. The computer-implemented method of claim 6, further comprising: receiving a request to modify the policy, the policy being mutable; determining that a source of the request is authorized to modify the policy; modifying the policy; and updating the audit log to reflect the modification of the policy.
20. The non-transitory computer-readable storage medium of claim 17, wherein the instructions when executed further cause the computer system to: specify whether each tag associated with the user data is mutable or immutable, a mutable tag modifiable only by a trusted and authorized entity.
16. The computer-implemented method of claim 6, further comprising: storing a set of policies received with the data object, wherein a corresponding policy to enforce from the set of policies is based at least in part upon an action to be performed with respect to the data.
8. The computer-implemented method of claim 5, further comprising: causing the policy to be stored to a policy repository managed by a policy engine, the policy engine responsible for enforcing the policy in the second environment, a set of policies stored to the policy repository each corresponding to a standardized policy format.
17. A non-transitory computer-readable storage medium including instructions 2 that, when executed by at least one processor of a computer system, cause the computer system to: 

receive, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment; 










determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; 
upon the determination being made, store the data and the policy to the second environment; authenticate a request associated with the data object; 
enable access to the data under the policy in the second environment; and 
add information to an audit log associated with the data in response to access or actions taken with respect to the data.
17. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computer system, cause the computer system to: 
determine a classification and at least one predicate for user data stored in a user environment, the at least one predicate relating to an action capable of being performed with respect to the user data within the user environment; 
determine, based at least in part upon the classification and the predicate, at least one data tag to be associated with the user data, a data tag of the at least one data tag associated with a policy of at least one policy for the user data within the user environment, the policy comprising a trigger; 
cause the policy to be applied to the user data in the user environment based at least in part on the trigger; 

determine that the policy is supported by and is free of conflicts from other policies of the second environment; 

upon the determination of the policy is supported and is free of conflicts, send a request to transmit the user data for storage in a data repository of a remote environment operated by a separate entity, the remote environment including a plurality of data repositories available over a network; 
generate a data object including at least the user data and the at least one policy; and transmit the data object to the remote environment.
18. The non-transitory computer-readable storage medium of claim 17 including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: determine an account associated with the request permits validation of the request; and validate a source of the request using stored information associated with the account as part of the authentication of the request.

19. The non-transitory computer-readable storage medium of claim 17 including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: determine a tag associated with the policy in the first environment; determine that a source of the request is associated with a group in the second environment; and enable a second tag that is associated with the tag for association with the data object in the second environment.
7. The computer-implemented method of claim 6, further comprising: extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope, wherein generating the second data object further includes placing the data in a second envelope and including the policy and the audit log in the second envelope.

20. The non-transitory computer-readable storage medium of claim 17 including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: grant access to the data after the authentication of the request in the second environment; determine a risk level has changed for a source of the request based in part on the policy; and prevent further access to the data.



Claims 1-3, 5-11, 17, and 20 of Patent No. 10,645,120 contain every element of claims 1-3, 6-8, 11-12, 13-17, and 19 of the instant application and thus anticipate the claims of the instant application. Claims of the instant application therefore are not patently distinct from the earlier patent claims and as such are unpatentable over obvious-type double patenting. A later application/patent claim is not patentably distinct from an earlier claim if the later claim anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “  ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED:  May 30, 2001).
 Accordingly, absent a terminal disclaimer, claims 1-3, 6-8, 11-12, 13-17, and 19 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4, 6-7, 9,  and 11-18 are rejected under AIA  35 U.S.C. 103(a) 35 U.S.C. 103 as being obvious over Mark J. Stefik (EP0715243 A1 / or “Stefik” hereinafter) in view of Banerjee et al. (U.S. Patent No.: US 2003/0004880 A1 / or “Banerjee” hereinafter [both references are provided by the applicant]).

Regarding claim 1, Stefik discloses “A system, comprising at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to” (Abstract and Page 2: lines 33-34, system and method of controlling use and distribution of digital works disclosed; and Fig. 12: Processing Element 1201, Processor Memory 1202; and Page 7: lines 42-52):
“receive, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment” (Page 3: line 45 - Page 4: line 3, repository 1 i.e., a “first environment” or a “user environment”, repository 2 i.e., a “second environment” or a “resource provider environment”; and Fig. 1: Step 102, digital work with rights i.e., a “data object”),  
[determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determining, store the data and the policy to the second environment];
“authenticate a request for data in the data object; determine that access to the data is allowed under the policy in the second environment” (Fig. 1: Step 105, determines if access should be granted; Page 4: lines 15-16 & 22-24, a possession of a digital certificate is required to gain access to the digital work and trustworthiness is identified); 
“and generate an updated data object with the data by adding information to an audit log associated with the data in response to access or actions taken with respect to the data” (Fig. 18: Steps 1817-1818, copies and elapse time are accounted for the digital content).
Furthermore, Stefik discloses digital work is created by a creator i.e., a “user" and rights are attached before transmitting to the repository 1 i.e., the “user environment” (Page 3: line 45 - Page 4: line 3, Fig. 1: Step 102). Also, discloses resolving conflicts at a container (Page 8: lines 25 - Page 9: lines 32; Page 6: line 55-58).
Stefik fails to specially disclose resolving conflicts at the “second environment” or the “resource provider environment”.
However, Banerjee discloses “determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determining, store the data and the policy to the second environment” (Banerjee, Fig. 1: Content Controller Server 11 i.e., a “resource provider environment”, which has Content Distributor’s Business Policy Parameters 18 i.e., “other policies of the resource provider environment”; Para 0016: policy conflicts are resolved at the Content Controller Server 11 i.e., a “resource provider environment”; See also Para 0041-0042, if no conflict then registered content is provided for distribution).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of resolving conflicts at a “resource provider environment” of Banerjee to the System of Stefik to create a system where content distribution parameters are resolved before content can be accepted for distribution and the ordinary person skilled in the art would have been motivated to combine to facilitate proper distribution of digital content (Banerjee, Para 0041).

Regarding claim 2, in view of claim 1, Stefik discloses “wherein the instructions when executed further cause the system to: determine an account associated with the request permits validation of the request; and validate a source of the request using stored information associated with the account as part of the authentication of the request” (Page 17: line 19-26, a user access to content is validated using login credentials such as PIN i.e., “stored information”).


Regarding claim 4, in view of claim 1, Stefik discloses “wherein the instructions when executed further cause the system to: grant access to the data after the authentication of the request in the second environment; determine that an action of a source of the request has caused a violation in the policy; and prevent the source from accessing the data” (Page 6: line 55 – Page 7: lines 21).

Regarding claim 6, Stefik discloses “A computer-implemented method, comprising” (Page 2: lines 33-34, system and method of controlling use and distribution of digital works disclosed):
“receiving, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment” (Page 3: line 45 - Page 4: line 3, repository 1 i.e., a “first environment” or a “user environment”, repository 2 i.e., a “second environment” or a “resource provider environment”; and Fig. 1: Step 102, digital work with rights i.e., a “data object”);
[determining that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determining, storing the data and the policy to the second environment]; 
“authenticating a request associated with the data object; enabling access to the data under the policy in the second environment” (Fig. 1: Step 105, determines if access should be granted; Page 4: lines 15-16 & 22-24, a possession of a digital certificate is required to gain access to the digital work and trustworthiness is identified);  
“and adding information to an audit log associated with the data in response to access or actions taken with respect to the data” (Fig. 18: Steps 1817-1818, copies and elapse time are accounted for the digital content).
Furthermore, Stefik discloses digital work is created by a creator i.e., a “user" and rights are attached before transmitting to the repository 1 i.e., the “user environment” (Page 3: line 45 - Page 4: line 3, Fig. 1: Step 102). Also, discloses resolving conflicts at a container (Page 8: lines 25 - Page 9: lines 32; Page 6: line 55-58).
Stefik fails to specially disclose resolving conflicts at the “second environment” or the “resource provider environment”.
However, Banerjee discloses “determining that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determining, storing the data and the policy to the second environment” (Banerjee, Fig. 1: Content Controller Server 11 i.e., a “resource provider environment”, which has Content Distributor’s Business Policy Parameters 18 i.e., “other policies of the resource provider environment”; Para 0016: policy conflicts are resolved at the Content Controller Server 11 i.e., a “resource provider environment”; See also Para 0041-0042, if no conflict then registered content is provided for distribution).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of resolving conflicts at a “resource provider environment” of Banerjee to the System of Stefik to create a system where content distribution parameters are resolved before content can be accepted for distribution and the ordinary person skilled in the art would have been motivated to combine to facilitate proper distribution of digital content (Banerjee, Para 0041).

Regarding claim 7, in view of claim 6, Stefik discloses “further comprising: determining an account associated with the request permits validation of the request; and validating a source of the request using stored information associated with the account as part of the authentication of the request” (Page 17: line 19-26, a user access to content is validated using login credentials such as PIN i.e., “stored information”).

Regarding claim 9, in view of claim 6, Stefik discloses “further comprising: granting access to the data after the authentication of the request in the second environment; determining that an action of a source of the request has caused a violation in the policy; and preventing the source from accessing the data” (Page 6: line 55 – Page 7: lines 21).

Regarding claim 11, in view of claim 6, Stefik discloses “further comprising: receiving the request for at least a portion of the data in the second environment; determining that a source of the request is authenticated under the policy and separately from the authenticating of the request associated with the data object; and generating a second data object including the data, the policy, and the audit log having the information for a destination specified by the request” (Page 25: lines 29-57).


Regarding claim 12, in view of claim 11, Stefik discloses “further comprising: extracting the policy and the audit log from an envelope of the data object, the data and a data tag included in the envelope; and generating the second data object by placing the data in a second envelope and including the policy and the audit log with the information in the second envelope” (Page 16: lines 25-34; Fig. 1: Step 107; Page 6: lines 50-52, and Page 20: lines 21-25).

Regarding claim 13, in view of claim 6, Stefik discloses “further comprising: causing the policy to be stored to a policy repository managed by a policy engine associated with the second environment; and enforcing the policy in the second environment by the policy engine” (Page 7: lines 34-38, a Master Repository enforces repository certificates and security policy; Table 2: different level of security policies for different repositories).

Regarding claim 14, in view of claim 6, Stefik discloses “further comprising: determining that the policy is immutable; and preventing modification of the policy or specification of a new policy for the data in at least the second environment” (Page 7: lines 34-38, a Master Repository enforces repository certificates and security policy; and Page 20: lines 48 – Page 21: lines 1-4, the usage rights are provide and enforce and cannot be changed).

Regarding claim 15, in view of claim 6, Stefik discloses “ further comprising: receiving a request to modify the policy, the policy being mutable; determining that a source of the request is authorized to modify the policy; modifying the policy; and updating the audit log to reflect the modification of the policy” (Page 18: line 34-58, discloses usage rights checking and updating copy count or loan access rights i.e., i.e., “audit log”; and Page 19: lines 1-14, metering service is disclosed).

Regarding claim 16, in view of claim 6, Stefik discloses “further comprising: storing a set of policies received with the data object, wherein a corresponding policy to enforce from the set of policies is based at least in part upon an action to be performed with respect to the data” (Page 11: lines 14-21, rights can be exercised on the content).

Regarding claim 17, Stefik discloses “A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computer system, cause the computer system to” (Stefik: Fig. 4B, a computer system; Page 7: lines 53-58, computer readable medium is disclosed):
“receive, in a second environment, a data object comprising data and a policy associated with accessing the data within a first environment” (Page 3: line 45 - Page 4: line 3, repository 1 i.e., a “first environment” or a “user environment”, repository 2 i.e., a “second environment” or a “resource provider environment”; and Fig. 1: Step 102, digital work with rights i.e., a “data object”);
[determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determination being made, store the data and the policy to the second environment];
 “authenticate a request associated with the data object; enable access to the data under the policy in the second environment” (Fig. 1: Step 105, determines if access should be granted; Page 4: lines 15-16 & 22-24, a possession of a digital certificate is required to gain access to the digital work and trustworthiness is identified);  
“and add information to an audit log associated with the data in response to access or actions taken with respect to the data” (Fig. 18: Steps 1817-1818, copies and elapse time are accounted for the digital content).
Furthermore, Stefik discloses digital work is created by a creator i.e., a “user" and rights are attached before transmitting to the repository 1 i.e., the “user environment” (Page 3: line 45 - Page 4: line 3, Fig. 1: Step 102). Also, discloses resolving conflicts at a container (Page 8: lines 25 - Page 9: lines 32; Page 6: line 55-58).
Stefik fails to specially disclose resolving conflicts at the “second environment” or the “resource provider environment”.
However, Banerjee discloses “determine that the policy is supported by and is free of conflicts from other policies of the second environment and of other environments providing other data objects for the second environment; upon the determination being made, store the data and the policy to the second environment” (Banerjee, Fig. 1: Content Controller Server 11 i.e., a “resource provider environment”, which has Content Distributor’s Business Policy Parameters 18 i.e., “other policies of the resource provider environment”; Para 0016: policy conflicts are resolved at the Content Controller Server 11 i.e., a “resource provider environment”; See also Para 0041-0042, if no conflict then registered content is provided for distribution).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of resolving conflicts at a “resource provider environment” of Banerjee to the System of Stefik to create a system where content distribution parameters are resolved before content can be accepted for distribution and the ordinary person skilled in the art would have been motivated to combine to facilitate proper distribution of digital content (Banerjee, Para 0041).

Regarding claim 18, in view of claim 17, Stefik discloses “including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: determine an account associated with the request permits validation of the request; and validate a source of the request using stored information associated with the account as part of the authentication of the request” (Page 17: line 19-26, a user access to content is validated using login credentials such as PIN i.e., “stored information”).


Claims 3, 5, 8, 10, and 19-20 are rejected under AIA  35 U.S.C. 103(a) 35 U.S.C. 103 as being obvious over Stefik in view of Banerjee and in further view of Boss et al.  (U.S. 2015/0227754 A1 [provided by the applicant]).

	Regarding claim 3, in view of claim 1, Stefik discloses digital work is created by a creator i.e., a “user" and rights are attached before transmitting to the repository 1 i.e., the “user environment” (Page 3: line 45 - Page 4: line 3, Fig. 1: Step 102). Also, discloses resolving conflicts at a container (Page 8: lines 25 - Page 9: lines 32; Page 6: line 55-58). Furthermore, rules applies to group or individual based on access rights (Page 7: Para 2-3). 
	But Stefik and Banerjee fail to specially disclose a tag associated with a policy in a user environment and another tag associate with a provider environment.
However, Boss discloses “wherein the instructions when executed further cause the system to: determine a tag associated with the policy in the first environment; [determine that a source of the request is associated with a group in the second environment]; and enable a second tag that is associated with the tag for association with the data object in the second environment” (Boss, Para 0017 and 0020, applying data tag based on access control rules i.e., policies in the user environment; and  Para 0023: applying access control rule based on applied tags).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of tag associated with a policy in a user environment and another tag associate with a provider environment of Boss to the System of Stefik and Banerjee to create a system where applying data tag based on access control rules would help determine rendering function of the data object (Boss, Para 0023) and the ordinary person skilled in the art would have been motivated to combine to facilitate proper distribution of data object (Boss, Para 00025).

	Regarding claim 5, in view of claim 1, Stefik in view of Boss disclose “wherein the instructions when executed further cause the system to: grant access to the data after the authentication of the request in the second environment; determine a risk level has changed for a source of the request based in part on the policy; and prevent further access to the data” (Boss, Para 0017 and 0020, applying data tag based on access control rules i.e., policies in the user environment; Para 0025, prohibited from access based on measure attributes) [See motivation of claim 3].


Regarding claim 8, in view of claim 6, Stefik in view of Boss disclose “further comprising: determining a tag associated with the policy in the first environment; determining that a source of the request is associated with a group in the second environment; and enabling a second tag that is associated with the tag for association with the data object in the second environment” (See rejection of claim 3).

Regarding claim 10, in view of claim 6, Stefik in view of Boss disclose “further comprising: granting access to the data after the authentication of the request in the second environment; determining a risk level has changed for a source of the request based in part on the policy; and preventing further access to the data” (See rejection of claim 5).

Regarding claim 19, in view of claim 17, Stefik in view of Boss disclose “including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: determine a tag associated with the policy in the first environment; determine that a source of the request is associated with a group in the second environment; and enable a second tag that is associated with the tag for association with the data object in the second environment” (See rejection of claim 3).

Regarding claim 20, in view of claim 17, Stefik in view of Boss disclose “including the instructions that, when executed by the at least one processor of the computer system, cause the computer system to: grant access to the data after the authentication of the request in the second environment; determine a risk level has changed for a source of the request based in part on the policy; and prevent further access to the data” (See rejection of claim 5).

Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Cropper (US 2015/0193245 A1) detecting a resource conflict between the first virtual machine and a second virtual machine, wherein the first and second virtual machines are executing on a first host machine in the cloud computing environment, wherein the at least one rule is further based on the resource conflict and is for the first virtual machine and the second virtual machine (Claim 2).
Cross et al. (U.S.:  2008/0184329 A1) discloses “…user may aggregate more than one data label or may provide a union of data labels to a data object to form aggregate labels for a data object. Moreover, the user may set precedence or give priority to the multiple labels assigned to a data object to resolve conflicts between policies associated through those labels. The user may also order the multiple labels assigned to a data object” (Para 0029).
Kilday et al. (US 8,814,063 B1) discloses “… conflicts between two or more applicable retention policies are resolved prior to the conflict manifesting itself, e.g., by merging the requirements of two or more policies by resolving conflicts at or near the time when a second, third, etc. retention policy is made applicable to an item of content. In some embodiments a merged single policy that is free of conflicts is generated and made applicable to the content, e.g., by resolving conflicts in accordance with preconfigured and/or dynamically determined user preferences” (Para 0033).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is         (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431