DETAILED ACTION
This is a non-final Office action in response to communications received on 4/30/2020.  Claims 1-20 are pending.  Claims 1-20 are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings filed 4/30/2020 are acknowledged.
Priority
Priority to 8/13/2019 is recognized.

Objections
Claims 6 and 14 are objected to for the following reasons: the claim limitation appears to contradict itself.  Claims 1 and 9 already disclose that the response is generated by redacting based on the authorization context.  Claims 6 and 14 appear to disclose that the response is further (?) redacted by redacting definitions from another (?) response to the query.  It is unclear how this other response relates to the first response disclosed in claims 1 and 9 (i.e. is it generated before, after, at the same time, same type, do they both come after the query is submitted, etc.).  Appropriate correction/explanation is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 17-20 are rejected under 35 U.S.C. 101 as not falling within one of the four statutory categories of invention because the claimed invention is directed to software per se.  
Under 35 U.S.C. 101, a claimed invention must fall within one of the four eligible categories of invention (i.e. process, machine, manufacture, or composition of matter) and must not be directed to subject matter encompassing a judicially recognized exception as interpreted by the courts.  MPEP § 2106.  The four eligible categories of invention include: (1) process which is an act, or a series of acts or steps, (2) machine which is a concrete thing, consisting of parts, or of certain devices and combination of devices, (3) manufacture which is an article produced from raw or prepared materials by giving to these materials new forms, qualities, properties, or combinations, whether by hand labor or by machinery, and (4) composition of matter which is all compositions of two or more substances and all composite articles, whether they be the results of chemical union, or of mechanical mixture, or whether they be gases, fluids, powders or solids. MPEP 2106(I).
Claim 17 is directed to an authorization system comprising “a GraphQL query engine”, “an authorization rule store” and “a query authorization redactor”. The Specification does not limit the elements “system”, “engine”, “rule store” or “query authorization redactor” to hardware.  Consequently, the elements of claim 17 are interpreted as coding and/or software and fail to recite any physical device or machine; therefore claim 17 fails to recite any physical device or machine.  
Dependent claims 18-20 fail to remedy the deficiencies of claim 17 and are therefore similarly rejected.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 3, 11 and 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 3, 11 and 17-20 contain the trademark/trade name GraphQL.  Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.  See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982).  The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product.  A trademark or trade name is used to identify a source of goods, and not the goods themselves.  Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name.  In the present case, the trademark/trade name is used to identify/describe the query engine and, accordingly, the identification/description is indefinite.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-4, 7-12 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 2021/0218773).  
       Regarding claim 1, Prakash discloses the limitations of claim 1 substantially as follows:
	A method for generating responses to queries from a client application, the method performed by an authorization system and comprising: 
	receiving a first query from the client application (paras. [0006], [0032], [0045]: receiving a query from a client/customer environment); 
	determining an authorization context for the first query based at least in part on a set of authorization restrictions corresponding to the client application (paras. [0019], [0033]: determining a context for the query based on a set of GraphQL policies/restrictions customized to a client/customer environment (i.e. corresponding to the customer/client applications)); 
	generating a response to the first query based at least in part on an intermediate response generated by a query engine, the response redacted based at least in part on the authorization context (paras. [0033], [0034], [0039], [0042]-[0043], [0048]: generating a redacted query or redacted query results (i.e. redacted response) in response to generating by the API gateway (i.e. query engine) query characteristics and applicable GraphQL policies (i.e. an intermediate response), where the redacted response is based at least in part on the context of the customer environment (i.e. authorization context)); and 
	providing the response to the client application (paras. [0034], [0048]: providing the response to the client/customer environment).
While Prakash does not explicitly disclose policies that correspond to a client application, it would have been obvious to one of ordinary skill in the art at the time of the invention, based on Prakash’s disclosure of customizing GraphQL policies to correspond to a customer/client environment, to customize GraphQL policies that correspond to the client applications within the customer environment in order to enable further tailoring responses to queries based on the individual customer applications in the customer/client environment.  

	Regarding claims 2 and 10, Prakash discloses the limitations of the method of claim 1 and the system of claim 9.
Prakash discloses the limitations of claims 2 and 10 as follows:
	wherein the set of authorization restrictions are expressed independently of the query engine (paras. [0019], [0033]: policies/restrictions are based on client/customer environment and applications rather than (i.e. independent of) the API gateway (i.e. query engine)).

	Regarding claims 3 and 11, Prakash discloses the limitations of the method of claim 1 and the system of claim 9.
Prakash discloses the limitations of claims 3 and 11 as follows:
	wherein the query engine is a GraphQL query engine (paras. [0030]-[0033]: API gateway comprises engines for processing GraphQL queries).
	
	Regarding claims 4 and 12, Prakash discloses the limitations of the method of claims 1 and 3 and the system of claims 9 and 11.
Prakash discloses the limitations of claims 4 and 12 as follows:
	wherein the first query is not an introspection query (para. [0032]: query from client is not for introspection), and wherein the method further comprises: 
	generating a redacted query corresponding to the first query by redacting requests from the first query based at least in part on the set of authorization restrictions (paras. [0034], [0042]: generating redacted query corresponding to the query received from the client (i.e. first query) by redacting the requests in the query based on security GraphQL policies (i.e. set of authorization restrictions)); and
	wherein the response to the first query comprises a response to the redacted query (paras. [0034]: response to the query from the client comprises a response to the redacted query).

	Regarding claims 7 and 15, Prakash discloses the limitations of the method of claim 1 and the system of claim 9.
Prakash discloses the limitations of claims 7 and 15 as follows:
	wherein the set of authorization restrictions define a subgraph of types and fields the client application is authorized to view (paras. [0046], [0050]-[0051]: GraphQL policies define types of data, such as SSN’s, and headers and fields that the client is authorized and not authorized to view).

	Regarding claims 8 and 16, Prakash discloses the limitations of the method of claims 1 & 7 and the system of claims 9 & 15.
Prakash discloses the limitations of claims 8 and 16 as follows:
	wherein the response to the first query corresponds to the subgraph defined by the set of authorization restrictions (paras. [0046]-[0048], [0051]: response to the query corresponds to the authorized types of data defined by the GraphQL policies).

	Regarding claim 9, Prakash discloses the limitations substantially as follows:
An authorization system (para. [0030]: GraphQL API management system), comprising: 
	one or more processors; and 
	a memory storing instructions that, when executed by the one or more processors, cause the authorization system to perform operations comprising: 
	receiving a first query from a client application (paras. [0006], [0032], [0045]: receiving a query from a client/customer environment); 
	determining an authorization context for the first query based at least in part on a set of authorization restrictions corresponding to the client application (paras. [0019], [0033]: determining a context for the query based on a set of GraphQL policies/restrictions customized to a client/customer environment (i.e. corresponding to the customer/client applications)); 
	generating a response to the first query based at least in part on an intermediate response generated by a query engine, the response redacted based at least in part on the authorization context (paras. [0033], [0034], [0039], [0042]-[0043], [0048]: generating a redacted query or redacted query results (i.e. redacted response) in response to generating by the API gateway (i.e. query engine) query characteristics and applicable GraphQL policies (i.e. an intermediate response), where the redacted response is based at least in part on the context of the customer environment (i.e. authorization context)); and 
	providing the response to the client application (paras. [0034], [0048]: providing the response to the client/customer environment).
While Prakash does not explicitly disclose policies that correspond to a client application, it would have been obvious to one of ordinary skill in the art at the time of the invention, based on Prakash’s disclosure of customizing GraphQL policies to correspond to a customer/client environment, to customize GraphQL policies that correspond to the client applications within the customer environment in order to enable further tailoring responses to queries based on the individual customer applications in the customer/client environment.  

	Regarding claim 17, Prakash discloses the limitations substantially as follows:
An authorization system, comprising: 
	a GraphQL query engine (paras. [0030]-[0033]: API gateway comprises engines for processing GraphQL queries); 
	an authorization rule store storing a set of authorization restrictions associated with a client application (para. [0033], Fig. 2: storing a set of GraphQL policies associated with a client/customer environment in an API assembly); and 
	a query authorization redactor (QAR) (para. [0030]: GraphQL API management system) configured to: 
	receive a first query from the client application (paras. [0006], [0032], [0045]: receiving a query from a client/customer environment); 
	determine an authorization context for the first query based at least in part on the set of authorization restrictions (paras. [0019], [0033]: determining a context for the query based on a set of GraphQL policies/restrictions customized to a client/customer environment (i.e. corresponding to the customer/client applications));
	generate a response to the first query based at least in part on an intermediate response generated by the GraphQL query engine, the response redacted based at least in part on the authorization context (paras. [0033], [0034], [0039], [0042]-[0043], [0048]: generating a redacted query or redacted query results (i.e. redacted response) in response to generating by the API gateway (i.e. query engine) query characteristics and applicable GraphQL policies (i.e. an intermediate response), where the redacted response is based at least in part on the context of the customer environment (i.e. authorization context)); and 
	provide the response to the client application (paras. [0034], [0048]: providing the response to the client/customer environment).
While Prakash does not explicitly disclose policies that correspond to a client application, it would have been obvious to one of ordinary skill in the art at the time of the invention, based on Prakash’s disclosure of customizing GraphQL policies to correspond to a customer/client environment, to customize GraphQL policies that correspond to the client applications within the customer environment in order to enable further tailoring responses to queries based on the individual customer applications in the customer/client environment.  

	Regarding claim 18, Prakash discloses the system of claim 17.
Prakash discloses the limitations of claim 18 as follows:
	The authorization system of claim 17, wherein the set of authorization restrictions are determined independently of the GraphQL query engine (paras. [0019], [0033]: policies/restrictions are based on client/customer environment and applications rather than (i.e. independent of) the API gateway (i.e. query engine)).

	Regarding claim 19, Prakash discloses the system of claim 17.
Prakash discloses the limitations of claim 19 as follows:
	The authorization system of claim 17, wherein the first query is not an introspection query (para. [0032]: query from client is not for introspection), and wherein: 
	the QAR is further configured to generate a redacted query corresponding to the first query by redacting requests from the first query based at least in part on the set of authorization restrictions (paras. [0034], [0042]: API gateway generates redacted query corresponding to the query received from the client (i.e. first query) by redacting the requests in the query based on security GraphQL policies (i.e. set of authorization restrictions)); 
	the GraphQL query engine is configured to generate a response to the redacted query (paras. [0034]: API gateway generates response to the query from the client comprises a response to the redacted query); and 
	the QAR is further configured to generate the response to the first query to include the response to the redacted query (paras. [0030], [0034]: GraphQL API management system sends response to the query from the client comprises a response to the redacted query).

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 2021/0218773), as applied to claims 1 and 9, further in view of Brookler (US 2018/0293238).  
	Regarding claims 5 and 13, Prakash discloses the limitations of the method of claims 1, 3 & 4 and the system of claims 9 & 11-12.
Prakash does not disclose the limitations of claims 5 and 13 as follows:
	wherein generating the response to the first query further comprises adding one or more authorization errors to the response corresponding to each of the redacted requests.
However, in the same field of endeavor, Brookler discloses the limitations of claims 5 and 13 as follows:
	wherein generating the response to the first query further comprises adding one or more authorization errors to the response corresponding to each of the redacted requests (paras. [0025], [0031]: generating the response to the query by adding redacted errors to the response corresponding to each query/request resulting in redacted data (i.e. redacted requests)).
Brookler is combinable with Prakash because both are from the same field of endeavor of redacting query data.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Brookler’s method of adding one or more authorization errors to the response with the system of Prakash in order to safely provide the customer/user receiving the response with notification that there has been an error without releasing protected detail information.

Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 2021/0218773), as applied to claims 1, 9 and 17, further in view of Tamjidi (US 2019/0340287).  
	Regarding claims 6 and 14, Prakash discloses the limitations of the method of claims 1 & 3 and the system of claims 9 & 11.
Prakash discloses the limitations of claims 6 and 14 as follows:
	wherein the first query is a query (paras. [0006], [0032], [0045]: first query), and wherein the method further comprises: 
	generating an unredacted response to the first query (paras. [0033]-[0034], [0042]-[0043], [0046], [0048]: determining query characteristics in response to receiving the query (i.e. generating an unredacted response to the query)); and 
	generating the response to the first query by redacting from the unredacted response, the redactions based at least in part on the set of authorization restrictions (paras. [0033]-[0034], [0041]-[0043], [0046], [0048]: generating the response to the query by redacting one or more characteristics defined by the GraphQL policies (i.e. based on the authorization restrictions) from determined query characteristics).
Prakash does not explicitly disclose the remaining limitations of claims 6 and 14 as follows:
	wherein the first query is an introspection query, and wherein the method further comprises: 
	generating the response to the first query by redacting one or more definitions from the unredacted response, 
However, in the same field of endeavor, Tamjidi discloses the remaining limitations of claims 6 and 14 as follows:
	wherein the first query is an introspection query (paras. [0062]-[0063]: when query is an introspection query), and wherein the method further comprises: 
	generating an unredacted response to the first query (paras. [0062]: generating unredacted response comprising list of tables or fields from the GraphQL schema that are available to be referenced by the query).
	generating the response to the first query by redacting one or more definitions from the unredacted response (paras. [0057]: generating a response to the query by censoring/redacting the defined terms/definitions from the GraphQL schema (i.e. from the unredacted response)), 
Tamjidi is combinable with Prakash because both are from the same field of endeavor of redacting query data based upon GraphQL policies.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Tamjidi’s method of generating responses based upon introspection queries with the system of Prakash in order to provide clients with detailed information with which to generate the queries based upon enabling introspectively querying the GraphQL schema “to determine which tables or fields are available to be referenced by the query” based upon the rights of the user (Tamjidi, para. [0062]).

	Regarding claim 20, Prakash discloses the system of claim 17.
Prakash discloses the limitations of claim 20 as follows:
	The authorization system of claim 17, wherein the first query is a query, and wherein: 
	the GraphQL query engine is further configured to generate an unredacted response to the first query (paras. [0033]-[0034], [0042]-[0043], [0046], [0048]: determining query characteristics in response to receiving the query (i.e. generating an unredacted response to the query)); and 
	the QAR is further configured to generate the response to the first query by redacting from the unredacted response, the redactions based at least in part on the set of authorization restrictions (paras. [0033]-[0034], [0041]-[0043], [0046], [0048]: generating the response to the query by redacting one or more characteristics defined by the GraphQL policies (i.e. based on the authorization restrictions) from determined query characteristics).
Prakash does not explicitly disclose the remaining limitations of claim 20 as follows:
	wherein the first query is an introspection query, and wherein: 
	the QAR is further configured to generate the response to the first query by redacting one or more definitions from the unredacted response, 
However, in the same field of endeavor, Tamjidi discloses the remaining limitations of claim 20 as follows:
	wherein the first query is an introspection query (paras. [0062]-[0063]: when query is an introspection query), and wherein: 
	generating an unredacted response to the first query (paras. [0062]: generating unredacted response comprising list of tables or fields from the GraphQL schema that are available to be referenced by the query).
	the QAR is further configured to generate the response to the first query by redacting one or more definitions from the unredacted response (paras. [0057]: generating a response to the query by censoring/redacting the defined terms/definitions from the GraphQL schema (i.e. from the unredacted response)), 
Tamjidi is combinable with Prakash because both are from the same field of endeavor of redacting query data based upon GraphQL policies.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Tamjidi’s method of generating responses based upon introspection queries with the system of Prakash in order to provide clients with detailed information with which to generate the queries based upon enabling introspectively querying the GraphQL schema “to determine which tables or fields are available to be referenced by the query” based upon the rights of the user (Tamjidi, para. [0062]).

Conclusion
For the above-stated reasons, claims 1-20 are rejected.
Prior art considered but not relied upon includes:
1) Hockey (US 2022/0028012) discloses using GraphQL as the API for this invention and redacting results of a query such as redacting merchant names, redacting amounts or dates or account numbers or transactions of authorized users or certain transaction types (paras. [0066], [0253], [0271], [0647]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438