Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.




DETAILED ACTION

Allowable Subject Matter
Claim 4 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 112


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 7 and 8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim 2 recites “…the viewed object is the role…or one of all the roles…”, “…the grantee and the viewed object are both users…” and “…the grantee and the viewed object are both employees…”; however, it is unclear to The Examiner how a viewed object can be a role, how a viewed object can be a user, and how a viewed object can be an employee. It is also unclear to The Examiner whether Applicant intends for all of these conditions to be satisfied at one time. In addition, claim 7 is unclear for essentially the same reasons. In addition, claim 8 is unclear because it is unclear to The Examiner what “…the relation time…” refers to. As a result, the metes and bounds of the claims are not clear and appropriate prior art cannot be searched and applied. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 5, 6, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over AAPA (Applicant Admitted Prior Art as disclosed in the as-filed disclosure) in view of Grack (US Pub. No. 2015/0040234 A1) in view of Wang (Machine Translation of CN 101510238 B).


Per claim 1, AAPA suggests a method for setting a permission to view an operation record based on a time range, comprising: selecting a grantee (reads on user with role employee A is temporarily transferred to investigate operation records within a certain time range of a user with role employee B, see AAPA para 0010); setting one or more viewed objects (reads on the employee obtains the permission to view all authorized operation records for the sales or production roles, see AAPA para 0010. The Examiner asserts those permissions must have been set in some fashion) for each grantee (a user with role employee B, see AAPA para 0010), wherein said grantee (reads on the user is associated with role employee A, see AAPA para 0010) and said viewed object (reads on all authorized operation records for the sales or production roles, see AAPA para 0010) are the same type as a role, a user, and an employee (reads on the user with role employee A and the user with role employee B are both users and both have the role employee and the operation records are associated with the role of sales or production, see AAPA para 0010); and setting a viewing-permission time range for each grantee (reads on user with role employee A is temporarily transferred to investigate operation records within a certain time range of a user with role employee B, see AAPA para 0010), wherein said grantee obtains a permission to view operation records of its corresponding viewed object within the viewing-permission time range of the grantee (reads on user with role employee A temporarily obtains the permission to view all the operation records of the user with role employee B, see AAPA para 0010); wherein said viewing-permission time range comprises one or more of the following five types: a time range from a time point (The Examiner construes this to be a necessary limitation of having temporary authority because in order to be temporary that authority must begin and end in a manner that has a duration, see AAPA para 0010), which is determined by going backwards from a current time for a fixed time length, to the current time, a time range from a start time to a current time, a time range from a deadline to a system initial time, a time range from a start time to a deadline, and a time range from a system initial time to a current time (The Examiner construes this to be a necessary limitation of having temporary authority because in order to be temporary that authority must begin and end in a manner that has a duration, see AAPA para 0010). AAPA does not explicitly state said grantee and said viewed object are the same type as a role.

[0010] In the conventional management software system such as ERP, after an employee/a user obtains the permission to view his/her operation records, the employee/user can view all his/her operation records, but in some cases, it will cause information leakage of the company. For example, after Zhang San is transferred from the post of sales manager to the post of production supervisor, Zhang San, who has been transferred to the production supervisor, no longer needs to view the operation records of sales approval. However, because Zhang San has the permission to view his/her approval operation records, Zhang San can still view his/her previous approval operation records (such as approval records of sales contracts) that belong to the sales manager. In this case, the company fails to take effective restriction measures (if not authorized with the permission to view his/her approval operation records, Zhang San will fail to view his/her current approval operation records that belong to the sales supervisor, and as a result, Zhang San fails to work normally), thus leading to the data leakage of the company. For another example, when an employee A is temporarily transferred to investigate operation records within a certain time range of an employee B, the permission to view the operation records of the employee B needs to be authorized to the employee A. After obtaining the permission, the employee A can view all the operation records of the employee B, causing the leakage of other operation records in addition to the to-be-investigated operation records among all the operation records of the employee B. Therefore, it can be learned that the existing method for authorizing the permission to view operation records cannot achieve permission control effectively in some cases, which is adverse to the information security of the company and easily causes loss to the company.

[0011] The conventional method for authorizing the permission to view operation records fails to set a dynamic viewing-permission time range based on a mode/rule of “using a relation time of a role (grantee/viewed object) and its currently-related user as a reference time point”. If the enterprise wants to set a viewing time range to authorize a role to view operation records of some roles by using the relation time as a reference time point, but the relation time is dynamic (many factors such as induction, transfer, and resignation of employees will change the role related to the corresponding user, and thus the relation time is uncertain), none of the conventional methods provides the solution of the time range with dynamic authorization. However, the method in the present application can perfectly solve such a problem.

Grack suggests 
said viewed object is the same type as a role (reads on the object instance is linked to one or more roles with their associated security definitions, see Grack para 0024, 0029 and 0033).

[0024] Referring now to FIG. 2, the reference numeral 200 generally designates a flow chart illustrating an overview of an exemplary embodiment of a method of implementing RBAC in the content manager 120 (FIG. 1) component of an ECM system, such as the ECM system 100 (FIG. 1). The content manager 120 component (FIG. 1) provides lifecycle management of content within the ECM system 100 (FIG. 1). Tasks related to lifecycle management of the content include creating, classifying, securing, and scheduling content for archival or disposal. The content manager 120 (FIG. 1) may provide several constructs, such as classes, to efficiently perform these tasks and manage the content, including for example a folder, a link, a document, and a record. One skilled in the art of the object-oriented data model may recognize that in a highly typed extensible object-oriented data model, a class provides a blueprint or prototype from which objects are created. Therefore, executing the blueprint or prototype for a class, such as the folder class, creates an object instance of the class, such as a folder object.

[0029] At 220, the object instance may be linked to one or more roles. More particularly, when a content class is instantiated, the class instance 360 (FIG. 3) inherits its security definitions through the security proxy link 331 (FIG. 3) to the associated security adapter object 330 (FIG. 3).

[0033] Referring now to FIG. 4, the reference numeral 400 generally illustrates a variant of the exemplary embodiment illustrated in FIG. 3. The class instances 360 (FIG. 3) for the record class and the link class, along with their associated security adapter objects 330 are omitted in FIG. 4 for simplification, but their inclusion would otherwise apply. An additional role object 410 is provided to illustrate the relationships among the objects in a content manager 120 (FIG. 1) that includes more than one role. FIG. 4 uses a second role object 410 to illustrate the one-to-one relationship between the role object 410 and the role adapter object 420 using the link 411 property relating them. The role provided by role object 410 also includes accessing the class instance 360. Therefore, the link 433 property may also be stored in the security adapter object 330 for the class instance 360, which now inherits its security definitions from both the role object 310 and the role object 410.


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the access and role teachings of the prior art of record by integrating the access and role teachings of Grack to realize the instant limitations. One or more of the underpinning rationales discussed in KSR International Co. v. Teleflex Inc., 550 U.S. 398, 82 U.S.P.Q.2d 1385 (2007), see also MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known technique of Grack of linking an object to a role would have yielded predictable results and resulted in an improved system where the object’s security is inherited from its role. It would have been recognized that applying the object-tied-to-a-role technology of Grack to the object access teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such role-based object security technology into similar systems that would allow more tailored object security configurations. The motivation to combine the references applies to all claims under this heading.

Wang suggests 
said grantee is the same type as a role (reads on the user having the authority corresponding to a particular role where there is a 1:1 relationship between user and role, see Wang para 0039 – 0041).

[0005] Therefore, the main object of the present invention is to provide a secure access method and system for document library to realize the safe transmission of the role key. 

[0039] To carry out this step, roles are first created in the document library system according to the technical solution disclosed in the background art cited by the patent application, and corresponding authority is then distributed to each role. When logging in to the document library system, the login information of the role is used to authenticate the identity after login. The user of the invention refers to the visitor of the documents or of the document library system. When the user accesses the document library system through the corresponding user terminal, the user must be registered to the corresponding role.

[0040] In this step, the corresponding relationship between the user and the role may be set as a many-to-many relationship; that is, one role may correspond to a plurality of users, the plurality of users can use the same role to log in to the document library system and have the same rights in the document library system, and a user may also correspond to multiple roles, which indicates that the user may have the authority of multiple roles.

[0041] Of course, the corresponding relationship between the user and the role can also be a one-to-one, one-to-many or many-to-one corresponding relationship. In the invention, the correspondence between the role and the users is achieved through the key of the role being given to the user.


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the access and role teachings of the prior art of record by integrating the access and role teachings of Wang to realize the instant limitations. One or more of the underpinning rationales discussed in KSR International Co. v. Teleflex Inc., 550 U.S. 398, 82 U.S.P.Q.2d 1385 (2007), see also MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known technique of Wang of a user having a 1:1 relationship with a role would have yielded predictable results and resulted in an improved system where the access method of the user is more secure (see Wang para 0005). It would have been recognized that applying the user-tied-to-a-role technology of Wang to the role access teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such role-based technology into similar systems that would allow more tailored security configurations. The motivation to combine the references applies to all claims under this heading.

Per claim 3, the prior art of record further suggests wherein said role is an independent individual not a group/a class (reads on the user having the authority corresponding to a particular role where there is a 1:1 relationship between user and role, see Wang para 0039 – 0041), and during the same period, one role can only be related to a unique user (reads on the user having the authority corresponding to a particular role where there is a 1:1 relationship between user and role, see Wang para 0039 – 0041), while one user is related to one or more roles (reads on the user having the authority corresponding to a particular role where there is a 1:1 relationship between user and role, see Wang para 0039 – 0041); and the user obtains the permissions of the related role (reads on the user having the authority corresponding to a particular role where there is a 1:1 relationship between user and role, see Wang para 0039 – 0041).
Claim 5 is analyzed with respect to claim 1. The prior art of record further suggests  setting a viewing-permission time range (reads on the certain temporary time range employee A is allowed for viewing the permitted records, see AAPA para 0010) for each viewed object respectively (reads on the object instance is linked to one or more roles with their associated security definitions, see Grack para 0024, 0029 and 0033), wherein said grantee obtains a permission to view operation records of each corresponding viewed object within the viewing-permission time range of each viewed object (reads on the certain temporary time range employee A is allowed for viewing the permitted records, see AAPA para 0010).  
Claim 6 is analyzed with respect to claim 5.
Claim 9 is analyzed with respect to claim 3.
Claim 10 is analyzed with respect to claim 6.
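The mechanism analyzed above for claims 1, 3 and 5 (a grantee, its viewed objects, a viewing-permission time range of one of the five types recited in claim 1, roles as independent individuals related to at most one user at a time, and a range per viewed object as in claim 5) is shown here as an added worked example in Python. It is illustrative code written for this page, not the applicant's implementation and not code from Grack or Wang. The system initial time, the role and user names, the record timestamps and the evaluation time are constructed assumptions; the two scenarios in `demo` are modelled on the Zhang San transfer and the employee A / employee B investigation described in AAPA para 0010.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum, auto
from typing import Optional

SYSTEM_INITIAL_TIME = datetime(2020, 1, 1)  # assumed system initial time


class RangeType(Enum):
    """The five viewing-permission time-range types recited in claim 1."""
    BACK_FIXED_LENGTH_TO_NOW = auto()  # [now - fixed length, now]
    START_TO_NOW = auto()              # [start time, now]
    INITIAL_TO_DEADLINE = auto()       # [system initial time, deadline]
    START_TO_DEADLINE = auto()         # [start time, deadline]
    INITIAL_TO_NOW = auto()            # [system initial time, now]


@dataclass(frozen=True)
class TimeRange:
    kind: RangeType
    start: Optional[datetime] = None
    deadline: Optional[datetime] = None
    length: Optional[timedelta] = None

    def bounds(self, now: datetime) -> tuple[datetime, datetime]:
        """Resolve to concrete [lo, hi] at evaluation time `now`; the types
        ending at the current time move forward as the clock advances."""
        if self.kind is RangeType.BACK_FIXED_LENGTH_TO_NOW:
            return now - self.length, now
        if self.kind is RangeType.START_TO_NOW:
            return self.start, now
        if self.kind is RangeType.INITIAL_TO_DEADLINE:
            return SYSTEM_INITIAL_TIME, self.deadline
        if self.kind is RangeType.START_TO_DEADLINE:
            return self.start, self.deadline
        return SYSTEM_INITIAL_TIME, now

    def contains(self, t: datetime, now: datetime) -> bool:
        lo, hi = self.bounds(now)
        return lo <= t <= hi


@dataclass(frozen=True)
class OperationRecord:
    record_id: str
    role: str        # the record belongs to the role that performed the operation
    at: datetime


class PermissionStore:
    """Roles are independent individuals (claim 3): a role is related to at most
    one user at a time, a user may hold several roles, and the user obtains the
    view permissions granted to each related role."""

    def __init__(self) -> None:
        self.role_user: dict[str, str] = {}                 # role -> current user
        self.grants: dict[tuple[str, str], TimeRange] = {}  # (grantee, viewed object) -> range

    def relate(self, role: str, user: str) -> None:
        holder = self.role_user.get(role)
        if holder is not None and holder != user:
            raise ValueError(f"role {role!r} is already related to user {holder!r}")
        self.role_user[role] = user

    def unrelate(self, role: str) -> None:
        self.role_user.pop(role, None)

    def grant(self, grantee: str, viewed: str, rng: TimeRange) -> None:
        # One range per (grantee, viewed object) pair gives the claim-5 form;
        # reusing one range for all of a grantee's viewed objects gives claim 1.
        self.grants[(grantee, viewed)] = rng

    def roles_of(self, user: str) -> list[str]:
        return [r for r, u in self.role_user.items() if u == user]

    def can_view(self, user: str, rec: OperationRecord, now: datetime) -> bool:
        for grantee in self.roles_of(user):
            rng = self.grants.get((grantee, rec.role))
            if rng is not None and rng.contains(rec.at, now):
                return True
        return False


def demo(now: datetime = datetime(2024, 4, 10)) -> dict[str, bool]:
    """Constructed scenarios after AAPA para 0010; all dates are assumptions."""
    store = PermissionStore()
    # Zhang San moves from sales manager to production supervisor on 2024-03-01.
    store.relate("sales_manager", "zhang_san")
    store.grant("sales_manager", "sales_manager", TimeRange(RangeType.INITIAL_TO_NOW))
    store.unrelate("sales_manager")  # transfer: the sales role is no longer his
    store.relate("production_supervisor", "zhang_san")
    store.grant("production_supervisor", "production_supervisor",
                TimeRange(RangeType.START_TO_NOW, start=datetime(2024, 3, 1)))
    # Employee A (role post_a) investigates employee B's records for March only.
    store.relate("post_a", "employee_a")
    store.relate("post_b", "employee_b")
    store.grant("post_a", "post_b", TimeRange(RangeType.START_TO_DEADLINE,
                start=datetime(2024, 3, 1), deadline=datetime(2024, 3, 31)))
    old_sales = OperationRecord("r1", "sales_manager", datetime(2024, 2, 15))
    new_prod = OperationRecord("r2", "production_supervisor", datetime(2024, 3, 20))
    b_feb = OperationRecord("r3", "post_b", datetime(2024, 2, 20))
    b_mar = OperationRecord("r4", "post_b", datetime(2024, 3, 15))
    return {
        "zhang_old_sales": store.can_view("zhang_san", old_sales, now),
        "zhang_new_prod": store.can_view("zhang_san", new_prod, now),
        "a_sees_b_feb": store.can_view("employee_a", b_feb, now),
        "a_sees_b_mar": store.can_view("employee_a", b_mar, now),
    }
```

Because records are owned by the role rather than the user, Zhang San loses sight of the pre-transfer sales approvals as soon as the sales manager role is unrelated from him, while the bounded range given to post_a exposes only employee B's March records, which are the two leakage cases the background paragraph describes.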

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).




/BRIAN F SHAW/Primary Examiner, Art Unit 2496