DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to application 17/008,547 filed on 8/31/2020.
Claims 1-20 have been examined and are pending in this application.
The examiner notes the IDS filed 9/17/2020 has been considered. 

Claim Objections
Claims 1, 2, 11, 12 and 20 are objected to because of the following informalities:  
Regarding Claims 1, 11 and 20; claims 1, 11 and 20 recite “user’s permission....”. The examiner notes that, for better clarity, the language should be further amended to “permission of the user” to remove the possessive. Appropriate correction is required.

Regarding Claims 2 and 12; claims 2 and 12 recite “platform’s Application Programming Interface (API)...”. The examiner notes that, for better clarity, the language should be further amended to “Application Programming Interface (API) of the computing platform...”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9, 11-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dutta (US 2005/0177570 A1) in view of Shimizu (US 2017/0230433 A1) and Wiese (US 8,230,484 B1).

Regarding Claim 1;
Dutta discloses a computing platform comprising:
a network interface (FIG. 11);
at least one processor (FIG. 11);
a non-transitory computer-readable medium (FIG. 11); and
program instructions stored on the non-transitory computer readable medium that are
executable by the at least one processor such that the computing platform is configured to:
receive a request to access one or more resources on behalf of a given user (FIG. 1-3 and FIG. 5 – receive query and [0069]);
identify a parameter within the request that requires a permission verification ([0037]-[0039] – data_name and [0048]-[0054] - emp and [0070] - At reference numeral 520, security expression(s) for the user can be obtained. For example, the owner of data in the database can create one or more security expressions for her data and link such expressions to the user. It is to be appreciated that one or more security expressions can be created for one or more tables and provided to one or more users);
apply a verification [expression] to the parameter, wherein the verification [expression] indicating that a permission verification has not been successfully performed for the given user with respect to the parameter ([0037]-[0039] – expression_name and/or expression and [0048]-[0049] – SalLimit and [0071] - At 530, the query can be augmented with the security expressions. When more than one expression is utilized, respective expressions can be aggregated into a logical statement via logical ANDs and/or ORs to provide a decision. In addition, such expressions can be created that expressly allow (e.g., grant) or prohibit (e.g., deny) access to data when satisfied. Since satisfying a data prohibiting such expression results in a "true," the complement can be utilized so that satisfying such expression results in "false");
perform a permission verification for the given user with respect to the parameter ([0039] - For example, when utilizing SQL, data administrators can link a created security expression for a particular source of data to a user and/or group of users via the GRANT, REVOKE and DENY utilities and/or remove a security expression via the DROP utility, as described in detail below and [0071] - At 530, the query can be augmented with the security expressions. When more than one expression is utilized, respective expressions can be aggregated into a logical statement via logical ANDs and/or ORs to provide a decision. In addition, such expressions can be created that expressly allow (e.g., grant) or prohibit (e.g., deny) access to data when satisfied. Since satisfying a data prohibiting such expression results in a "true," the complement can be utilized so that satisfying such expression results in "false." Thus, an aggregated expression can be created that returns "true" when at least one grant expression is satisfied and no deny expressions evaluate to "true." It is to be appreciated that although Boolean expressions can be employed, other techniques can be utilized in accordance with an aspect of the present invention);
based on performing the permission verification for the given user with respect to the parameter, either (i) [as a result of the] verification [expression] ... indicating that a permission verification has been successfully performed for the given user with respect to the parameter if the given user’s permission with respect to the parameter is successfully verified or (ii) [as a result of the] verification [expression indicating] if the given user’s permission with respect to the parameter is not successfully verified ([0031] – “1” or “0” and [0071] - Since satisfying a data prohibiting such expression results in a "true," the complement can be utilized so that satisfying such expression results in "false." Thus, an aggregated expression can be created that returns "true" when at least one grant expression is satisfied and no deny expressions evaluate to "true." It is to be appreciated that although Boolean expressions can be employed, other techniques can be utilized in accordance with an aspect of the present invention); and 
determine whether to grant or deny the request based at least in part on the verification [expression] for the parameter (FIG. 5 and [0071] – grant... deny).
Dutta fails to explicitly disclose concepts of:
apply a verification tag wherein the verification is set to a first value indicating that a permission verification has not been successfully performed for the given user ...;
based on performing the permission verification for the given user ..., either (i) update the verification tag from the first value to a second value indicating that a permission verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified or (ii) leave the verification tag set to the first value if the given user’s permission with respect ... is not successfully verified.
Further, in an analogous art, Shimizu teaches concepts of:
a verification tag... indicating... a permission verification... for the given user...(Shimizu, [0043] – Flag);
based on performing the permission verification for the given user ..., either (i) update the verification tag [to a “second” value] indicating that a permission verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified or (ii) [update the tag to a “first” value] if the given user’s permission with respect ... is not successfully verified (Shimizu, [0043] - Specifically, information for controlling access is added to each individual operation setting and at the timing of the completion of the setting of the operation setting based on the policy data, the user access is limited. As information for controlling access, there is a flag that prohibits user access, for example, in the case of “ON”, and permits user access in the case of “OFF” (releases the access limit)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shimizu with the security expression of Dutta to include features of a verification tag... indicating... a permission verification... for the given user...; based on performing the permission verification for the given user ..., either (i) update the verification tag [to a “second” value] indicating that a permission verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified or (ii) [update the tag to a “first” value] if the given user’s permission with respect ... is not successfully verified.
One would have been motivated to combine the teachings of Shimizu with Dutta because doing so allows access from a user to be limited for an [operation] based on the policy data (Shimizu, [0043]).
However, in an analogous art, Wiese teaches concepts of:
apply a verification..., wherein the verification is set to a first [state] indicating that a permission verification has not been successfully performed for the given user ... (Wiese, col. 4, lines 7-18 – denying, by default, access to a resource... via a permission list.... wherein the permission list by default the access to a particular group... wherein the authenticating (i.e., indicating that a permission verification has not been successfully performed for the given user));
based on performing the permission verification for the given user ..., either (i) update the verification from [a] first [state] to a second [state] indicating that a permission verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified or (ii) leave the verification ... set to the first [state] if the given user’s permission with respect ... is not successfully verified (Wiese, col. 4, lines 7-18 – denying, by default, access to a resource... via a permission list.... wherein the permission list by default the access to a particular group...; and wherein the updating (i.e., via authenticating limitation from EC1), removes the particular user from the particular group) (i.e., verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified). As reasonably construed, if authenticated, a user is removed from the list (i.e., going from a first state to a second state); if authenticated, the user’s permission is verified, and if not authenticated, the user’s permission would not be verified and is thus still left at the first value (i.e., denied).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wiese with the security expression/tags of Dutta and Shimizu to include features of: apply a verification..., wherein the verification is set to a first [state] indicating that a permission verification has not been successfully performed for the given user ...; based on performing the permission verification for the given user ..., either (i) update the verification from [a] first [state] to a second [state] indicating that a permission verification has been successfully performed for the given user ... if the given user’s permission ...is successfully verified or (ii) leave the verification ... set to the first [state] if the given user’s permission with respect ... is not successfully verified; thus making such features obvious when combined to be incorporated into the tag (i.e., first tag value being updated to a new tag value or remaining the same).
One would have been motivated to combine the teachings of Wiese with Dutta and Shimizu because doing so provides performance, efficiency, and utility of use in authentication (Wiese, col. 1, lines 20-25).
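
The mechanism discussed in the Claim 1 rejection can be illustrated with a short sketch. This is an added example, not code from the application, the Office Action, or any cited reference; it combines a per-parameter tag that starts at the "first value" with a decision that is true only when at least one grant expression is satisfied and no deny expression is. The names `Tag`, `Expression`, `verify`, `decide`, and all sample data are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Tag(Enum):
    UNVERIFIED = "first value"   # no successful permission verification yet
    VERIFIED = "second value"    # permission verification succeeded


@dataclass(frozen=True)
class Expression:
    """One grant or deny rule; the predicate stands in for a security expression."""
    effect: str                              # "grant" or "deny"
    predicate: Callable[[str, str], bool]    # (user, parameter value) -> bool


def verify(user: str, value: str, expressions: List[Expression]) -> bool:
    """True only when at least one grant is satisfied and no deny is satisfied."""
    granted = any(e.predicate(user, value) for e in expressions if e.effect == "grant")
    denied = any(e.predicate(user, value) for e in expressions if e.effect == "deny")
    return granted and not denied


def decide(user: str, params: Dict[str, str], protected: Set[str],
           expressions: List[Expression]) -> Tuple[bool, Dict[str, Tag]]:
    # Every parameter that requires verification starts at the first value.
    tags = {name: Tag.UNVERIFIED for name in params if name in protected}
    for name in tags:
        try:
            if verify(user, params[name], expressions):
                tags[name] = Tag.VERIFIED
        except Exception:
            # A check that errors out never touches the tag, so it fails closed.
            continue
    # Grant only if every tagged parameter reached the second value.
    # A request with no protected parameters has nothing to verify.
    return all(tag is Tag.VERIFIED for tag in tags.values()), tags


# Constructed sample data (hypothetical users, resources and rules).
ACL = {("alice", "doc-1"), ("alice", "doc-2"), ("bob", "doc-1")}
SUSPENDED = {"bob"}
PROTECTED = {"document_id"}
EXPRESSIONS = [
    Expression("grant", lambda user, value: (user, value) in ACL),
    Expression("deny", lambda user, value: user in SUSPENDED),
]


def broken_lookup(user: str, value: str) -> bool:
    raise TimeoutError("permission backend unavailable")


if __name__ == "__main__":
    for who, doc in [("alice", "doc-1"), ("bob", "doc-1"), ("alice", "doc-9")]:
        print(who, doc, decide(who, {"document_id": doc}, PROTECTED, EXPRESSIONS))
    print(decide("alice", {"document_id": "doc-1"}, PROTECTED,
                 [Expression("grant", broken_lookup)]))
```

Because the tag is only ever moved by a successful check, a skipped, failed, or crashed verification leaves the request denied rather than granted.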

Regarding Claim 2;
Dutta and Shimizu and Wiese disclose the platform of Claim 1.
Dutta further discloses wherein the program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to identify the parameter within the request that requires a permission verification comprise program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: use available information about the computing platform's Application Programming Interface (API) to identify the parameter within the request that requires a permission verification ([0027]-[0028] - The input component 110 receives queries. Such queries can be initiated from essentially any database programming language such as SQL, for example, and directed over a data repository that includes one or more databases, tables, contextual information, etc. The query manager 120 can augment a received query to incorporate data security therein. Such security can be created by the owner of data within the data repository, wherein the created security provides security for that owner's data.... Moreover, the creator of the table can link one or more of the security expressions to one or more queriers and [0031] - FIG. 2 illustrates the data security system 100 with the input component 110, the query manager 120, the output component 130, and, additionally, an optimizer 210. As noted above, the input component 110 receives requests for queries over a data repository of variously structured data. The query manager 120 augments requests to incorporate data security expressions therein. Such security can be created by the owner of data within the data repository, wherein the created security provides security for that owner's data and [0037] - Application Program Interface (API) (not shown) can be utilized by an administrator of data to create security expressions related to their data in the expression bank... create security expression). As reasonably construed, by using created security expressions via the API, the system identifies parameters in the user’s request that is augmented.

Regarding Claim 3;
Dutta and Shimizu and Wiese disclose the platform of Claim 1.
Dutta further discloses wherein the parameter comprises an identifier of the one or more resources for which access is requested ([0027]-[0028] - The input component 110 receives queries. Such queries can be initiated from essentially any database programming language such as SQL, for example, and directed over a data repository that includes one or more databases, tables, contextual information, etc.).

Regarding Claim 4;
Dutta and Shimizu and Wiese disclose the platform of Claim 3.
Dutta further discloses wherein the program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to perform the permission verification for the given user with respect to the parameter comprise program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: obtain permission information for the given user ([0054]-[0055] – Grant... User1 is a user granted permission...); and based on the obtained permission information and the identifier of the one or more resources, determine whether the given user has permission to access the one or more resources ([0054]-[0055] – Grant... User1 is a user granted permission to the data in the rows of the table (i.e., resources) that satisfy SalLimit).

Regarding Claim 5;
Dutta and Shimizu and Wiese disclose the platform of Claim 1.
Dutta further discloses wherein the request to access the given resource on behalf of the given user is received from a client station associated with the given user (FIG. 4 – Query Manager in 405, see [0041] – user access point and [0054]-[0055] – Grant... User1 is a user granted permission...).

Regarding Claim 6;
Dutta and Shimizu and Wiese disclose the platform of Claim 1.
Dutta further discloses wherein the program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to determine whether to grant or deny the request based at least in part on the verification [expression] for the parameter comprise program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: ...  grant the request ([0071] - At 530, the query can be augmented with the security expressions. When more than one expression is utilized, respective expressions can be aggregated into a logical statement via logical ANDs and/or ORs to provide a decision. In addition, such expressions can be created that expressly allow (e.g., grant) or prohibit (e.g., deny) access to data when satisfied. Since satisfying a data prohibiting such expression results in a "true," the complement can be utilized so that satisfying such expression results in "false." Thus, an aggregated expression can be created that returns "true" when at least one grant expression is satisfied and no deny expressions evaluate to "true." It is to be appreciated that although Boolean expressions can be employed, other techniques can be utilized in accordance with an aspect of the present invention).
Shimizu further teaches determine that the verification tag for the parameter is set to the second value indicating that a permission verification has been successfully performed for the given user with respect to the parameter ([0043] – controlling access... “ON”); and in response to determining that the verification tag for the parameter is set to the second value, grant the request ([0043] – controlling access... “ON”).

Regarding Claim 7;
Dutta and Shimizu and Wiese disclose the platform of Claim 6.
Dutta further discloses further comprising program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: after granting the request, cause a client station associated with the given user to display an electronic version of the one or more resources to the given user (FIG. 4 and [0028] – provides access to the data).

Regarding Claim 8;
Dutta and Shimizu and Wiese disclose the platform of Claim 7.
Dutta further discloses further comprising program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: after granting the request, (i) update the one or more resources according to the request (FIG. 9 and [0078] - The system 900 can utilize SQL utilities such as CREATE; DROP; GRANT; REVOKE; and DENY, to facilitate access control at the row level and are advantageous when employing, inter alia, a SELECT, an UPDATE, a DELETE, and/or an INSERT action on a table), and (ii) cause a client station associated with the given user to display an electronic version of the updated one or more resources to the given user (FIG. 4 and [0028] – provides access to the data).

Regarding Claim 9;
Dutta and Shimizu and Wiese disclose the platform of Claim 1.
Dutta further discloses wherein the program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to determine whether to grant or deny the request based at least in part on the verification [expression] for the parameter comprise program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: ...deny the request ([0071] - At 530, the query can be augmented with the security expressions. When more than one expression is utilized, respective expressions can be aggregated into a logical statement via logical ANDs and/or ORs to provide a decision. In addition, such expressions can be created that expressly allow (e.g., grant) or prohibit (e.g., deny) access to data when satisfied. Since satisfying a data prohibiting such expression results in a "true," the complement can be utilized so that satisfying such expression results in "false." Thus, an aggregated expression can be created that returns "true" when at least one grant expression is satisfied and no deny expressions evaluate to "true." It is to be appreciated that although Boolean expressions can be employed, other techniques can be utilized in accordance with an aspect of the present invention).
Shimizu further teaches determine that the verification tag for the parameter is set to the first value indicating that a permission verification has not been successfully performed for the given user with respect to the parameter ([0043] – controlling access... “OFF”); and in response to determining that the verification tag for the parameter is set to the second value, deny the request ([0043] – controlling access... “OFF”).

Regarding Claims 11-18; claims 11-18 are directed to a medium associated with the platform claimed in claims 1-9. Claims 11-18 are similar in scope to claims 1-9 and are therefore rejected under similar rationale.

Regarding Claim 20; claim 20 is directed to a method associated with the platform claimed in claim 1. Claim 20 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dutta (US 2005/0177570 A1) in view of Shimizu (US 2017/0230433 A1) and Wiese (US 8,230,484 B1) and further in view of Brickell (US 2002/0147917 A1).

Regarding Claim 10;
Dutta and Shimizu and Wiese disclose the medium of Claim 9.
Dutta and Shimizu and Wiese fail to explicitly disclose further comprising program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: store the denied request in a log.
However, in an analogous art, Brickell teaches concepts of:
further comprising program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: store the denied request in a log (Brickell, [0022] - The server 130 can log all such requests, both fulfilled requests and denied requests.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brickell with the medium of Dutta and Shimizu to include program instructions stored on the non-transitory computer readable medium that are executable by the at least one processor such that the computing platform is configured to: store the denied request in a log.
One would have been motivated to combine the teachings of Wiese with Dutta and Shimizu because doing so allows distributing secured information and notifying “entities” of pending, fulfilled, or denied requests (Brickell, [0001] and [0022]).

Regarding Claim 19; claim 19 is directed to a medium associated with the platform claimed in claim 10. Claim 19 is similar in scope to claim 10 and is therefore rejected under similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439