PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/522,466
Filing Date: 25 Jul 2019
Appellant(s): Microsoft Technology Licensing, LLC



__________________
John W. Ogilvie
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed February 16, 2022.


(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated November 5, 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

The following ground(s) of rejection are applicable to the appealed claims.

MAINTAINED REJECTIONS


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 7, 10, 13 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2).
Regarding claim 1, Morris discloses: An access control system comprising an access controller, the access controller comprising:  5an access control memory [par. 0008]; an access control processor in operable communication with the access control memory [par. 0026, “the system includes a relationship manager 200 for managing relationships between system resources. In the illustrated example, relationship manager 200 includes a resource identifier 202 and a communications subsystem 204. Resource identifier 202 may identify resources selected by a user via a graphical user interface. Communication subsystem 204 may control communications between relationship manager 200 and other system resources”], the access control processor configured to perform access control steps which include (a) receiving a request by a requestor for access to a supplementary asset [par. 0052, “Larry has a picture of Moe on his desktop. He wants to be able to find all the resources related to Moe through this picture”, par. 0055, “Now Larry can select Moe's picture and request to see all the resources related to the picture”], (b) determining that 10the supplementary asset is related to a primary asset [FIG. 3 is a block diagram illustrating an exemplary database record that may be used to associate resources according to an embodiment of the subject matter described herein, par. 0034, “a relationship database 206 stores relationships created between resources based on behaviors”], (c) verifying that the request identifies or contains a proof of access to the primary asset, and (d) granting the access request based on a determination result of the determining step and on a verification result of the verifying step [par. 0048, “A security behavior may be an action where access to a second resource is conditioned on a user passing security measures associated with a first resource. For example, access to a first resource may be conditional on a user providing a user name and a password. If a user provides a user name and a password and is granted access to the first resource, the user may be automatically granted access to the second resource”];  15whereby the system provides an increase in available access to the supplementary asset without conditioning the increase in available access to the supplementary asset on any identity of the requestor [par. 0048, “A security behavior may be an action where access to a second resource is conditioned on a user passing security measures associated with a first resource”, claim 15, “determining a behavior includes determining a security behavior wherein access to the second resource depends on access to the first resource via at least one security behavior defined for the first resource”].
Morris does not explicitly disclose the supplementary asset is associated to a user account of a user who is not the requestor; granting the access request based on a determination result of the determining step and on a verification result of the verifying step even though the supplementary asset was not associated to an account of the requestor.    
However Graham et al. teaches the supplementary asset is associated to a user account of a user who is not the requestor [col. 1, lines 25-32, “provide a means for information sharing between separate business entities, and/or within these business entities; in particular, business platforms that may be hosted by a third party on behalf of a large number of separate business users that have a need to share certain selected information, and where access to the information should be restricted, permitted to a limited extent, or permitted based on information type and the particular user”]; granting the access request based on a determination result of the determining step and on a verification result of the verifying step even though the supplementary asset was not associated to an account of the requestor [claim 8, “a user assigned a role granting the user rights to access information of a first business entity representation automatically grants the user rights to access corresponding information of a second business entity representation based on a configurable link between the first business entity representation and the second business entity representation in the network of associated business entities”, col. 2, lines 33-35, “controlling user access to and manipulation of information shared by users through a common platform”, col. 2, lines 65-68, “based on the role of the user and whether the user's business entity has an association with the owner of that business object”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Graham et al. into the teaching of Marris with the motivation for controlling user access to and manipulation of information shared by users through a common platform as taught by Graham et al. [Graham et al.: col. 1, lines 25-32].
Regarding claim 7, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Morris discloses further discloses when the verification result of the verifying does not indicate the requestor has access to the primary asset, then denying the requestor access to the supplementary asset based on at least the verification result [par. 0048, “if the user is not granted access to the first resource, the user may be automatically denied access to the second resource”]; whereby the requestor is granted access to the supplementary asset or 5the requestor is denied access to the supplementary asset, without interactively seeking a supplementary asset access permission on behalf of the requestor from an administrator or an owner of the supplementary access [par. 0048, “A security behavior may be an action where access to a second resource is conditioned on a user passing security measures associated with a first resource”, claim 15, “determining a behavior includes determining a security behavior wherein access to the second resource depends on access to the first resource via at least one security behavior defined for the first resource”].  
Regarding claim 10, the rejection of claim 1 is incorporated.
Morris discloses further discloses the method grants the requestor 5access to the supplementary asset without conditioning that access on supplementary-asset-specific operations performed using a share link, a file share, or another explicit sharing management mechanism [par. 0048, “A security behavior may be an action where access to a second resource is conditioned on a user passing security measures associated with a first resource”, claim 15, “determining a behavior includes determining a security behavior wherein access to the second resource depends on access to the first resource via at least one security behavior defined for the first resource”].  
Regarding claim 13, the rejection of claim 7 is incorporated.
Morris discloses further discloses the method grants the requestor 20access to the supplementary asset without conditioning that access on a supplementary sign-in that is specifically performed to gain access to the supplementary asset [par. 0048, “A security behavior may be an action where access to a second resource is conditioned on a user passing security measures associated with a first resource”, claim 15, “determining a behavior includes determining a security behavior wherein access to the second resource depends on access to the first resource via at least one security behavior defined for the first resource”].  
Regarding claim 15, the rejection of claim 7 is incorporated.
Morris discloses further discloses the verifying comprises performing a challenge-response protocol to prove access to the primary asset [par. 0048, “access to a first resource may be conditional on a user providing a user name and a password. If a user provides a user name and a password and is granted access to the first resource”].  
Regarding claim 16, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.


Claims 2 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Nasr (US 2006/0101443 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
Morris and Graham et al. do not explicitly disclose the primary asset includes source 20code, and the supplementary asset includes at least one of the following: an artifact which was computationally derived at least in part from the source code; or a build component of a project in which the source code is also a build component.
However Nasr teaches the primary asset includes source 20code, and the supplementary asset includes at least one of the following: an artifact which was computationally derived at least in part from the source code; or a build component of a project in which the source code is also a build component [par. 0092, “Source Code Developers use the IDE application for software development needs. The IDE enables the developers to view project hierarchy as well as individual source code content, edit, compile individual source code files and perform builds of entire source code project”, par. 0064, “the action modules 122, the file management module 128, and the branch module 142 each include modules and functions permitting appropriate operations to be performed on a single file, multiple files, a single folder, and multiple folders. Further, the build module 119 includes functions and modules relating to creating builds, executing builds, which include source code and content”, par. 0066, “authorized users of the system must be assigned permission to perform any actions within the embodiment”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Nasr into the teaching of Morris and Graham et al. with the motivation for managing source code to perform a file action on a folder, and managing a source code project, associated with the source code file as taught by Nasr [Nasr: abs.].
Regarding claim 6, the rejection of claim 1 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the assets reside in different respective regions for at least one of the following definitions of a region: a local area network, a physical server, a computer, a data center, a trust domain, a web site, a web service, a repository, a machine learning model, a geographic city, a 20geographic county, a geographic state, or a geographic province.
However Nasr teaches the assets reside in different respective regions for at least one of the following definitions of a region: a local area network, a physical server, a computer, a data center, a trust domain, a web site, a web service, a repository, a machine learning model, a geographic city, a 20geographic county, a geographic state, or a geographic province [par. 0074, “At the time of check in, the file is retrieved from this local hierarchy for checking in. Alternately, the user can choose to pick the file from a different location on the local file system. The user has additional options while checking in a source code file, such as retain lock, make it the current version, keep a local copy after check in and subscribe to this file.”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Nasr into the teaching of Morris and Graham et al. with the motivation for managing source code to perform a file action on a folder, and managing a source code project, associated with the source code file as taught by Nasr [Nasr: abs.].

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Ahadian et al. (US 2010/0293523 A1).
Regarding claim 3, the rejection of claim 1 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the system further characterized in at least one of the following ways: the system comprises a requestor device having a requestor device memory and a requestor device processor, and the requestor 30device is configured to generate within an integrated development environment the request for access to the supplementary asset;  59 the system comprises an access controller web service interface, and the access controller receives the request through the access controller web service interface.  
However Ahadian et al. teaches the system further characterized in at least one of the following ways: the system comprises a requestor device having a requestor device memory and a requestor device processor, and the requestor 30device is configured to generate within an integrated development environment the request for access to the supplementary asset;  59 the system comprises an access controller web service interface, and the access controller receives the request through the access controller web service interface [par. 0034, “FIG. 1 also shows database servers 140, application server 150, and web servers 160. Additionally, the application server 150 includes a database application 155. The database application 155 is included to be representative of a complete, deployed application composed using the IDE tool 120. For example, database application 155 may be hosted by the application server 150 and configured to access databases in the database server 140. In such a scenario, users may access the database application 155 through a web-based interface, where web pages requested through the web server 160 are generated by the application server 150 (e.g., by issuing data requests to database servers 140 and encapsulating query results in HTML markup). Of course, this scenario represents just one possible scenario for an application generated from development project 124 developed using IDE tool 106”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ahadian et al. into the teaching of Morris and Graham et al. with the motivation for an integrated development environment ( IDE) tool to manage database aware application development as taught by Ahadian et al. [Ahadian et al.: par. 0009].

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Zang et al. (US 2016/0188301 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Morris and Graham et al. discloses an access control processor configured to perform access control steps.
They do not explicitly disclose the primary asset includes source code, the supplementary asset includes a model computationally derived at least in part from the source code, and the model is configured for use by an autocompletion tool.  
However Zang et al. teaches the primary asset includes source code, the supplementary asset includes a model computationally derived at least in part from the source code, and the model is configured for use by an autocompletion tool [par. 0032, “Metadata packager 124 may first parse each source code file 503 to determine if it is fully or partially annotated with comments. If complete and correct comments are available, metadata packager 124 invokes first metadata generator 123a to parse the comments and extract the metadata 502 for supporting editing features (e.g., autocompletion) of the code editor 122”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Zang et al. into the teaching of Morris and Graham et al. with the motivation for facilitating source code editing in which metadata may be extracted from the source code file of library and used to present the editing feature as taught by Zang et al. [Zang et al.: par. 0006].

Claims 5, 8-9, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Haikin (US 6757893 B1).
Regarding claim 5, the rejection of claim 1 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the primary asset includes source code in a version control system, the source code including source code versions at a plurality of commit points within the version control system, and wherein the supplementary asset includes an artifact that was computationally derived at least in part from the source code version at a commit point.    
However Haikin teaches the primary asset includes source code in a version control system, the source code including source code versions at a plurality of commit points within the version control system, and wherein the supplementary asset includes an artifact that was computationally derived at least in part from the source code version at a commit point [col. 4, lines 7-24, “each version of each source code line has a corresponding user code, which is stored in the source code storage, that contains information describing at least one of the software developers. Preferably, the user code identifies those software developers that are allowed to access and edit the version of the source code line to which the user code corresponds. In the case that a new version of a source code line is created corresponding to a source code line that has been accessed and edited by a software developer, the information contained in the user code corresponding to the new version preferably describes the software developer that accessed and edited the source code line…. each version of each source code line is stored in the source code storage in a compressed, canonical and format independent form in order to reduce storage requirements for the source code storage”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Haikin into the teaching of Morris and Graham et al. with the motivation for providing a software source code version control system for use during the development and maintenance of a software system by multiple software developers in which historical version tracking is maintained for all source code on a line-by-line basis without requiring excessive storage area, in which source code can be accessed and modified by more than one software developer at a time, in which historical version tracking of broad functional changes is provided, and in which quick and transparent access is provided to each version of the source code as taught by Haikin [Haikin: col. 3, lines 20-31].
Regarding claim 8, the rejection of claim 7 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the determining produces at least one of the following determination results, thereby representing a recognized relationship between the supplementary asset and the primary asset: at least a portion of one of the assets was computationally derived from at least a portion of the other asset;  15each asset belongs to the same software artifact build project; one of the assets is repository-resident and the other asset includes a development tool or artifact that is applicable to at least a portion of the repository-resident asset; one of the assets includes source code resident in a version control 20system and the other asset includes a development tool or artifact that is applicable to at least a portion of the source code; one of the assets includes a build dependency of the other asset or a runtime dependency of the other asset or both; one of the assets includes data stored in a system configured for large file 25storage and the other asset includes a text pointer or other reference to that data; or one of the assets includes a machine learning model which was trained at least in part using at least a portion of the other asset.    
However Haikin teaches the determining produces at least one of the following determination results, thereby representing a recognized relationship between the supplementary asset and the primary asset: at least a portion of one of the assets was computationally derived from at least a portion of the other asset;  15each asset belongs to the same software artifact build project; one of the assets is repository-resident and the other asset includes a development tool or artifact that is applicable to at least a portion of the repository-resident asset; one of the assets includes source code resident in a version control 20system and the other asset includes a development tool or artifact that is applicable to at least a portion of the source code; one of the assets includes a build dependency of the other asset or a runtime dependency of the other asset or both; one of the assets includes data stored in a system configured for large file 25storage and the other asset includes a text pointer or other reference to that data; or one of the assets includes a machine learning model which was trained at least in part using at least a portion of the other asset [col. 4, lines 7-24, “each version of each source code line has a corresponding user code, which is stored in the source code storage, that contains information describing at least one of the software developers. Preferably, the user code identifies those software developers that are allowed to access and edit the version of the source code line to which the user code corresponds. In the case that a new version of a source code line is created corresponding to a source code line that has been accessed and edited by a software developer, the information contained in the user code corresponding to the new version preferably describes the software developer that accessed and edited the source code line…. each version of each source code line is stored in the source code storage in a compressed, canonical and format independent form in order to reduce storage requirements for the source code storage”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Haikin into the teaching of Morris and Graham et al. with the motivation for providing a software source code version control system for use during the development and maintenance of a software system by multiple software developers in which historical version tracking is maintained for all source code on a line-by-line basis without requiring excessive storage area, in which source code can be accessed and modified by more than one software developer at a time, in which historical version tracking of broad functional changes is provided, and in which quick and transparent access is provided to each version of the source code as taught by Haikin [Haikin: col. 3, lines 20-31].
Regarding claim 9, the rejection of claim 7 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose there are multiple versions of the supplementary asset and multiple versions of the primary asset, and wherein the61 method further comprises mapping between a particular version of the supplementary asset and a particular version of the primary asset.    
However Haikin teaches there are multiple versions of the supplementary asset and multiple versions of the primary asset, and wherein the61 method further comprises mapping between a particular version of the supplementary asset and a particular version of the primary asset [col. 4, lines 7-24, “each version of each source code line has a corresponding user code, which is stored in the source code storage, that contains information describing at least one of the software developers. Preferably, the user code identifies those software developers that are allowed to access and edit the version of the source code line to which the user code corresponds. In the case that a new version of a source code line is created corresponding to a source code line that has been accessed and edited by a software developer, the information contained in the user code corresponding to the new version preferably describes the software developer that accessed and edited the source code line…. each version of each source code line is stored in the source code storage in a compressed, canonical and format independent form in order to reduce storage requirements for the source code storage”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Haikin into the teaching of Morris and Graham et al. with the motivation for providing a software source code version control system for use during the development and maintenance of a software system by multiple software developers in which historical version tracking is maintained for all source code on a line-by-line basis without requiring excessive storage area, in which source code can be accessed and modified by more than one software developer at a time, in which historical version tracking of broad functional changes is provided, and in which quick and transparent access is provided to each version of the source code as taught by Haikin [Haikin: col. 3, lines 20-31].
Regarding claim 12, the rejection of claim 7 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose there are multiple versions of the 15primary asset, and wherein the method further comprises associating different versions of the primary asset with corresponding versions of a proof of access to the primary asset.    
However Haikin teaches there are multiple versions of the 15primary asset, and wherein the method further comprises associating different versions of the primary asset with corresponding versions of a proof of access to the primary asset [col. 4, lines 7-24, “each version of each source code line has a corresponding user code, which is stored in the source code storage, that contains information describing at least one of the software developers. Preferably, the user code identifies those software developers that are allowed to access and edit the version of the source code line to which the user code corresponds. In the case that a new version of a source code line is created corresponding to a source code line that has been accessed and edited by a software developer, the information contained in the user code corresponding to the new version preferably describes the software developer that accessed and edited the source code line…. each version of each source code line is stored in the source code storage in a compressed, canonical and format independent form in order to reduce storage requirements for the source code storage”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Haikin into the teaching of Morris and Graham et al. with the motivation for providing a software source code version control system for use during the development and maintenance of a software system by multiple software developers in which historical version tracking is maintained for all source code on a line-by-line basis without requiring excessive storage area, in which source code can be accessed and modified by more than one software developer at a time, in which historical version tracking of broad functional changes is provided, and in which quick and transparent access is provided to each version of the source code as taught by Haikin [Haikin: col. 3, lines 20-31].

Claims 11, 14 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Margolus et al. (US 2002/0038296 A1).
Regarding claim 11, the rejection of claim 7 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the verifying comprises comparing 10a hash previously stored by the access controller in correspondence with the supplementary asset to a hash supplied to the access controller through the request.  
However Margolus et al. teaches the verifying comprises comparing 10a hash previously stored by the access controller in correspondence with the supplementary asset to a hash supplied to the access controller through the request [par. 0013, “The record in the repository with which the access authorization credential is associated may be an access identifier that is associated with the credential by computation of a one way hash function. The access identifier may be stored in the repository and may be compared with a later hash of an access authorization credential to verify access permission to a named object. The access authorization credential may include information sufficient to respond to a challenge. The access authorization credential may include data proof information created during a challenge process that is sufficient to prove to the repository that the challenge was passed. This data proof information may include the actual challenge response, so that it can be directly verified against the data-item”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Margolus et al. into the teaching of Morris and Graham et al. with the motivation to verify access permission to a named object as taught by Margolus et al. [Margolus et al.: par. 0013].
Regarding claim 14, the rejection of claim 7 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the verifying comprises performing 25a zero-knowledge protocol to prove access to the primary asset.  
However Margolus et al. teaches the verifying comprises performing 25a zero-knowledge protocol to prove access to the primary asset [par. 0013, “The record in the repository with which the access authorization credential is associated may be an access identifier that is associated with the credential by computation of a one way hash function. The access identifier may be stored in the repository and may be compared with a later hash of an access authorization credential to verify access permission to a named object. The access authorization credential may include information sufficient to respond to a challenge. The access authorization credential may include data proof information created during a challenge process that is sufficient to prove to the repository that the challenge was passed. This data proof information may include the actual challenge response, so that it can be directly verified against the data-item”, par. 0100, zero-knowledge protocol].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Margolus et al. into the teaching of Morris and Graham et al. with the motivation to verify access permission to a named object as taught by Margolus et al. [Margolus et al.: par. 0013].
Regarding claim 17, the rejection of claim 16 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the verification result indicates the requestor has access to the primary asset based on finding present a secret that is deemed available only to authorized users of 25the primary asset.    
However Margolus et al. teaches the verification result indicates the requestor has access to the primary asset based on finding present a secret that is deemed available only to authorized users of 25the primary asset [par. 0013, “The record in the repository with which the access authorization credential is associated may be an access identifier that is associated with the credential by computation of a one way hash function. The access identifier may be stored in the repository and may be compared with a later hash of an access authorization credential to verify access permission to a named object. The access authorization credential may include information sufficient to respond to a challenge. The access authorization credential may include data proof information created during a challenge process that is sufficient to prove to the repository that the challenge was passed. This data proof information may include the actual challenge response, so that it can be directly verified against the data-item”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Margolus et al. into the teaching of Morris and Graham et al. with the motivation to verify access permission to a named object as taught by Margolus et al. [Margolus et al.: par. 0013].
Regarding claim 18, the rejection of claim 17 is incorporated.
Margolus et al. further teaches the secret that is deemed available only to authorized users of the primary asset includes at least one of the following:  30a hash based on at least a portion of a repository commit history; at least a portion of a repository commit history; a hash based on at least a portion of a source code in the primary asset;  63 at least a portion of a source code in the primary asset; a hash based on at least a portion of a repository metadata; at least a portion of a repository metadata; a hash based on at least a portion of a document in the primary asset; or  5at least a portion of a document in the primary asset [par. 0013, “The record in the repository with which the access authorization credential is associated may be an access identifier that is associated with the credential by computation of a one way hash function. The access identifier may be stored in the repository and may be compared with a later hash of an access authorization credential to verify access permission to a named object. The access authorization credential may include information sufficient to respond to a challenge. The access authorization credential may include data proof information created during a challenge process that is sufficient to prove to the repository that the challenge was passed. This data proof information may include the actual challenge response, so that it can be directly verified against the data-item”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Margolus et al. into the teaching of Morris and Graham et al. with the motivation to verify access permission to a named object as taught by Margolus et al. [Margolus et al.: par. 0013].

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Morris (US 2007/0130183 A1) and Graham et al. (US 8,209,259 B2) as applied to claims 1, 7, 10, 13 and 15-16 above, and further in view of Carranza et al. (US 20190324727 A1).
Regarding claim 19, the rejection of claim 16 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the supplementary asset includes a machine learning model which was trained at least in part using at least a portion of the primary asset, and the method further 10comprises setting a model retraining schedule.  
However Carranza et al. teaches the supplementary asset includes a machine learning model which was trained at least in part using at least a portion of the primary asset, and the method further 10comprises setting a model retraining schedule [par. 0027, “The example model generator 118 trains a machine learning model using the data collected by the data collector 112. For example, the example model generator 118 trains a machine learning model (e.g., a PTV estimator model 210 of FIG. 2 as described in further detail below, etc.) based on the data contained within the training database 116… The model generator 118 can retrain the model in response to additional training data becoming available in the training database 116, in response to a threshold amount of time elapsing since generation of a prior model, etc”, par. 0029, “After some period of time (e.g., periodically, aperiodically, scheduled, after a threshold period of time, after an error rate of the current model is exceeded, etc.), the example model generator 118 transmits a query 138 to the training database 116 for model generation data 140”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Carranza et al. into the teaching of Morris and Graham et al. with the motivation to improve code review techniques by analyzing source code and providing review suggestions using a neural network tuned to process the function calls of code and generate review suggestions based on this analysis as taught by Carranza et al. [Carranza et al.: par. 0018].
Regarding claim 20, the rejection of claim 16 is incorporated.
Morris and Graham et al. disclose an access control processor configured to perform access control steps.
They do not explicitly disclose the supplementary asset includes a machine learning model which was trained at least in part using at least a portion of the primary asset, and the method further 15comprises setting a model deletion criterion whereby a model that is not deemed in active use will be automatically deleted.  
However Carranza et al. teaches the supplementary asset includes a machine learning model which was trained at least in part using at least a portion of the primary asset, and the method further 15comprises setting a model deletion criterion whereby a model that is not deemed in active use will be automatically deleted [par. 0027, “The example model generator 118 trains a machine learning model using the data collected by the data collector 112. For example, the example model generator 118 trains a machine learning model (e.g., a PTV estimator model 210 of FIG. 2 as described in further detail below, etc.) based on the data contained within the training database 116… The model generator 118 can retrain the model in response to additional training data becoming available in the training database 116, in response to a threshold amount of time elapsing since generation of a prior model, etc”, par. 0024, “The example model storage 110 is the location where the current model(s) utilized by the machine programming engine 108 are stored… when an updated model is received or otherwise retrieved from the model storage 110, the previous iteration of the model is deleted”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Carranza et al. into the teaching of Morris with the motivation to improve code review techniques by analyzing source code and providing review suggestions using a neural network tuned to process the function calls of code and generate review suggestions based on this analysis as taught by Carranza et al. [Carranza et al.: par. 0018].


(2) Response to Argument
All Groups, Claims 1-20, Business Relationships Are Not Asset Relationships
	At pages 8-9 of the Appeal Brief, Appellant argues that Graham does not teach a non-requestor-owned supplementary asset and a requestor-owned primary asset, because Graham teaches a business entities connection, not an assets relationship. Specifically, Graham does not teach a supplementary asset — primary asset relationship as claimed. Differently stated, one of skill in the art would have understood that Graham does not teach Applicant’s claimed distinction between a supplementary asset and primary asset.
	In response, the Examiner respectfully disagrees. Independent claims recite “receiving a request by a requestor for access to a supplementary asset which is associated to a user account of a user who is not the requestor” and “determining that the supplementary asset is related to a primary asset”. Claims do not recite the primary asset is requestor owned asset. Claims also do not explicitly recite what kind of  relationship between supplementary asset and primary asset. Morris discloses a system includes a relationship manager for managing relationships between system resources, a relationship database stores relationships created between resources based on behaviors.  In the illustrated example of Morris’s disclosure, Larry has a picture of Moe on his desktop. He can select Moe's picture and request to see all the resources related to the picture (pars-0052-0055). In other word, Morris teaches “receiving a request by a requestor for access to a supplementary asset” and “determining that the supplementary asset is related to a primary asset”. Morris does not explicitly disclose the supplementary asset is associated to a user account of a user who is not the requestor. However Graham et al. in the field related to information sharing teaches a software module for controlling user access to and manipulation of information shared by users through a common platform. Graham further disclose an illustrative example relates to the automotive industry from the perspective of a particular dealer such that The Marketing Library Manager 106c permits dealers to access a variety of digital multimedia assets that include pictures, logos, videos, audio or text from advertising agencies, OEMs, and other sources as provided through the platform. Graham et al. teaches the supplementary asset (digital multimedia assets ) is associated to a user account of a user who is not the requestor.
	At pages 9-11 of the Appeal Brief, Appellant creates a plurality of scenarios. However, these scenarios and arguments are not directed toward claimed limitations.

Groups II, Claim 4
	At pages 12 of the Appeal Brief, Appellant first argues that Zang does not mention a “primary asset” and a “supplementary asset”, which are the related assets. Appellant then argues although the rejection apparently asserts source code file 503 as the primary asset and metadata 502 as the supplementary asset, Zang does not mention any “relationship” between source code file 503 and metadata 502 other than the metadata being extracted from comments in the source code. Appellant also argues that Zang does not teach any relationship between source code file 503 and metadata 502 which conditions access to one of them on proof of access to the other. 
In response, the Examiner respectfully disagrees.  Claim 4 recites the primary asset includes source code, the supplementary asset includes a model computationally derived at least in part from the source code, and the model is configured for use by an autocompletion tool. Zang discloses a metadata packager may first parse each source code file (primary asset) to determine if it is fully or partially annotated with comments. If complete and correct comments are available, metadata packager invokes first metadata generator to parse the comments and extract the metadata (supplementary asset) for supporting editing features (e.g., autocompletion) of the code editor. Zang explicitly metadata is generated from the library source code (par. 0029). Therefore, Zang teaches/suggest the claimed limitation.
At page 12 of the Appeal Brief, Appellant then argues that Zang is not analogous art and therefore is not available for use in Section 103 rejections. The reference combination including Zang is not a proper combination.
In response, the Examiner respectfully disagrees. Morris, Graham and Zang are analogous art because they are in the same field of endeavor, computer resource accessible by a computer system.

Groups III, Claim 14
At pages 14 of the Appeal Brief, Appellant first argues that Margolus might apply if the requestor was seeking access to the primary asset and was being required to prove that the requestor had previously been authorized to access that same primary asset. But that is not the situation set forth in claim 7 and its dependent claims. Rather, the requestor is seeking access to the supplementary asset based on earlier access to the primary asset. Margolus is not on point.
In response, the Examiner respectfully disagrees. Claim 14 recites performing a zero-knowledge protocol to prove access to the primary asset. Appellant’s argument are not directed toward the claimed limitation. Margolus explicitly disclose using a zero-knowledge protocol to verify access permission to a named object (par. 0100). Therefore, Margolus teaches/suggests claimed limitation. 

Groups IV, Claim 15
At pages 15 of the Appeal Brief, Appellant argues that The rejection conflates an initial granting of access with a distinct and subsequent verification as to whether access has previously been granted. Initially granting access is not the same as later verifying that access was previously granted….
In response, the Examiner respectfully disagrees. Claim 15 recites that verifying comprises performing a challenge-response protocol to prove access to the primary asset. Appellant’s argument are not directed toward the claimed limitation. Morris explicitly disclose access to a first resource may be conditional on a user providing a user name and a password. If a user provides a user name and a password and is granted access to the first resource, the user may be automatically granted access to the second resource (par. 0048). Therefore, Morris teaches/suggests claimed limitation. 







For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

/JASON CHIANG/Primary Examiner, Art Unit 2431                                                                                                                                                                                                        

Conferees:
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431                                                                                                                                                                                                                        
  /MICHAEL R VAUGHAN/  Primary Examiner, Art Unit 2431                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.