DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office action is in response to communications filed on 5/23/2022.
Claims 1, 4-13, and 16-20 are pending.
Response to Arguments
Applicant’s arguments filed 5/23/2022 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 4-5, 8, 10-13, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cavage et al. (US 9985969 B1, hereinafter Cavage) in view of Wells (US 20110184771 A1, published 7/28/2011; hereinafter Wel).


Regarding claim 1, Cavage discloses a method for controlling an access to a resource, the method being implemented by at least one processor (col. 4, lines 7-33, a computer including a processor for performing recited access control routines), the method comprising: 
receiving, from a first user that has a business-related interest in the resource, a first input that relates to a business criterion for a provision of the access to the resource (col. 6, lines 3-7, "manage access to computing-related resources by one or more software applications executing on behalf of a user, such that the access may be managed based at least in part on multiple access policies specified by multiple distinct parties"; col. 6, lines 13-19, "For example, in some embodiments, one or more software application developers (e.g., such as one or more of the software application providers 150) may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users. For example, a software developer may design one or more software applications to provide functionality that uses one or more computing-related resources provided by one or more of the remote resource provider services 160, and may interact with the system 110 to specify access policies to control future access to computing-related resources from those resource provider services"; col. 7, lines 6-9, "a user may interact with the system 110 to specify access policies by, for example, interacting with an interactive Web site interface provided by the system 110 (e.g., via a Web browser 120)"); 
receiving, from a second user that has an application related interest in the resource, a second input that relates to an application-specific criterion for the provision of the access to the resource (col. 6, lines 3-7, "manage access to computing-related resources by one or more software applications executing on behalf of a user, such that the access may be managed based at least in part on multiple access policies specified by multiple distinct parties"; col. 6, lines 27-30, "prior to using the one or more software applications 130, one or more of the users 105 may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 7, lines 6-9, "a user may interact with the system 110 to specify access policies by, for example, interacting with an interactive Web site interface provided by the system 110 (e.g., via a Web browser 120)"); 
generating, based on the first input and the second input, at least one rule for the provision of the access of the resource (col. 6, line 57, to col. 7, line 2, "may interact with the system 110 to specify access policies to control future access to computing-related resources from those resource provider services"; col. 6, lines 27-30, "the users 105 may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 6, lines 31-32, "At least some such access policies may be stored by the system 110 for later use, with each software application having a unique identifier that is associated with those access policies for later retrieval when access requests are made"); 
receiving, from a third user, a resource access request that includes information that relates to an identification of the third user (col. 6, lines 46-48, "an access request from a particular software application operating on behalf of a particular user to use or otherwise access a particular computing-related resource"); 
determining, based on the at least one rule and the information included in the resource access request, whether to grant the access to the resource (col. 6, lines 46-55, "an access request [...] may be determined to satisfy multiple access policies specified by multiple parties (e.g., a software developer for that software application, and that user) for that particular computing-related resource [...]. If so, the access to the computing-related resource is then provided"), and 
at least one condition upon which the access grant is contingent (col. 6, lines 46-55, "an access request [...] may be determined to satisfy multiple access policies specified by multiple parties (e.g., a software developer for that software application, and that user) for that particular computing-related resource, such as if the multiple access policies indicate that the requested use is allowed by the particular application and the particular user. If so, the access to the computing-related resource is then provided" - see also col. 8, lines 20-24, "The Resource Access Authorization Service 116 may provide functionality that includes determining whether requested access to one or more computing-related resources is authorized based at least in part on satisfying multiple access policies specified by multiple distinct parties"); and 
transmitting, to the third user, a message that indicates a result of the determining (col. 12, lines 31-43, "the service 116 may provide an indication of success and/or failure to a requester, such as a software application making an access request, or a resource provider service that provides the resource(s) whose access is requested. In such cases, after the requester receives an indication of success or failure, it may then handle the request for access accordingly. Alternatively, in some embodiments, the service 116 may indicate success by fulfilling the request for access, such as by making a request to a resource provider service on behalf of a software application (e.g., by brokering the request) and/or by directly accessing the requested computing-related resource on behalf of the software application"),
wherein the business criterion includes at least one of an indication of an entity to which the access is to be granted and an indication of a condition upon which the access grant depends (col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users" - see also col. 9, lines 64-54, "user interactions may include providing various information related to a subscription request (e.g., user identification [...])" and col. 10, lines 4-10, "may also provide functionality to allow users to specify one or more access policies to control access to computing-related resources by the subscribed-to software application on behalf of the users"), and
Cavage does not explicitly teach wherein the first input includes at least one of a job title of an employee, access time information, and a permissible access location. 
However, Wel teaches wherein the first input includes at least one of a job title of an employee, access time information, and a permissible access location (Wel ¶ 0065 With reference to FIGS. 7a, 7b, 7c, 7d and 7e, a second embodiment or component is illustrated with the web based application software running on a centralized computer server executes a proprietary algorithm that accesses the data stored in the server in database tables illustrated in FIG. 2 allowing it to calculate and factor in additional project and/or resource time due to an employee's title and experience level that meets the minimum requirements to complete an assigned task though they may not be the optimal fit.).
Wel and Cavage are analogous art because they are both related to user access.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to use the access techniques of Wel with the system of Cavage to factor in additional project and/or resource time based on job title (Wel ¶ 0065).
Regarding claim 4, Cavage-Wel discloses the method of claim 1, wherein the application-specific criterion includes at least one of an indication of an entity to which the access is to be granted and an indication of a condition upon which the access grant depends (col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users" - see also col. 9, lines 64-54, "user interactions may include providing various information related to a subscription request (e.g., user identification [...])" and col. 10, lines 4-10, "may also provide functionality to allow users to specify one or more access policies to control access to computing-related resources by the subscribed-to software application on behalf of the users").
Regarding claim 5, Cavage-Wel discloses the method of claim 4, wherein the second input includes at least one of a name of a person, a job title of an employee, a name of a group, an organizational identification, access time information, a permissible access location, and an operational aspect of the access (col. 9, lines 64-54, "user interactions may include providing various information related to a subscription request (e.g., user identification, group affiliation, [...])").
Regarding claim 8, Cavage-Wel discloses the method of claim 1, wherein when the result of the determining indicates that the access is to be granted to the third user, the method further includes authenticating an identification of the third user and granting the access to the third user in response to a successful authentication (col. 10, lines 57-65, "functionality to authenticate subscribed users. For example, in some embodiments, the User Subscription and Authentication Service may verify that a user is subscribed to use a particular software application, such as based on a request from the software application").
Regarding claim 10, Cavage-Wel discloses the method of claim 1, further comprising: receiving, from at least one of the first user and the second user, a request that relates to a proposed access rule change (col. 25, lines 45-49, "perform one or more other indicated operations as appropriate. For example, a user may make a request to modify an existing subscription, such as to cancel the subscription or to change one or more access policies associated with the subscription"); and 
adjusting the at least one rule based on the received request (Fig. 5, 560, "perform other indicated operation as appropriate").
Regarding claim 11, Cavage discloses a computing apparatus for controlling an access to a resource, the computing apparatus comprising: a processor (col. 4, lines 7-33, a computer including a processor for performing recited access control routines); 
a memory (col. 4, lines 7-33, a computer including a memory); and 
a communication interface coupled to each of the processor and the memory (col. 4, lines 7-33, the memory storing instructions to be implemented by the processor, coupling of the memory and processor inherent), wherein the processor is configured to: 
receive, from a first user that has a business-related interest in the resource via the communication interface, a first input that relates to a business criterion for a provision of the access to the resource (col. 6, lines 3-7, "manage access to computing-related resources by one or more software applications executing on behalf of a user, such that the access may be managed based at least in part on multiple access policies specified by multiple distinct parties"; col. 6, lines 13-19, "For example, in some embodiments, one or more software application developers (e.g., such as one or more of the software application providers 150) may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users. For example, a software developer may design one or more software applications to provide functionality that uses one or more computing-related resources provided by one or more of the remote resource provider services 160, and may interact with the system 110 to specify access policies to control future access to computing-related resources from those resource provider services"; col. 7, lines 6-9, "a user may interact with the system 110 to specify access policies by, for example, interacting with an interactive Web site interface provided by the system 110 (e.g., via a Web browser 120)"); 
receive, from a second user that has an application-specific interest in the resource via the communication interface, a second input that relates to an application-specific criterion for the provision of the access to the resource (col. 6, lines 3-7, "manage access to computing-related resources by one or more software applications executing on behalf of a user, such that the access may be managed based at least in part on multiple access policies specified by multiple distinct parties"; col. 6, lines 27-30, "prior to using the one or more software applications 130, one or more of the users 105 may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 7, lines 6-9, "a user may interact with the system 110 to specify access policies by, for example, interacting with an interactive Web site interface provided by the system 110 (e.g., via a Web browser 120)"); 
generate, based on the first input and the second input, at least one rule for the provision of the access of the resource (col. 6, line 57, to col. 7, line 2, "may interact with the system 110 to specify access policies to control future access to computing-related resources from those resource provider services"; col. 6, lines 27-30, "the users 105 may each interact with the system 110 to specify one or more access policies to control access to one or more computing-related resources"; col. 6, lines 31-32, "At least some such access policies may be stored by the system 110 for later use, with each software application having a unique identifier that is associated with those access policies for later retrieval when access requests are made"); 
receive, from a third user via the communication interface, a resource access request that includes information that relates to an identification of the third user (col. 6, lines 46-48, "an access request from a particular software application operating on behalf of a particular user to use or otherwise access a particular computing-related resource"); 
determine, based on the at least one rule and the information included in the resource access request, whether to grant the access to the resource (col. 6, lines 46-55, "an access request [...] may be determined to satisfy multiple access policies specified by multiple parties (e.g., a software developer for that software application, and that user) for that particular computing-related resource [...]. If so, the access to the computing-related resource is then provided"), and 
at least one condition upon which the access grant is contingent (col. 6, lines 46-55, "an access request [...] may be determined to satisfy multiple access policies specified by multiple parties (e.g., a software developer for that software application, and that user) for that particular computing-related resource, such as if the multiple access policies indicate that the requested use is allowed by the particular application and the particular user. If so, the access to the computing-related resource is then provided" - see also col. 8, lines 20-24, "The Resource Access Authorization Service 116 may provide functionality that includes determining whether requested access to one or more computing-related resources is authorized based at least in part on satisfying multiple access policies specified by multiple distinct parties"); and 
transmit, to the third user via the communication interface, a message that indicates a result of the determination (col. 12, lines 31-43, "the service 116 may provide an indication of success and/or failure to a requester, such as a software application making an access request, or a resource provider service that provides the resource(s) whose access is requested. In such cases, after the requester receives an indication of success or failure, it may then handle the request for access accordingly. Alternatively, in some embodiments, the service 116 may indicate success by fulfilling the request for access, such as by making a request to a resource provider service on behalf of a software application (e.g., by brokering the request) and/or by directly accessing the requested computing-related resource on behalf of the software application"),
wherein the application-specific criterion includes at least one of an indication of an entity to which the access is to be granted and an indication of a condition upon which the access grant depends (col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users" - see also col. 9, lines 64-54, "user interactions may include providing various information related to a subscription request (e.g., user identification [...])" and col. 10, lines 4-10, "may also provide functionality to allow users to specify one or more access policies to control access to computing-related resources by the subscribed-to software application on behalf of the users"), and
Cavage does not explicitly teach wherein the second input includes at least one of a job title of an employee, access time information, and a permissible access location. 
However, Wel teaches wherein the second input includes at least one of a job title of an employee, access time information, and a permissible access location (Wel ¶ 0065 With reference to FIGS. 7a, 7b, 7c, 7d and 7e, a second embodiment or component is illustrated with the web based application software running on a centralized computer server executes a proprietary algorithm that accesses the data stored in the server in database tables illustrated in FIG. 2 allowing it to calculate and factor in additional project and/or resource time due to an employee's title and experience level that meets the minimum requirements to complete an assigned task though they may not be the optimal fit.).
Wel and Cavage are analogous art because they are both related to user access.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to use the access techniques of Wel with the system of Cavage to factor in additional project and/or resource time based on job title (Wel ¶ 0065).
Regarding claim 12, Cavage-Wel discloses the computing apparatus of claim 11, wherein the business criterion includes at least one of an indication of an entity to which the access is to be granted and an indication of a condition upon which the access grant depends (col. 6, line 57, to col. 7, line 2, "a software application provider may interact with the system 110 to specify one or more access policies to control later access to computing-related resources used by the software application on behalf of the one or more users" - see also col. 9, lines 64-54, "user interactions may include providing various information related to a subscription request (e.g., user identification [...])" and col. 10, lines 4-10, "may also provide functionality to allow users to specify one or more access policies to control access to computing-related resources by the subscribed-to software application on behalf of the users").
Regarding claim 13, Cavage-Wel discloses the computing apparatus of claim 12, wherein the first input includes at least one of a name of a person, a job title of an employee, a name of a group, an organizational identification, access time information, a permissible access location, and an operational aspect of the access (col. 9, lines 64 to col. 10, line 7, "user interactions may include providing various information related to a subscription request (e.g., user identification, group affiliation, [...] etc.) […] service 114 may also provide functionality to allow users to specify one or more access policies to control access to computing-related resources by the subscribed-to software application on behalf of the users").
Regarding claim 18, Cavage-Wel discloses the computing apparatus of claim 11, wherein when the result of the determination indicates that the access is to be granted to the third user, the processor is further configured to authenticate an identification of the third user and grant the access to the third user in response to a successful authentication (col. 10, lines 57-65, "functionality to authenticate subscribed users. For example, in some embodiments, the User Subscription and Authentication Service may verify that a user is subscribed to use a particular software application, such as based on a request from the software application").
Regarding claim 20, Cavage-Wel discloses the computing apparatus of claim 11, wherein the processor is further configured to: receive, from at least one of the first user and the second user via the communication interface, a request that relates to a proposed access rule change (col. 25, lines 45-49, "perform one or more other indicated operations as appropriate. For example, a user may make a request to modify an existing subscription, such as to cancel the subscription or to change one or more access policies associated with the subscription"); and 
adjust the at least one rule based on the received request (Fig. 5, 560, "perform other indicated operation as appropriate").



Claims 6-7 and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cavage-Wel, and further in view of Waters (US 20080307055 A1).
Regarding claim 6, Cavage-Wel discloses the method of claim 1.
Cavage-Wel does not disclose validating the result of the determining by performing an access management certification.
Waters discloses validating the result of the determining by performing an access management certification (¶[0062], "A user 104 may be authorized for one or more of the data sources that are available to the agency of which the user is a member, again, depending on policies, and certifications. A certification is granted to an end user who is qualified for access to various functions within the system").
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Cavage-Wel in view of Waters for validating the result of the determining by performing an access management certification.
One of ordinary skill in the art would have been motivated because it would allow secure, intuitive access for authorized personnel to data (see Waters, ¶[0011]).
Regarding claim 7, the combined system of Cavage-Wel and Waters discloses the invention substantially as applied to claim 6, above, wherein the access management certification includes at least one of a policy certification, a role certification, an exception certification, a segregation of duty certification, and an access termination certification (Waters, ¶[0062], "A user 104 may be authorized for one or more of the data sources that are available to the agency of which the user is a member, again, depending on policies, and certifications. A certification is granted to an end user who is qualified for access to various functions within the system").
Regarding claim 16, Cavage-Wel discloses the computing apparatus of claim 11.
Cavage-Wel does not disclose that the processor is further configured to validate the result of the determining by performing an access management certification.
Waters discloses validating the result of the determining by performing an access management certification (¶[0062], "A user 104 may be authorized for one or more of the data sources that are available to the agency of which the user is a member, again, depending on policies, and certifications. A certification is granted to an end user who is qualified for access to various functions within the system").
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Cavage-Wel in view of Waters so that the processor is further configured to validate the result of the determining by performing an access management certification.
One of ordinary skill in the art would have been motivated because it would allow secure, intuitive access for authorized personnel to data (see Waters, ¶[0011]).
Regarding claim 17, the combined system of Cavage-Wel and Waters discloses the invention substantially as applied to claim 16, above, wherein the access management certification includes at least one of a policy certification, a role certification, an exception certification, a segregation of duty certification, and an access termination certification (Waters, ¶[0062], "A user 104 may be authorized for one or more of the data sources that are available to the agency of which the user is a member, again, depending on policies, and certifications. A certification is granted to an end user who is qualified for access to various functions within the system").

Claims 9 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cavage-Wel, and further in view of Zhuge et al. (US 7783666 B1, hereinafter Zhuge).
Regarding claim 9, Cavage discloses the method of claim 1.
Cavage-Wel does not disclose storing, in a memory, information that relates to a record of the access grant; and adjusting the at least one rule based on the stored information.
Zhuge discloses storing, in a memory, information that relates to a record of the access grant (col. 19, lines 66-67, "The access quota accounting includes a number that gets incremented each time that a quota-sensitive data access request occurs" and col. 20, lines 7-11, "access quota policy database 42 may be used to store information for the global quota (e.g., current access pattern, a number representative of the total number of data access requests by the user)"); and 
adjusting the at least one rule based on the stored information (col. 20, lines 43-48, "If the guest group of users meets or exceeds the access quota of 200, by accessing the node 2 or 52, 200 or more times in the working day, then a system rule, such as access denial, can be executed to prevent the guest group of users from accessing storage resources on node 2 or 52" - or col. 19, lines 57-61, "a user A has an access quota that limits the user from performing a directory listing more than 3 times per second. The access quota also specifies that future data access requests will be throttled in response to violation of the access quota").
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Cavage-Wel in view of Zhuge for storing, in a memory, information that relates to a record of the access grant; and adjusting the at least one rule based on the stored information.
One of ordinary skill in the art would have been motivated because it would prevent users from over-utilizing system resources (Zhuge, col. 3, lines 39-41).
Regarding claim 19, Cavage-Wel discloses the computing apparatus of claim 11.
Cavage-Wel does not disclose that the processor is further configured to: store, in the memory, information that relates to a record of the access grant; and adjust the at least one rule based on the stored information.
Zhuge discloses storing, in a memory, information that relates to a record of the access grant (col. 19, lines 66-67, "The access quota accounting includes a number that gets incremented each time that a quota-sensitive data access request occurs" and col. 20, lines 7-11, "access quota policy database 42 may be used to store information for the global quota (e.g., current access pattern, a number representative of the total number of data access requests by the user)"); and 
adjusting the at least one rule based on the stored information (col. 20, lines 43-48, "If the guest group of users meets or exceeds the access quota of 200, by accessing the node 2 or 52, 200 or more times in the working day, then a system rule, such as access denial, can be executed to prevent the guest group of users from accessing storage resources on node 2 or 52" - or col. 19, lines 57-61, "a user A has an access quota that limits the user from performing a directory listing more than 3 times per second. The access quota also specifies that future data access requests will be throttled in response to violation of the access quota").
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Cavage-Wel in view of Zhuge so that the processor is further configured to: store, in the memory, information that relates to a record of the access grant; and adjust the at least one rule based on the stored information.
One of ordinary skill in the art would have been motivated because it would prevent users from over-utilizing system resources (Zhuge, col. 3, lines 39-41).
Conclusion
Any inquiry concerning communications from the examiner should be directed to Michael Keller at (571)270-3863 or michael.keller@uspto.gov.  If attempts to reach the examiner are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached on 571-272-7952.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL A KELLER/
Primary Patent Examiner, Art Unit 2446