DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/3/2022 has been entered.
As per the instant Amendment, claims 1 and 12 have been amended; claims 21 and 22 have been newly added; claim 1 is an independent claim. Claims 1-8 and 11-22 have been examined and are pending. This Action is made Non-Final.
The examiner notes the IDS filed on 6/3/2022 has been considered.

Response to Arguments
Applicant’s arguments in the Amendment, filed on 6/3/2022 with respect to the 35 U.S.C. 103 rejection, have been fully considered but they are not persuasive.
Applicant Argues: “Applicant respectfully submits that the cited references do not teach all the claimed elements recited in amended independent claim 1. For example, with respect to amended independent claim 1, the cited references do not teach or suggest the claimed system comprising "one or more processors configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising... determining if qualifications indicated by the first user object satisfy the first qualification specified by the first qualification object, the first qualification object being a control object linked to the first charter object, wherein the first qualification is a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter...." 
In rejecting claim 1, the Office Action acknowledges Bartlett and Xie do not teach or disclose "transmitting data to the first user indicating how to obtain the qualification" and instead cites to a third reference, Burns, for this feature. However, Burns merely discloses a system where a fee / subscription is needed to obtain a search, and teaches providing a link to learn how to obtain the document as illustrated in Figure 3 (Burns)
...
Nowhere does Burns (or Bartlett or Xie) teach or disclose "determining if qualifications indicated by the first user object satisfy the first qualification specified by the first qualification object, the first qualification object being a control object linked to the first charter object, wherein the first qualification is a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter; in response to determining that the qualifications indicated by the first user object do not satisfy the first qualification specified by the first qualification object, deny providing the first user access to the first computer resource, and transmit data to the first user indicating how to obtain the first qualification.”
Examiner’s Response: The examiner respectfully disagrees.  The examiner respectfully notes it is the combination of Bartlett in view of Xie and Burns that teach the aforementioned features.   With respect to the newly proposed amendment Bartlett teaches wherein the first qualification is a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter.  More specifically Bartlett states in [0040] - Each security access profile may include information regarding the associated user, such as login information (e.g., username and password) and group membership information (as described in further detail below) and further in [0046] - For example, an administrator may create a user by generating login information (e.g., a username and password) for the user and further in  [0060] -  For example, a user of user system 102 may login to DMS server 106/DMS database 108 by providing login credentials, and document management application 154 may validate the provided login credentials by determining if the provided login credentials correspond to the login credentials of an authorized user stored in DMS database 108 (e.g., in a security access profile 148 stored in DMS database 108). In response to validating the login credentials provided by the user, document management application 154 may access the security access profile 148 of the user and compare the accessed security access profile 148 of the user with security labels 144 corresponding to documents 142 stored in DMS database 108 to determine those objects 142 for which the user is authorized to view a link).  
Thus, as constructed, the login credential represents a qualification that is achieved as it is generated by an administrator (i.e., an approval by a data owner that the first user needs to obtain, see newly presented Claim 22) before gaining access to a computer resource associated with the first charter, as the administrator is able to manage users and create one or more groups to which the administrator may be able to assign the created user, see [0044]-[0046]. Thus, as constructed, the user needs to obtain from the administrator a user login that is able to be assigned to a specific group in order to be authorized to view such objects, thus reading on the concept of a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter. The examiner further notes Burns teaches concepts of deny[ing] providing the first user access to the first computer resource (FIG. 4-5 and FIG. 7 and [0132]-[0133] - Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178) and [0152]-[0155] - denied). The examiner sought to combine Burns to teach deny providing the first user access to the first computer resource, and transmit data to the first user indicating how to obtain the first qualification... (Burns, FIG. 3 – How to obtain [a] document and [0025] - Link 318, for example, can be an identifier presented to a requester that when accessed provides options and alternative methods for accessing the protected content within the search result that the affiliated institution is not authorized to access.). The examiner respectfully notes Burns teaches in general a concept of denying access and transmitting to the user data indicating how to obtain a qualification (i.e., how to obtain a document).
Thus, such concepts can be applied to the first qualification and denying of Bartlett. Therefore, the examiner finds this argument not persuasive.  
Regarding Claims 12, 21, and 22, the examiner notes newly found references have been found to teach such aforementioned features, except for Claim 22. Therefore those arguments are moot. With respect to Claim 22, Bartlett teaches wherein the first qualification is an approval by a data owner that the first user needs to obtain before gaining access to the computer resource associated with the first charter, see [0044] - Document management application 154 of DMS server 106 may be operable to provide an administrator (e.g., a user of administrative system 104) with the ability to manage users of system 100 and DMS database 108 (as illustrated in FIG. 2) and [0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group) and [0046] - For example, an administrator may create a user by generating login information (e.g., a username and password) for the user. Furthermore, the administrator may be able to assign the created user to one or more groups.). As noted above, as constructed, the login credential represents a qualification that is achieved as it is generated by an administrator (i.e., an approval by a data owner that the first user needs to obtain) before gaining access to a computer resource associated with the first charter, as the administrator is able to manage users and create one or more groups to which the administrator may be able to assign the created user, see [0044]-[0046].
Thus, as constructed, the user needs to obtain from the administrator a user login that is able to be assigned to a specific group in order to be authorized to view such objects, thus reading on the concept of a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter. Therefore the examiner finds this argument not persuasive.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 7-8, 11, 17, 20, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Bartlett et al. (US 2009/0319529 A1) in view of Xie et al. (US 2018/0077542 A1) and Burns et al. (US 2007/0233685 A1).

Regarding Claim 1;
Bartlett discloses a computer system comprising: 
one or more computer readable storage devices configured to store (FIG. 1): 
a plurality of charter objects each associated with respective charters, the plurality of charter objects including at least a first charter object associated with a first charter having a first group of one or more markings, each charter object linked to at least one control object associated with a control for a user operating in a session under the charter, each of the at least one control object associated with a user based on least one marking of the first group of one or more markings (FIG. 1 and FIG. 4 – IRM Wrapper and Security Label ACL and FIG. 5 and [0007] and [0132] - IRM-protected object 142 of DMS database 108 may also have a corresponding IRM wrapper 146 (i.e., charter) stored in DMS database 108. In embodiments in which multiple IRM servers 110 are present, IRM profile 178 may include a specification of a particular IRM server 110 responsible for determining whether a decryption key 152 associated with the corresponding IRM-protected object 142 should be communicated to a user requesting access to the IRM-protected object 142. Additionally, IRM profile 178 may include one or more IRM profile components. The one or more IRM profile components may be compared with the security access profile of a user requesting to access the IRM-protected object 142 by IRM application 158 in order to determine whether the requesting user is authorized to access the IRM-protected object 142, as described above. 
Although IRM wrapper 146 is depicted and primarily described as including particular components (i.e., IRM profile 178 and IRM permission sets 180), the present invention contemplates security label 144 including any other suitable components, according to particular needs and [0133] - In certain embodiments, all or part of IRM profile 178 (i.e., charter object)  and/or IRM permission sets 180 (i.e., charter object) of IRM wrapper 146 corresponding to the IRM-protected object 142 may be stored as part of an IRM wrapper ACL 182 (i.e., control object) corresponding to the IRM-protected object 142. Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178). Additionally, having determined that a user is authorized to access the IRM-protected object 142, IRM application 158 may access security label ACL in order to apply the appropriate permission sets (in addition to or in lieu of permission sets 180)); 
a plurality of resource objects representing computer resources including a first resource object representing a first computer resource, the first resource object linked to at least the first charter object (FIG. 4-5 – Document Encrypted Data and [0007] and [0133]);
 a first qualification object specifying a first qualification (FIG. 4-5 - Security Label ACL w/ (Security Label) and [1030] - Security label 144 may include a clearance component, a secondary security component, and a handling component, as described above. One or more of the components of the security label 144 corresponding to the IRM-protected object 142 may be compared with the security access profile of a user by document management application 154 to determine whether a user is authorized to view a link associated with IRM-protected object 144, as described above and [0133])
a first user object representing a first user, the first user object including one or more markings associated with the first user (FIG. 1 – User Profile and [0133]); and 
a plurality of computer readable instructions (FIG. 1); and 
one or more processors configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising (FIG. 1):
 receiving an authentication credential provided by the first user (FIG. 8 – Login with Credentials);
authenticating the first user for a session based at least in part on the authentication credential (FIG. 8 – Validate Credentials);
... one or more charters based on the one or more markings of the first user object, the one or more charters including the first charter (FIG. 1 and FIG. 4-5 [0007] - In certain embodiments, the generation of a security label corresponding to an object (e.g., a document) stored in a DMS database of an entity may allow the entity to manage access to the object according to distinct security levels such that only users having particular security credentials may request access to the object from DMS database (e.g., by selecting a link associated with the object) and [0040] - DMS database 108 may additionally store plurality security access profiles 148, each security access profile 148 associated with a user of system 100 (e.g., a user of user system 102). Each security access profile may include information regarding the associated user, such as login information (e.g., username and password) and group membership information (as described in further detail below and [0045] and [0049] and [0078] and [0085] and [0132]-[0133]).
...
determining controls associated with at least one control object linked to the first charter object (FIG. 4-5 – IRM Wrapper and [0007] and [0132]-[0133] – IRM Wrapper ACL)
determining if qualifications indicated by the first user object satisfy the first qualification specified by the first qualification object, the first qualification object being a control object linked to the first charter object (FIG. 4-5 and [0133] - In certain embodiments, all or part of IRM profile 178 (i.e., charter object) and/or IRM permission sets 180 (i.e., charter object) of IRM wrapper 146 corresponding to the IRM-protected object 142 may be stored as part of an IRM wrapper ACL 182 (i.e., control object) corresponding to the IRM-protected object 142. Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178). Additionally, having determined that a user is authorized to access the IRM-protected object 142, IRM application 158 may access security label ACL in order to apply the appropriate permission sets (in addition to or in lieu of permission sets 180)) wherein the first qualification is a credential the first user needs to achieve before gaining access to a computer resource associated with the first charter ([0040] - Each security access profile may include information regarding the associated user, such as login information (e.g., username and password) and group membership information (as described in further detail below) and [0046] - For example, an administrator may create a user by generating login information (e.g., a username and password) for the user and [0060] - For example, a user of user system 102 may login to DMS server 106/DMS database 108 by providing login credentials, and document management application 154 may validate the provided login credentials by determining if the provided login credentials correspond to the login credentials of an authorized user stored in DMS database 108 (e.g., in a security access profile 148 stored in DMS database 108). In response to validating the login credentials provided by the user, document management application 154 may access the security access profile 148 of the user and compare the accessed security access profile 148 of the user with security labels 144 corresponding to documents 142 stored in DMS database 108 to determine those objects 142 for which the user is authorized to view a link); Application No.: 16/563,133 Filing Date: September 6, 2019
in response to determining that the qualifications indicated by the first user object do not satisfy the first qualification specified by the first qualification object (FIG. 4-5 and FIG. 7 and [0132]-[0133] - Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178));
deny providing the first user access to the first computer resource (FIG. 4-5 and FIG. 7 and [0132]-[0133] - Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178) and [0152]-[0155] - denied);
in response to determining that the qualifications indicated by the first user object satisfy the first qualification specified by the first qualification object, providing the first user access to the first computer resource to operate in accordance with a set of controls associated with the first charter (FIG. 4-5 and FIG. 7 and [0132]-[0133] - Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178) [0152]-[0155]);
Bartlett fails to explicitly disclose: 
providing to the first user a selection of one or more charters...; 
receiving, from the first user, an indication of a selection of the first charter;
...
deny providing the first user access to the first computer resource, and transmit data to the first user indicating how to obtain the first qualification....
However, in an analogous art, Xie teaches
providing to the first user a selection of one or more charters... (FIG. 4-5 and FIG. 9A and [0014] - The method may also comprise the step of, upon modifying the record associated with the first user to indicate the first user's membership in the group associated with the physical location, granting, to the first user, access to one or more resources associated with the subgroup and selected from the group consisting of a group shared file storage space, a group calendar, a group to-do list, a group task assignment, a group task progress tracker, and a group synchronized voice meeting system) 
receiving, from the first user, an indication of a selection of the first charter (FIG. 4-5 and FIG. 9A and [0014] - The method may also comprise the step of, upon modifying the record associated with the first user to indicate the first user's membership in the group associated with the physical location, granting, to the first user, access to one or more resources associated with the subgroup and selected from the group consisting of a group shared file storage space, a group calendar, a group to-do list, a group task assignment, a group task progress tracker, and a group synchronized voice meeting system)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xie with the charters of Bartlett to include providing to the first user a selection of one or more charters... receiving, from the first user, an indication of a selection of the first charter.
One would have been motivated to combine the teachings of Xie with Bartlett because doing so facilitates group interaction... based on division of the enterprise (Xie, [0016]).
Further, in an analogous art, Burns teaches
deny providing the first user access to the first computer resource, and transmit data to the first user indicating how to obtain [a] qualification... (Burns, FIG. 3 and [0025] - Link 318, for example, can be an identifier presented to a requester that when accessed provides options and alternative methods for accessing the protected content within the search result that the affiliated institution is not authorized to access.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Burns with the first qualification and denying of providing.... access to the computer resource of Bartlett and Xie to include deny providing the first user access to the first computer resource, and transmit data to the first user indicating how to obtain [a] qualification.
One would have been motivated to combine the teachings of Burns with Bartlett and Xie because doing so allows informing on how to obtain access rights (Burns, Claim 19).

Regarding Claim 2;
Bartlett and Xie and Burns teach the method to Claim 1.
	Bartlett further discloses wherein the plurality of computer readable instructions the one or more processors are configured to execute include providing ... a plurality of charters based at least in part on the first group of one or more markings of the first charter and the one or more markings associated with the first user (FIG. 1 and FIG. 4-5 and [0040] – group member information and [0045] and [0049] and [0078] and [0085] – groups of users may... be stored... in the IRM Wrapper).
Xie teaches providing to the first user a selection of a plurality of charters (FIG. 5 and [0014])
Similar rationale and motivation is noted for the combination of Xie to Bartlett and Xie and Burns, as per Claim 1, above.

Regarding Claim 3;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein at least a portion of the first group of markings control access to resources under the first charter based on parameters of the first user's session on at the time the first user is trying to access the first computer resource (FIG. 8 – user’s session and [0132] - IRM-protected object 142 of DMS database 108 may also have a corresponding IRM wrapper 146 (i.e., charter) stored in DMS database 108. In embodiments in which multiple IRM servers 110 are present, IRM profile 178 may include a specification of a particular IRM server 110 responsible for determining whether a decryption key 152 associated with the corresponding IRM-protected object 142 should be communicated to a user requesting access to the IRM-protected object 142. Additionally, IRM profile 178 may include one or more IRM profile components. The one or more IRM profile components may be compared with the security access profile of a user requesting to access the IRM-protected object 142 by IRM application 158 in order to determine whether the requesting user is authorized to access the IRM-protected object 142, as described above. Although IRM wrapper 146 is depicted and primarily described as including particular components (i.e., IRM profile 178 and IRM permission sets 180), the present invention contemplates security label 144 including any other suitable components, according to particular needs and [0133] - In certain embodiments, all or part of IRM profile 178 (i.e., charter object)  and/or IRM permission sets 180 (i.e., charter object) of IRM wrapper 146 corresponding to the IRM-protected object 142 may be stored as part of an IRM wrapper ACL 182 (i.e., control object) corresponding to the IRM-protected object 142. Furthermore, in determining whether a user is authorized to access the IRM-protected object 142, IRM application 158 may compare IRM wrapper ACL 182 with the security access profile of a requesting user (in addition to or in lieu of IRM profile 178). 
Additionally, having determined that a user is authorized to access the IRM-protected object 142, IRM application 158 may access security label ACL in order to apply the appropriate permission sets (in addition to or in lieu of permission sets 180)).

Regarding Claim 7;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein the first computer resource is at least one of: a file, a folder, a dataset, a database, a memory, a processor, a drive, a storage device, a computer, a laptop, or a phone (FIG. 4-5 – Document).

Regarding Claim 8;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein the authentication credential includes a username and password (FIG. 8 and [0159] - In certain embodiments, the login credentials include a username and password; however, the present invention contemplates the use of any suitable login credentials).

Regarding Claim 11;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein the one or more processors are further configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising: receiving, from the first user, qualification information relating to the first qualification ([0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group). The clearance groups may be arranged in a vertical hierarchy such that, for example, a member of the TOP-SECRET clearance group would also, by default, be a member of all lesser groups (i.e., SECRET and CONFIDENTIAL clearance groups in this example). As another particular example, an administrator may create one or more secondary security groups (e.g., each clearance group described in the example above may have a DALLAS OFFICE group, a Washington D.C. office group, and a NEW YORK OFFICE group) and [0049] - The security label 144 corresponding to an object 142 may be generated independent of input received from the user (e.g., the security label 144 may be created by document management application 154) or in response to input received from the user (i.e., the user may create the security label 144 by specifying the one or more components of the security label, as described below)); determining, based at least in part on the qualification information, that the qualifications of the first user satisfy the first qualification specified by the first qualifications object that is associated with the first charter object (FIG. 7 and [0045] and [0049] and [0132]-[0133] and [0148]-[0150] - At step 710, IRM application 158 may determine whether the requesting user is authorized to access the requested object 142 based on a comparison of the IRM profile of the IRM wrapper 146 corresponding to the requested object 142 with the security access profile 148 of the requesting user); and providing the first user access to the first computer resource based at least in part on the determination that the qualifications of the first user satisfy the first qualification (FIG. 7 and [0152]-[0153]).

Regarding Claim 17;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein the one or more computer readable storage devices are further configured to store a second resource object associated with a second computer resource associated with the first charter (FIG. 4-5 and [0038] - DMS database 108 may store a plurality of objects 142. An object 142 may include a spreadsheet, a text document, an e-mail, a web page, program source code, an image file, or any other suitable type of electronic object. In certain embodiments, one or more objects 142 stored in DMS database 108 are encrypted. As reasonably constructed the second resource object could have the same charter arrangement as a first resource object), the second resource object linked to the first charter object, and wherein a control associated with a first control object linked to the first charter object controls the operations of the first user when accessing the first and second resource objects during the session (FIG. 4-5 and [0038] - DMS database 108 may store a plurality of objects 142. An object 142 may include a spreadsheet, a text document, an e-mail, a web page, program source code, an image file, or any other suitable type of electronic object. In certain embodiments, one or more objects 142 stored in DMS database 108 are encrypted. As reasonably constructed the second resource object could have the same first charter objects and control/first control objects arrangement as a first resource object).

Regarding Claim 20;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses at least one of the first group of one or more markings indicate a purpose of the charter ([0045] – national defense context... Top-Secret, Secret, Confidential... As reasonably constructed purposes).

Regarding Claim 22;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses wherein the first qualification is an approval by a data owner that the first user needs to obtain before gaining access to the computer resource associated with the first charter ([0044] - Document management application 154 of DMS server 106 may be operable to provide an administrator (e.g., a user of administrative system 104) with the ability to manage users of system 100 and DMS database 108 (as illustrated in FIG. 2) and [0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group) and [0046] - For example, an administrator may create a user by generating login information (e.g., a username and password) for the user. Furthermore, the administrator may be able to assign the created user to one or more groups.).

Claims 4-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartlett et al. (US 2009/0319529 A1) in view of Xie et al. (US 2018/0077542 A1) and Burns et al. (US 2007/0233685 A1) and further in view of Mankovskii (US 2016/0112397 A1).

Regarding Claim 4;
Bartlett and Xie and Burns teach the method to Claim 3.
Bartlett and Xie and Burns fail to explicitly disclose wherein at least a portion of the first group of markings control access to resources under the first charter based on a geographic location of the session of the first user.
However, in an analogous art, Mankovskii teaches wherein at least a portion of the first group of markings control access to resources under the first charter based on a geographic location of the session of the first user (Mankovskii, [0004] - In some embodiments, an access control system may acquire a request for access to a protected resource within a computing environment, identify a username associated with the request, authenticate the username, acquire contextual information associated with the request for access (e.g., the contextual information may comprise an identification of the device making the request, an identification of the operating system used by the device making the request, a location of the device making the request, a time of day associated with the location of the device making the request, or whether a particular cookie is stored on the device making the request)... and [0020]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mankovskii to the markings of Bartlett and Xie and Burns to include wherein at least a portion of the first group of markings control access to resources under the first charter based on a geographic location of the session of the first user.
One would have been motivated to combine the teachings of Mankovskii to Bartlett and Xie and Burns to do so as it provides / allows access to resources and detecting anomalies related to access control events (Mankovskii, [0003]). 

Regarding Claim 5;
Bartlett and Xie and Burns teach the method to Claim 3.
Bartlett and Xie and Burns fail to explicitly disclose wherein at least a portion of the first group of markings control access to resources under the first charter based on the time of the session of the first user.
However, in an analogous art, Mankovskii teaches wherein at least a portion of the first group of markings control access to resources under the first charter based on the time of the session of the first user (Mankovskii, [0004] - In some embodiments, an access control system may acquire a request for access to a protected resource within a computing environment, identify a username associated with the request, authenticate the username, acquire contextual information associated with the request for access (e.g., the contextual information may comprise an identification of the device making the request, an identification of the operating system used by the device making the request, a location of the device making the request, a time of day associated with the location of the device making the request, or whether a particular cookie is stored on the device making the request)... and [0020]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mankovskii to the markings of Bartlett and Xie and Burns to include wherein at least a portion of the first group of markings control access to resources under the first charter based on the time of the session of the first user.
One would have been motivated to combine the teachings of Mankovskii to Bartlett and Xie and Burns to do so as it provides / allows access to resources and detecting anomalies related to access control events (Mankovskii, [0003]). 

Regarding Claim 6;
Bartlett and Xie and Burns teach the method to Claim 3.
Bartlett and Xie and Burns fail to explicitly disclose wherein at least a portion of the first group of markings control access to resources under the first charter based on identification of a computer being used by the first user for the session.
However, in an analogous art, Mankovskii teaches wherein at least a portion of the first group of markings control access to resources under the first charter based on identification of a computer being used by the first user for the session (Mankovskii, [0004] - In some embodiments, an access control system may acquire a request for access to a protected resource within a computing environment, identify a username associated with the request, authenticate the username, acquire contextual information associated with the request for access (e.g., the contextual information may comprise an identification of the device making the request, an identification of the operating system used by the device making the request, a location of the device making the request, a time of day associated with the location of the device making the request, or whether a particular cookie is stored on the device making the request)... and [0020]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mankovskii to the markings of Bartlett and Xie and Burns to include wherein at least a portion of the first group of markings control access to resources under the first charter based on identification of a computer being used by the first user for the session.
One would have been motivated to combine the teachings of Mankovskii to Bartlett and Xie and Burns to do so as it provides / allows access to resources and detecting anomalies related to access control events (Mankovskii, [0003]). 

Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartlett et al. (US 2009/0319529 A1) in view of Xie et al. (US 2018/0077542 A1) and Burns et al. (US 2007/0233685 A1) further in view of Loevenguth et al. (US 2011/0251906 A1).

Regarding Claim 12;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses ...the qualification... the first user must “achieve” before gaining access to the computer resource associated with the first charter (Bartlett, [0044]-[0046]).
Bartlett and Xie and Burns fail to explicitly disclose ...wherein the qualification is training the first user must complete before gaining access to the computer resource....
However, in an analogous art, Loevenguth teaches ...wherein the qualification is training the first user must complete before gaining access to the computer resource (Loevenguth, [0027] -  The mobile POS application can also be adapted to train agents, providing the agent with up-to-date information via the mobile device without the need for in-person training. According to some embodiments, the mobile POS application can include the functionality to conduct real-time and/or phone-based training on how to complete transactions, how to identify and stop fraud, how to complete KYC requirements, and more. For a mobile device having telephone functionality, the mobile POS device can be adapted to utilize these features to conduct a call for phone-based training. The mobile POS application can further utilize other features of a mobile device for real-time training, such as SMS, instant messaging, VoIP, or other types of real-time communication. The mobile POS application can be further adapted to download training materials comprising video, audio, text, or any combination thereof. Some training may be required prior to allowing the user to transfer money.)  As constructed training required before allowing the user to transfer money represents a qualification is training the first user must complete before gaining access to the computer resource (i.e., transferring money). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Loevenguth to the qualification of Bartlett and Xie and Burns to include ...wherein the qualification is training the first user must complete before gaining access to the computer resource.
One would have been motivated to combine the teachings of Loevenguth to Bartlett and Xie and Burns to do so as it provides / allows training... without the need for in-person training (Loevenguth, [0027]).

Claims 13-16 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartlett et al. (US 2009/0319529 A1) in view of Xie et al. (US 2018/0077542 A1) and Burns et al. (US 2007/0233685 A1) further in view of Hughes (US 2007/0220479 A1).

Regarding Claim 13;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett discloses “concepts of” to store a first authorization object that represent an agreement ([0044]-[0046] - As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group). The clearance groups may be arranged in a vertical hierarchy such that, for example, a member of the TOP-SECRET clearance group would also, by default, be a member of all lesser groups (i.e., SECRET and CONFIDENTIAL clearance groups in this example... login information).
Bartlett and Xie and Burns fail to explicitly disclose wherein the one or more computer readable storage devices are further configured to store a first authorization object specifying a first agreement. 
However, in an analogous art, Hughes teaches wherein the one or more computer readable storage devices are further configured to store a first authorization object specifying a first agreement. (Hughes, [0162]-[0163] - Referring to FIG. 9, in some embodiments, some registrations will require the user to sign particular agreements such as a non-disclosure agreement... The signed or assented-to agreement is stored (STEP 914) in a database associated with the project and the user, along with the agreement details (i.e., when the agreement was assented to, log or trail information, and so on). When appropriate agreements are in place, the user may then have access to all project details for which the agreement is associated). As constructed signing an agreement and storing (i.e., have in place) represents an authorization object specifying a first agreement.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hughes to the qualification of Bartlett and Xie and Burns to include wherein the one or more computer readable storage devices are further configured to store a first authorization object specifying a first agreement.
One would have been motivated to combine the teachings of Hughes to Bartlett and Xie and Burns to do so as it provides / allows “ensuring” that the requirement(s) are met (Hughes, [0162]-[0163]).

Regarding Claim 14;
Bartlett and Xie and Burns and Hughes teach the method to Claim 13.
Bartlett further discloses wherein the one or more processors are further configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising determining if the authorizations of the first user satisfy ... the first authorization object that is linked to the first charter object ([0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group). The clearance groups may be arranged in a vertical hierarchy such that, for example, a member of the TOP-SECRET clearance group would also, by default, be a member of all lesser groups (i.e., SECRET and CONFIDENTIAL clearance groups in this example). As another particular example, an administrator may create one or more secondary security groups (e.g., each clearance group described in the example above may have a DALLAS OFFICE group, a Washington D.C. office group, and a NEW YORK OFFICE group) and [0049] - The security label 144 corresponding to an object 142 may be generated independent of input received from the user (e.g., the security label 144 may be created by document management application 154) or in response to input received from the user (i.e., the user may create the security label 144 by specifying the one or more components of the security label, as described below)), and in response to determining that the authorizations of the first user do not ... deny providing the first user access to the first computer resource (FIG. 7 and [0045] and [0049] and [0132]-[0133] and [0148]-[0150] - At step 710, IRM application 158 may determine whether the requesting user is authorized to access the requested object 142 based on a comparison of the IRM profile of the IRM wrapper 146 corresponding to the requested object 142 with the security access profile 148 of the requesting user and [0152]-[0155] – denied access).
Burns teaches concepts of deny providing the first user access to the first computer resource, transmit data to the first user indicating how to obtain the first “access” (Burns, FIG. 3 and [0025] - Link 318, for example, can be an identifier presented to a requester that when accessed provides options and alternative methods for accessing the protected content within the search result that the affiliated institution is not authorized to access.).
Similar rationale and motivation is noted for the combination of Burns to Bartlett and Xie and Burns and Hughes, as per Claim 1, above.
Hughes further teaches concepts determining if ...authorizations of the first user satisfy the first agreement... in response to determining that the authorizations of the first user do not include the first agreement, deny providing the first user access to the first computer resource... (Hughes, [0162]-[0163] - Referring to FIG. 9, in some embodiments, some registrations will require the user to sign particular agreements such as a non-disclosure agreement... The signed or assented-to agreement is stored (STEP 914) in a database associated with the project and the user, along with the agreement details (i.e., when the agreement was assented to, log or trail information, and so on). When appropriate agreements are in place, the user may then have access to all project details for which the agreement is associated). As constructed signing an agreement and storing (i.e., have in place) represents an authorization object specifying a first agreement and until they are in place a user would not be given access.
Similar rationale and motivation is noted for the combination of Hughes to Bartlett and Xie and Burns and Hughes, as per Claim 13, above.

Regarding Claim 15;
Bartlett and Xie and Burns and Hughes teach the method to Claim 13.
Bartlett further discloses wherein the one or more processors are further configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising: receiving, from the first user, authorization information relating to the first authorization (FIG. 8 – Log-In with Credentials and Retrieve User Security Credentials); determining, based at least in part on the authorization information, that the authorizations of the first user satisfy the first authorization indicated by the first authorization object associated with the first charter object (FIG. 8 and [0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group). The clearance groups may be arranged in a vertical hierarchy such that, for example, a member of the TOP-SECRET clearance group would also, by default, be a member of all lesser groups (i.e., SECRET and CONFIDENTIAL clearance groups in this example). As another particular example, an administrator may create one or more secondary security groups (e.g., each clearance group described in the example above may have a DALLAS OFFICE group, a Washington D.C. office group, and a NEW YORK OFFICE group) and [0049] - The security label 144 corresponding to an object 142 may be generated independent of input received from the user (e.g., the security label 144 may be created by document management application 154) or in response to input received from the user (i.e., the user may create the security label 144 by specifying the one or more components of the security label, as described below)), and providing the first user access to the first computer resource based at least in part on the determination that the authorizations of the first user satisfy the first authorization ([0045] - For example, document management application 154 may allow an administrator to manage users of system 100 by creating one or more groups. As a particular example, in a national defense context an administrator may create a number of clearance groups (e.g., TOP-SECRET clearance group, SECRET clearance group, and CONFIDENTIAL clearance group). The clearance groups may be arranged in a vertical hierarchy such that, for example, a member of the TOP-SECRET clearance group would also, by default, be a member of all lesser groups (i.e., SECRET and CONFIDENTIAL clearance groups in this example). As another particular example, an administrator may create one or more secondary security groups (e.g., each clearance group described in the example above may have a DALLAS OFFICE group, a Washington D.C. office group, and a NEW YORK OFFICE group) and [0049] - The security label 144 corresponding to an object 142 may be generated independent of input received from the user (e.g., the security label 144 may be created by document management application 154) or in response to input received from the user (i.e., the user may create the security label 144 by specifying the one or more components of the security label, as described below)).

Regarding Claim 16;
Bartlett and Xie and Burns teach the method to Claim 13.
Bartlett discloses ...wherein the first authorization is a condition specified by the first authorization object ... before being granted access to the first computer resource associated with the first resource object during a session ([0044]-[0046]).
Bartlett and Xie and Burns fail to explicitly disclose wherein the ... authorization is a condition specified ... that the first user must agree to before being granted access to the first computer resource.
However, in an analogous art, Hughes teaches wherein the ... authorization is a condition specified ... that the first user must agree to before being granted access to the first computer resource. (Hughes, [0162]-[0163] - Referring to FIG. 9, in some embodiments, some registrations will require the user to sign particular agreements such as a non-disclosure agreement... The signed or assented-to agreement is stored (STEP 914) in a database associated with the project and the user, along with the agreement details (i.e., when the agreement was assented to, log or trail information, and so on). When appropriate agreements are in place, the user may then have access to all project details for which the agreement is associated). As constructed signing an agreement represents a qualification as the first user must complete signing before gaining access to the computer resource.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hughes to the qualification of Bartlett and Xie and Burns to include wherein the ... authorization is a condition specified ... that the first user must agree to before being granted access to the first computer resource.
One would have been motivated to combine the teachings of Hughes to Bartlett and Xie and Burns to do so as it provides / allows “ensuring” that the requirement(s) are met (Hughes, [0162]-[0163]).

Regarding Claim 21;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett further discloses ...the qualification... the first user must “achieve” before gaining access to the computer resource associated with the first charter (Bartlett, [0044]-[0046]).
Bartlett and Xie and Burns fail to explicitly disclose ...wherein the qualification is an agreement the first user needs to sign before gaining access to the computer resource....
However, in an analogous art, Hughes teaches ...wherein the qualification is an agreement the first user needs to sign before gaining access to the computer resource.... (Hughes, [0162]-[0163] - Referring to FIG. 9, in some embodiments, some registrations will require the user to sign particular agreements such as a non-disclosure agreement... The signed or assented-to agreement is stored (STEP 914) in a database associated with the project and the user, along with the agreement details (i.e., when the agreement was assented to, log or trail information, and so on). When appropriate agreements are in place, the user may then have access to all project details for which the agreement is associated). As constructed signing an agreement is a qualification as the first user must complete signing before gaining access to the computer resource.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hughes to the qualification of Bartlett and Xie and Burns to include ...wherein the qualification is training the first user must complete before gaining access to the computer resource.
One would have been motivated to combine the teachings of Hughes to Bartlett and Xie and Burns to do so as it provides / allows “ensuring” that the requirement(s) are met (Hughes, [0162]-[0163]).

Claims 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartlett et al. (US 2009/0319529 A1) in view of Xie et al. (US 2018/0077542 A1) and Burns et al. (US 2007/0233685 A1) further in view of Linga et al. (US 2016/0283406 A1).

Regarding Claim 18;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett and Xie and Burns fail to explicitly disclose wherein the operations of the first user when accessing the first and second resource objects during a session are constrained by a control object linked to the first charter object to prohibit combining information from the first computer resource and the second computer resource into the first computer resource, the second computer resource or a third computer resource.
However, in an analogous art, Linga teaches wherein the operations of the first user when accessing the first and second resource objects during a session are constrained by a control object linked to the first charter object to prohibit combining information from the first computer resource and the second computer resource into the first computer resource, the second computer resource or a third computer resource (Linga, [0073]-[0074] - There are three states that can be enabled regarding copy/paste options, including protected docs, all docs and disabled. Protected docs restricts copy/paste options only between secure data. All docs permits copy/paste options between secure data and non-secure data as well as secure data and other secure data. Disabled restricts copy/paste options altogether. All restrictions are handled on the copy side. Disabled means that when the user attempts to copy data, no data is copied to the clipboard. Protected docs means that when the user attempts to copy data, encrypted data is copied to the clipboard. If the user attempts to paste into a non-secure data space nothing is pasted. If the user attempts to paste into a secure data space, the data decrypted is successfully pasted. ‘All docs’ means that when the user attempts to copy data, the data is copied to the clipboard as normal and can be pasted anywhere (secure or non-secure data).)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Linga to the accessing of Bartlett and Xie and Burns to include wherein the operations of the first user when accessing the first and second resource objects during a session are constrained by a control object linked to the first charter object to prohibit combining information from the first computer resource and the second computer resource into the first computer resource, the second computer resource or a third computer resource.
One would have been motivated to combine the teachings of Linga to Bartlett and Xie and Burns to do so as it provides / allows applying security to data and managing the data remotely to enforce policies associated with the data (Linga, [0002]).

Regarding Claim 19;
Bartlett and Xie and Burns teach the method to Claim 1.
Bartlett and Xie and Burns fail to explicitly disclose wherein the first charter object is associated with audit rules that are applied to resource objects linked to the first charter object, the audit rules controlling data collecting and retention for work conducted by a user under the first charter.
However, in an analogous art, Linga teaches wherein the first charter object is associated with audit rules that are applied to resource objects linked to the first charter object, the audit rules controlling data collecting and retention for work conducted by a user under the first charter (Linga, [0046] - Other examples of user initiated commands may be copy, delete, adding text, etc. All of those user input commands may be captured by an audit agent that begins operation once the policy has been enacted. The policy enactment may begin whenever a policy is discovered and linked to a particular user and/or the particular data being accessed.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Linga to the markings of Bartlett and Xie and Burns to include wherein at least a portion of the first group of markings control access to resources under the first charter based on identification of a computer being used by the first user for the session.
One would have been motivated to combine the teachings of Linga to Bartlett and Xie and Burns to do so as it provides / allows applying security to data and managing the data remotely to enforce policies associated with the data (Linga, [0002]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439