Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
	This communication is in response to the application filed on 12/11/2020.
	Claims 1-20 are pending.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a first one or more electronic devices to implement user resources…” and “a second one or more electronic devices to implement an intent-based…” in claim 13.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim limitations “a first one or more electronic devices to implement user resources…” and “a second one or more electronic devices to implement an intent-based…” in claim 13 are unsupported by Applicant’s disclosure. Therefore, claim 13 is rejected under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph. Dependent claims 14-20 are rejected 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph due to their dependence on a rejected base claim.
Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim limitations “a first one or more electronic devices to implement user resources…” and “a second one or more electronic devices to implement an intent-based…” in claim 13 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, claim 13 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph. Dependent 14-20 are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph due to their dependence on a rejected base claim. 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Objections
Claims 7 and 9-12 are objected to because of the following informalities:  
	Claim 7 is objected to because it depends on claim 5 while reciting elements from claim 6. Claim 7 should be amended to depend on claim 6 instead of claim 5. 
	Claim 9 is objected to because it depends on claim 7 while reciting elements from claim 8. Claim 9 should be amended to depend on claim 8 instead of claim 7.
	Claim 10 is objected to because it depends on claim 8 while reciting elements from claim 9. Claim 10 should be amended to depend on claim 8 instead of claim 9.
	Claim 11 is objected to because it depends on claim 7 while reciting elements from claim 8. Claim 11 should be amended to depend on claim 8 instead of claim 7.
	Claim 12 is objected to because it depends on claim 7 while reciting elements from claim 8. Claim 12 should be amended to depend on claim 8 instead of claim 7.
	Appropriate correction is required.
Examiner will interpret claim 7 as depending on claim 6; claim 9 as depending on claim 8; claim 10 as depending on claim 9; and claims 11 and 12 as depending on claim 8. 
Claim Rejections - 35 U.S.C. § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. § 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 4-5, 8, 12-13, 16 and 20 are rejected under 35 U.S.C. § 102(a)(1) as being anticipated by Sidebottom (Pat. No. US 7,962,633 B1).

Regarding claim 4, Sidebottom teaches computer-implemented method comprising: receiving, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of an intent-based governance service (Sidebottom Fig. 2 service development device 4 & Fig. 1, service provider 6 includes service development device & column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers); compiling the one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules); and associating the at least one access control policy with the user resources (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).

Regarding claim 5, Sidebottom teaches the computer-implemented method of claim 4. Sidebottom furthermore teaches wherein each intent statement of the one or more intent statements are expressed in a domain specific language and describe a governance strategy for at least one intent defined by the domain specific language (Sidebottom column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language [domain specific language]”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers; see also column 3, lines 34-40 & 59-62, rule specification language is high level and related to business level information making it a domain specific language [business level/policies domain]).

Regarding claim 8, Sidebottom teaches the computer-implemented method of claim 4. Sidebottom furthermore teaches receiving an event from a service of the provider network indicating at least one change to the provider network (Sidebottom Fig. 2, events are received by event translator 24 & column 8, lines 34-50, “Because the methods of database proxy 50 may change what services should be available to a subscriber, database proxy 50 may generate a new event. Database proxy 50 may then send the new event to event translator 24”).

Regarding 12, Sidebottom teaches the computer-implemented method of claim 8. Sidebottom furthermore teaches wherein the service of the provider network is an area status service, and wherein the at least one change is a new area of the provider network being brought online (Sidebottom column 8, lines 34-50, “Because the methods of database proxy 50 may change what services should be available [a new are of the provider network being brought online] to a subscriber, database proxy 50 may generate a new event. Database proxy 50 may then send the new event to event translator 24”; see also column 8, lines 51-66 regarding service activation proxy allowing access to the internet to a subscriber).

Regarding claim 13, Sidebottom teaches a system comprising: a first one or more electronic devices to implement user resources in a multi-tenant provider network (Sidebottom Fig. 1, service provider 6 is comprised of one or more electronic devices to implement user resources & column 3, lines 18-32); and a second one or more electronic devices to implement an intent-based governance service in the multi-tenant provider network (Sidebottom Fig. 1, Service Deployment Device 4 & column 3, lines 18-32), the intent-based governance service including instructions that upon execution cause the intent-based governance service to: receive, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of the intent-based governance service (Sidebottom column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements associated with the user resources, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers); compile the one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules); and associate the at least one access control policy with the user resources (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).

Sidebottom teaches all the limitations of claims 16 and 20 as asserted above with regard to claims 8 and 12, respectively.
Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA  35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. § 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Gracyk (Pub. No. US 2004/0221022 A1) and further in view of Tautschnig (Pat. No. US 10,652,266 B1).

Regarding claim 1, Sidebottom teaches a computer-implemented method comprising: receiving, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of an intent-based governance service of a provider network (Sidebottom Fig. 2 service development device 4 & Fig. 1, service provider 6 includes service development device & column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements written in a domain specific language from a customer expressing security intent for customer resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules [intent statements] drafted in a rule description language [domain specific language]”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers; see also column 3, lines 34-40 & 59-62, rule specification language is high level and related to business level information making it a domain specific language [business level/policies domain]); parsing the one or more intent statements and compiling the parsed one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules; see also claim 21, which shows how the rule compiler processes/parses rules; see also column 5, lines 24-39, event translator parses rules to determine a source event attribute and a translation attribute; see also column 5, lines 63-67, regarding the rules engine parsing rules); associating the at least one access control policy with the customer resources based on the one or more intent statements (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).
Sidebottom does not explicitly teach utilizing a provider network model to parse a policy, detecting a change to the provider network based on a static code analysis of one or more services of the provider network; updating the provider network model based on the change to the provider network; and recompiling the parsed one or more intent statements into an updated at least one access control policy, the updated at least one access control policy applying to at least the one or more services of the provider network that have changed.
However, Gracyk teaches parsing the one or more intent statements based on a provider network model (Gracyk Fig. 1 and ¶¶ [0011]-[0013], WMI model used to parse out intent statements in the service definition such as “PolicyGroup = ExchangePolicies” (Fig. 1, 116) and “PackageGuid=ExchangeFM” (Fig. 1, 120) and associate the intent statements with a service), detecting a change to the provider network based on an analysis of one or more services of the provider network (Gracyk ¶ [0011], “the discovery agent 102 discovers a service 106 [detects a change to the provider network] in the node A, for example a service named ‘Microsoft Exchange’.”); updating the provider network model based on the change to the provider network (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114” – by writing the discovered service to the network model the network model is updated based on the change to the provider network); and recompiling the parsed one or more intent statements into an updated at least one access control policy, the updated at least one access control policy applying to at least the one or more services of the provider network that have changed (Gracyk Fig. 1 and ¶ [0017], the new exchange policies 108 are deployed based on the instance 116 in the model).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Gracyk because this is merely combining prior art elements (receiving policies in a domain specific language and parsing/compiling/enforcing them) according to known methods (utilizing a network model to parse policies, updating the network model and accordingly updating the policies) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  
Gracyk does not explicitly teach detecting a change to the provider network based on a static code analysis of one or more services of the provider network.
However, Tautschnig teaches detecting a change to the provider network based on a static code analysis of one or more services of the provider network (Tautschnig Fig. 1 and column 16, lines 32-38, source code analysis engine detects changes to source code of a service to determine a change in the service provider network).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Gracyk with the teachings of Tautschnig (source code analysis of a service) because it allows for automated identification and mitigation of violations of security policies in an environment where users and developers dynamically modify the source code of a service to change functionality of a service. Tautschnig column 1, lines 25-34 and column 3, lines 32-47.

Regarding clam 2, Sidebottom, Gracyk and Tautschnig teach the computer-implemented method of claim 1.  Sidebottom furthermore teaches wherein the security intent includes limiting access to the customer resources from one or more regions of the provider network (Sidebottom column 3, lines 18-23, access is limited from a region of the provider network).

Regarding clam 3, Sidebottom, Gracyk and Tautschnig teach the computer-implemented method of claim 1.  Sidebottom furthermore teaches wherein the security intent includes limiting sharing of the customer resources to the customer's organization (Sidebottom column 3, lines 3-12, subscriber is authenticated which limits sharing of resources to non-authenticated individuals).

Claims 6-7 and 14-15 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Nedbal (Pub. No. US 2021/0126948 A1).

Regarding claim 6, Sidebottom teaches the computer-implemented method of claim 4. 
Sidebottom does not explicitly teach: sending a request to a resource activity service to compare the at least one access control policy to an activity history associated with the user resources and receiving a response indicating that the at least one access control policy would restrict recent activity associated with the user resources.
However, Nedbal teaches sending a request to a resource activity service to compare the at least one access control policy to an activity history associated with the user resources and receiving a response indicating that the at least one access control policy would restrict recent activity associated with the user resources (Nedbal ¶ [0086], a recommendation to disable a security policy is made based on activity associated with the security policy).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Nedbal to teach recommending that a security policy be disabled or set to monitoring mode based on analyzing an network activity because it allows for optimizing use of network resources, Nedbal ¶ [0019].  

Regarding claim 7, Sidebottom and Nedbal teach the computer-implemented method of claim 6. Sidebottom furthermore teaches a user interface for receiving at least one updated intent statement (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 supply custom business logic rules drafted in a rule description language”); and compiling the at least one updated intent statement into at least one updated access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules).
Sidebottom does not explicitly indicating the recent activity that would be restricted by the at least one access control policy.
However, Nedbal teaches indicating the recent activity that would be restricted by the at least one access control policy (Nedbal ¶ [0086], “a security policy having a number of violations less than a predefined threshold may be recommended to be disabled”; see also ¶ [0092] about classifying activity and indicating that it would be restricted by the access control policy, “the security microservice identifies or records 20,000 violations, all related to the rendering farm. In other words, the violations or security policies/rules are asymmetrically clustered to a particular member or type of member of the “application tier” network set. In this example, the security microservice can identify that all of the security policy violations are from the rendering farm”).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Nedbal to teach indicating recent activity that would be restricted by the access policy because it allows for optimizing use of network resources, Nedbal ¶ [0019]. 

Claims 14-15 are rejected by Sidebottom and Nedbal as asserted above with regard to claim 6-7.

Claims 9-10 and 17-18 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Gracyk (Pub. No. US 2004/0221022 A1).

Regarding claim 9, Sidebottom teaches the computer-implemented method of claim 8.
Sidebottom does not explicitly teach updating a model of the provider network based on the at least one change.
However, Gracyk teaches updating a model of the provider network based on the at least one change (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114” – by writing the discovered service to the network model the network model is updated based on the change to the provider network). 
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Gracyk because this is merely combining prior art elements  according to known methods (updating a network model according to configuration changes) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  

Regarding claim 10, Sidebottom teaches the computer-implemented method of claim 9.
Sidebottom does not explicitly recompiling the one or more intent statements using the updated model to generate at least one updated access control policy which applies to the at least one change to the provider network.
However, Gracyk recompiling the one or more intent statements using the updated model to generate at least one updated access control policy which applies to the at least one change to the provider network (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114”; see also ¶ [0017], the new exchange policies 108 are deployed based on the instance 116 in the model)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Gracyk because this is merely combining prior art elements (receiving policies in a domain specific language and parsing/compiling/enforcing them) according to known methods (utilizing a network model to parse policies, updating the network model and accordingly updating the policies) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  

Sidebottom and Gracyk teach all the limitations of claims 17 and 18 as asserted above with regard to claims 9-10, respectively. 

Claims 11 and 19 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of and further in view of Tautschnig (Pat. No. US 10,652,266 B1).

Regarding claim 11, Sidebottom teaches the computer-implemented method of claim 8.
Sidebottom does not explicitly teach wherein the service of the provider network is a static code analysis service, and wherein the at least one change is a new feature of a second service of the provider network identified based on a static code analysis.
However, Tautschnig teaches wherein the service of the provider network is a static code analysis service, and wherein the at least one change is a new feature of a second service of the provider network identified based on a static code analysis (Tautschnig Fig. 1 and column 16, lines 32-38, source code analysis engine detects changes to source code of a service; see also column 1, lines 25-34, users make changes to network-based services).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Tautschnig (source code analysis of a service) because it allows for automated identification and mitigation of violations of security policies in an environment where users and developers dynamically modify the source code of a service to change functionality of a service. Tautschnig column 1, lines 25-34 and column 3, lines 32-47.

Sidebottom and Tautschnig teach all the limitations of claim 19 as asserted above with regard to claim 11.
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure.
A (Pat. No. US 11,283,691) teaches “Model Driven Intent Policy Conflict Detection And Resolution Through Graph Analysis”. A Title. 
Fan (Pub. No. US 2021/0286638 A1) teaches that “the resource mapper and optimizer 113 may leverage the policy module 115 and the resource topology model 116 to determine the right deployment model”. Fan ¶ [0038].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY P TOLCHINSKY whose telephone number is (571)270-0599. The examiner can normally be reached m-f (9:30-6:30PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/G.P.T./Examiner, Art Unit 2456


/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2456