DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 62/923,381 as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994)
The disclosure of the prior-filed application, Application No. 62/923,381, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application.  
The disclosure of the prior-filed application fails to provide adequate support of the claimed invention recited in claims 1-20 of this application. Accordingly, claims 1-20 are not entitled to the benefit of the prior application.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on February 11, 2021, November 3, 2021, and May 17, 2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: 
The specification includes “shema” multiple times. As best understood, there are typographical error and should read as “schema”.  
The specification includes “at least one of the asset, the asset type, the asset value” multiple times. As best understood, there are typographical error and should read as “at least one of the asset, the asset type, and the asset value”.  
Appropriate correction is required.

Claim Objections
Claims 1-6, 8-13, and 15-19  are objected to because of the following informalities: 
Claims 1, 3, 8, 10, and 15 recite “shema.” As best understood, there are typographical error and should read as “schema”; and   
Claims 1-6, 8-13, and 15-19  recite “at least one of the asset, the asset type, the asset value.” As best understood, there are typographical error and should read as “at least one of the asset, the asset type, and the asset value”.  
Appropriate correction is required.	

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-6, 8-13, and 15-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kahn (US Patent No. 7,185,192, hereinafter “Kahn”). 
Regarding claim 1, Kahn discloses a method for enterprise-wide fine-grained role-based access control to a plurality of organizational assets [ a method of providing access control; column 6, lines 4-12], the method comprising: 
receiving, via an authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], identification of an asset for fine-grained role-based access control from an organization [Fig. 4, item 362; The object label field 362 identifies the actual resource which this object 360 represents, ..; column 19, lines 60-64]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset type of the asset using the identification of the asset [The invention thus provides an access control creation environment that allows administrators to develop custom access control schemes or scenarios that might be specific to a particular type of resource that is being policed.; column 32, lines 16-19]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset value of the asset based on the asset type [Fig. 4, item 370; The object attributes data field 370 contains values (not specifically shown) for various attributes and/or configuration information related to the object 360 such as the resource's IP address, server hostname, departmental association(s), capacity, manufacturer, number of volumes, space available, space used, and so forth.; column 20, lines 19-24]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an organizational role with fine-grained role- based access control to at least one of the asset, the asset type, the asset value [Fig. 3, item 350-2, user groups (e.g., role identities), Requestor Role in table 1; Databases 350-1 (user accounts) and 350-2 (user groups/role identities) contain various data records used during the login process. … A user group might specify, or correspond to a departmental or role identity such as one of the role identities shown in Table 1 above.; column 18, lines 15-35]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Permission in Table 3; As indicated in Table 3 above, the administrator of the access control system of this invention can establish permissions other that simple operating system specific permissions such as read, write and execute.; column 31, lines 59-62 ]; 
generating a fine-grained role-based access control database shema using the asset, the definition of an asset type, the definition of an asset value, the definition of an organizational role, and the permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Fig. 3, item 350; Preferably, the managed resources database 350-5 is a set of objects (e.g., object oriented data structures) that represent the various resources or other components to which access/permissions can be granted or denied. As an example, the managed resources database 350-5 might contain one or more objects (e.g., database records, data structures, lists, or the like) for each data storage system 160, as well as for components (e.g. volumes) that make-up the data storage systems 160.; column 19, lines 41-54]; 
providing an authorization service user interface (UI) for enabling fine-grained role-based access control to the asset based on the fine-grained role-based access control database shema [The application 206, which may be any type of software application (e.g., a database server program, a web server, or data storage system device driver software), in turn accepts the access request 301 and forwards the same or a similar (e.g., translated) access request 301 to the resource server 204. … For example, an application may act to provide an access request on behalf of a user at any time.; column 16, line 67- column 17, line 18]; and 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a request for permission to access at least one of the asset, the asset type, the asset value by an authenticated user [Fig. 6, item 400; In step 400, the rule engine 315 receives the access request 301 from a requestor 120 through 124 (e.g., via the login agent 305).; column 26, line 67- column 27, line 2].  

Regarding claim 2, Kahn discloses all the limitation of claim 1 above. Kahn further discloses: 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset for fine-grained role-based access control using the identification of an asset [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset type of the asset using the definition of the asset type of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, line 30-37]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset value of the asset using the definition of the asset value of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, lines 30-37]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an organizational role with fine-grained role-based access control to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; and 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55].  

Regarding claim 3, Kahn discloses all the limitation of claim 2 above. Kahn further discloses: 
fine-grained role-based access evaluating the request for permission to access the asset from the authenticated user using the fine-grained role-based access control database shema [Fig. 6, item 401, 402; Next, in step 402, the rule engine 315 performs rule operation processing (e.g., as explained above) on the selected set of rules.; column 27, lines 49-55]; 
generating a fine-grained role-based access decision regarding the request for permission to access the asset, the asset type, the asset value by the authenticated user based on the fine-grained role-based access evaluating [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46]; and 
replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user, via the authorization service client Application Programing Interface (API), the fine-grained role- based access decision regarding the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46].  

Regarding claim 4, Kahn discloses all the limitation of claim 3 above. Kahn further disclose that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises granting permission to access at least one of the asset, the asset type, the asset value by the authenticated user [The system of the invention will thus provide or grant a particular requestor (e.g., a computer user acting in a role identity) certain permissions if there is at least one rule that is applicable as determined by filter operations and if there is a rule operation that grants a permission to that requestor within that rule.; column 31, lines 6-11].  

Regarding claim 5, Kahn discloses all the limitation of claim 3 above. Kahn further discloses that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises denial of permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Such custom permissions might be application specific, and application developers that are aware of such rules and custom permissions can create software applications that provide access requests (e.g., via an application programming interface (API), for example) that require the access control system 300 to grant and return an access control decision 302-1 that includes the custom permissions or else access to the resource will be denied to users of the application.; column 32, lines 4-12].  

Regarding claim 6, Kahn discloses all the limitation of claim 2 above. Kahn further disclose that the receiving, via the authorization service user interface (UI), the selection input of the organizational role with fine-grained role-based access control to at least one of the asset, the asset type, the asset value comprises multiple organizational roles [Role-based access control according to this invention can account for the different roles that may be required when a requestor (e.g., a user or a program acting on behalf of a user) requests access to a resource, … .; column 12, lines 21-30].  

Regarding claim 8, Kahn discloses a system for enterprise-wide fine-grained role-based access control to a plurality of organizational assets [Fig. 2, item 200; a resource server], the system comprising: 
at least one processor [Fig. 2, item 220; a processor]; and 
a memory [Fig. 2, item 208; a memory] storing processor-executable instructions, wherein the at least one processor is configured to implement the following operations upon executing the processor-executable instructions: 
receiving, via an authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], identification of an asset for fine-grained role- based access control from an organization [Fig. 4, item 362; The object label field 362 identifies the actual resource which this object 360 represents, ..; column 19, lines 60-64]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset type of the asset using the identification of the asset [The invention thus provides an access control creation environment that allows administrators to develop custom access control schemes or scenarios that might be specific to a particular type of resource that is being policed.; column 32, lines 16-19]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset value of the asset based on the asset type [Fig. 4, item 370; The object attributes data field 370 contains values (not specifically shown) for various attributes and/or configuration information related to the object 360 such as the resource's IP address, server hostname, departmental association(s), capacity, manufacturer, number of volumes, space available, space used, and so forth.; column 20, lines 19-24]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an organizational role with fine-grained role- based access control to at least one of the asset, the asset type, the asset value [Fig. 3, item 350-2, user groups (e.g., role identities), Requestor Role in table 1; Databases 350-1 (user accounts) and 350-2 (user groups/role identities) contain various data records used during the login process. … A user group might specify, or correspond to a departmental or role identity such as one of the role identities shown in Table 1 above.; column 18, lines 15-35]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Permission in Table 3; As indicated in Table 3 above, the administrator of the access control system of this invention can establish permissions other that simple operating system specific permissions such as read, write and execute.; column 31, lines 59-62 ]; 
generating a fine-grained role-based access control database shema using the asset, the definition of an asset type, the definition of an asset value, the definition of an organizational role, and the permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Fig. 3, item 350; Preferably, the managed resources database 350-5 is a set of objects (e.g., object oriented data structures) that represent the various resources or other components to which access/permissions can be granted or denied. As an example, the managed resources database 350-5 might contain one or more objects (e.g., database records, data structures, lists, or the like) for each data storage system 160, as well as for components (e.g. volumes) that make-up the data storage systems 160.; column 19, lines 41-54]; 
providing an authorization service user interface (UI) for enabling fine- grained role-based access control to the asset based on the fine-grained role- based access control database shema [The application 206, which may be any type of software application (e.g., a database server program, a web server, or data storage system device driver software), in turn accepts the access request 301 and forwards the same or a similar (e.g., translated) access request 301 to the resource server 204. … For example, an application may act to provide an access request on behalf of a user at any time.; column 16, line 67- column 17, line 18]; and 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a request for permission to access at least one of the asset, the asset type, the asset value by an authenticated user [Fig. 6, item 400; In step 400, the rule engine 315 receives the access request 301 from a requestor 120 through 124 (e.g., via the login agent 305).; column 26, line 67- column 27, line 2].  

Regarding claim 9, Kahn discloses all the limitation of claim 8 above. Kahn further discloses that the at least one processor is further configured to implement the following operations upon executing the processor-executable instructions: 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset for fine-grained role-based access control using the identification of an asset [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset type of the asset using the definition of the asset type of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, line 30-37]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset value of the asset using the definition of the asset value of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, lines 30-37]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an organizational role with fine-grained role-based access control to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; and 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55].  

Regarding claim 10, Kahn discloses all the limitation of claim 9 above. Kahn further discloses that the at least one processor is further configured to implement the following operations upon executing the processor-executable instructions: 
fine-grained role-based access evaluating the request for permission to access the asset from the authenticated user using the fine-grained role-based access control database shema [Fig. 6, item 401, 402; Next, in step 402, the rule engine 315 performs rule operation processing (e.g., as explained above) on the selected set of rules.; column 27, lines 49-55]; 
generating a fine-grained role-based access decision regarding the request for permission to access the asset, the asset type, the asset value by the authenticated user based on the fine-grained role-based access evaluating [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46]; and 
replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user, via the authorization service client Application Programing Interface (API), the fine-grained role- based access decision regarding the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46].  

Regarding claim 11, Kahn discloses all the limitation of claim 10 above. Kahn further disclose that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises granting permission to access at least one of the asset, the asset type, the asset value by the authenticated user [The system of the invention will thus provide or grant a particular requestor (e.g., a computer user acting in a role identity) certain permissions if there is at least one rule that is applicable as determined by filter operations and if there is a rule operation that grants a permission to that requestor within that rule.; column 31, lines 6-11].  

Regarding claim 12, Kahn discloses all the limitation of claim 10 above. Kahn further discloses that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises denial of permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Such custom permissions might be application specific, and application developers that are aware of such rules and custom permissions can create software applications that provide access requests (e.g., via an application programming interface (API), for example) that require the access control system 300 to grant and return an access control decision 302-1 that includes the custom permissions or else access to the resource will be denied to users of the application.; column 32, lines 4-12].  

Regarding claim 13, Kahn discloses all the limitation of claim 9 above. Kahn further disclose that the receiving, via the authorization service user interface (UI), selection input of an organizational role with fine-grained role-based access control to at least one of the asset, the asset type, the asset value comprised multiple organizational roles [Role-based access control according to this invention can account for the different roles that may be required when a requestor (e.g., a user or a program acting on behalf of a user) requests access to a resource, … .; column 12, lines 21-30].  

Regarding claim 15, Kahn discloses a non-transitory computer readable medium having embodied thereon instructions being executable by at least one processor to perform operations for enterprise-wide fine-grained role-based access control to a plurality of organizational assets [a computer program product having a computer readable medium including computer program logic encoded thereon to provide the access control and authorizations systems of this invention and its associated operation; column 9, lines 15-19], the operations comprising: 
receiving, via an authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], identification of an asset for fine-grained role- based access control from an organization [Fig. 4, item 362; The object label field 362 identifies the actual resource which this object 360 represents, ..; column 19, lines 60-64]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset type of the asset using the identification of the asset [The invention thus provides an access control creation environment that allows administrators to develop custom access control schemes or scenarios that might be specific to a particular type of resource that is being policed.; column 32, lines 16-19]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an asset value of the asset based on the asset type [Fig. 4, item 370; The object attributes data field 370 contains values (not specifically shown) for various attributes and/or configuration information related to the object 360 such as the resource's IP address, server hostname, departmental association(s), capacity, manufacturer, number of volumes, space available, space used, and so forth.; column 20, lines 19-24]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a definition of an organizational role with fine-grained role- based access control to at least one of the asset, the asset type, the asset value [Fig. 3, item 350-2, user groups (e.g., role identities), Requestor Role in table 1; Databases 350-1 (user accounts) and 350-2 (user groups/role identities) contain various data records used during the login process. … A user group might specify, or correspond to a departmental or role identity such as one of the role identities shown in Table 1 above.; column 18, lines 15-35]; 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Permission in Table 3; As indicated in Table 3 above, the administrator of the access control system of this invention can establish permissions other that simple operating system specific permissions such as read, write and execute.; column 31, lines 59-62 ]; 
generating a fine-grained role-based access control database shema using the asset, the definition of an asset type, the definition of an asset value, the definition of an organizational role, and the permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [Fig. 3, item 350; Preferably, the managed resources database 350-5 is a set of objects (e.g., object oriented data structures) that represent the various resources or other components to which access/permissions can be granted or denied. As an example, the managed resources database 350-5 might contain one or more objects (e.g., database records, data structures, lists, or the like) for each data storage system 160, as well as for components (e.g. volumes) that make-up the data storage systems 160.; column 19, lines 41-54]; 
providing an authorization service user interface (UI) for enabling fine- grained role-based access control to the asset based on the fine-grained role- based access control database shema [The application 206, which may be any type of software application (e.g., a database server program, a web server, or data storage system device driver software), in turn accepts the access request 301 and forwards the same or a similar (e.g., translated) access request 301 to the resource server 204. … For example, an application may act to provide an access request on behalf of a user at any time.; column 16, line 67- column 17, line 18]; and 
receiving, via the authorization service client Application Programing Interface (API) [Fig. 2, item 300-1, vertical arrows; a role-rule authorization module; column 16, lines 58-62, column 17, lines 9-10], a request for permission to access at least one of the asset, the asset type, the asset value by an authenticated user [Fig. 6, item 400; In step 400, the rule engine 315 receives the access request 301 from a requestor 120 through 124 (e.g., via the login agent 305).; column 26, line 67- column 27, line 2].  

Regarding claim 16, Kahn discloses all the limitation of claim 15 above. Kahn further discloses: 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset for fine-grained role-based access control using the identification of an asset [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an asset type of the asset using the definition of the asset type of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, line 30-37]; 
receiving, via the authorization service user interface (UI), selection input of an asset value of the asset using the definition of the asset value of the asset [The attributes in this example are values that "relate to" a rule, and permissions that a rule "Grants" as well as attributes that a rule "specifies."; column 26, lines 30-37];
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of an organizational role with fine-grained role-based access control to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55]; and 
receiving, via the authorization service user interface (UI) [Fig. 2, item 206; application], selection input of permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, the asset value [The general content or syntax of an example access request 301 is shown in FIG. 3 below the login agent 305 as the tuple 301 (REQUESTOR, ACCESS, RESOURCE). This example access request 301 specifies an identity or role of the requestor ("REQUESTOR"), a type of access that is being requested ("ACCESS"), and an identity of a resource to which access is being requested ("RESOURCE").; column 18, lines 49-55].  

Regarding claim 17, Kahn discloses all the limitation of claim 16 above. Kahn further discloses that the operations further comprise: 
fine-grained role-based access evaluating the request for permission to access the asset from the authenticated user using the fine-grained role-based access control database shema [Fig. 6, item 401, 402; Next, in step 402, the rule engine 315 performs rule operation processing (e.g., as explained above) on the selected set of rules.; column 27, lines 49-55]; 
generating a fine-grained role-based access decision regarding the request for permission to access the asset, the asset type, the asset value by the authenticated user based on the fine-grained role-based access evaluating [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46]; and 
replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user, via the authorization service client Application Programing Interface (API), the fine-grained role- based access decision regarding the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Fig. 6, item 405; In step 405, the access control decision 302-1 is complete and consists of the various permission(s) granted to the requestor as determined by what rule operations were performed in step 402.; column 28, lines 43-46].  

Regarding claim 18, Kahn discloses all the limitation of claim 17 above. Kahn further disclose that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises granting permission to access at least one of the asset, the asset type, the asset value by the authenticated user [The system of the invention will thus provide or grant a particular requestor (e.g., a computer user acting in a role identity) certain permissions if there is at least one rule that is applicable as determined by filter operations and if there is a rule operation that grants a permission to that requestor within that rule.; column 31, lines 6-11].  

Regarding claim 19, Kahn discloses all the limitation of claim 17 above. Kahn further discloses that the replying to the request for permission to access at least one of the asset, the asset type, the asset value by the authenticated user comprises denial of permission to access at least one of the asset, the asset type, the asset value by the authenticated user [Such custom permissions might be application specific, and application developers that are aware of such rules and custom permissions can create software applications that provide access requests (e.g., via an application programming interface (API), for example) that require the access control system 300 to grant and return an access control decision 302-1 that includes the custom permissions or else access to the resource will be denied to users of the application.; column 32, lines 4-12].  

Claim Rejections - 35 USC § 103
20. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kahn in view of Buehler et al. (US Patent No. 9,032,076, hereinafter “Buehler”).

Regarding claim 7, Kahn discloses the limitation 2 above. However, Kahn does not appear to explicitly discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user; and the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values. 
However, Buehler discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user [Hierarchical tree 10 shows in a highest level a resource called "root". … In general, a role type is defined based on a set of actions that are permitted to be carried out by a user or a group of users assigned to role instances of that role type.; column 6, line 61- column 7, line 8 of Buehler]; and 
the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values [Therefore, it is possible that one super role contains all permissible actions necessary to fulfill a specific task within the system.; column 8, lines 5-7 of Buehler].  
Kahn and Buehler are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kahn to incorporate the teachings of Buehler since both systems provides a role-based access control to resources based on a role of the organization in the enterprise computer system. The motivation to do so is to define a super role by grouping a set of role instances and provide a highest level in a hierarchical data domain, root, includes all permissible actions necessary to fulfill a specific task within the system (obvious to one skilled in the art, Buehler, Abstract).

Regarding claim 14, Kahn discloses the limitation 9 above. However, Kahn does not appear to explicitly discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user; and the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values. 
However, Buehler discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user [Hierarchical tree 10 shows in a highest level a resource called "root". … In general, a role type is defined based on a set of actions that are permitted to be carried out by a user or a group of users assigned to role instances of that role type.; column 6, line 61- column 7, line 8 of Buehler]; and 
the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values [Therefore, it is possible that one super role contains all permissible actions necessary to fulfill a specific task within the system.; column 8, lines 5-7 of Buehler].  
Kahn and Buehler are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kahn to incorporate the teachings of Buehler since both systems provides a role-based access control to resources based on a role of the organization in the enterprise computer system. The motivation to do so is to define a super role by grouping a set of role instances and provide a highest level in a hierarchical data domain, root, includes all permissible actions necessary to fulfill a specific task within the system (obvious to one skilled in the art, Buehler, Abstract).

Regarding claim 20, Kahn discloses the limitation 16 above. However, Kahn does not appear to explicitly discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user; and the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values. 
However, Buehler discloses that the receiving, via the authorization service user interface (UI), the selection input of the organizational role is a root user [Hierarchical tree 10 shows in a highest level a resource called "root". … In general, a role type is defined based on a set of actions that are permitted to be carried out by a user or a group of users assigned to role instances of that role type.; column 6, line 61- column 7, line 8 of Buehler]; and 
the receiving, via the authorization service user interface (UI), selection input of permissions for fine-grained role-based access by the root user includes permissions to access all asset types and asset values [Therefore, it is possible that one super role contains all permissible actions necessary to fulfill a specific task within the system.; column 8, lines 5-7 of Buehler].
Kahn and Buehler are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kahn to incorporate the teachings of Buehler since both systems provides a role-based access control to resources based on a role of the organization in the enterprise computer system. The motivation to do so is to define a super role by grouping a set of role instances and provide a highest level in a hierarchical data domain, root, includes all permissible actions necessary to fulfill a specific task within the system (obvious to one skilled in the art, Buehler, Abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571) 272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/J.Y./Examiner, Art Unit 2496                                                                                                                                                                                                        

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496