Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 05/11/2022; Claims 2, 10, and 18 were canceled; Claims 1, 3, 5-7, 9, 11, 13-15, 17, and 19-20 have been amended; Claims 21-23 have been added. Claims 1, 9, and 17 are independent claims.  Claims 1, 3, 5-7, 9, 11, 13-15, 17, 19-20, and 21-23 have been examined and are pending. 
Authorization for this Examiner's Amendment was given in a telephone interview with Applicant's representative, Mr. IPPOLITO, DOMENICO (Reg. No. 66058), who agreed and authorized the Examiner to amend claims 1, 9, and 17; cancel claims 8 and 16; and add new claims 24-25.
Examiner’s Amendments
Claims
Claims 1-23 are replaced as follows:
1. (Currently Amended) A method comprising:
receiving, by a cloud computing environment from a client, a request to access an application executing in the cloud computing environment, the request encapsulating an X.509 certificate;
translating the X.509 certificate into an authorization graph descriptor, wherein the authorization graph descriptor is an abstract, hierarchical and stable authorization identifier for a single leaf node of a certificate authorization graph to be matched against authorization requirements for incoming requests;
traversing [[a]] the certificate authorization graph using the authorization graph descriptor to identify a match within a certificate repository;
requesting, in response to the identification of the match, an access token including the authorization graph descriptor; and
encapsulating the access token in the request and forwarding the request to an authentication service which provides access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements.
2.	(Canceled) 
3.	(Previously Presented) The method of claim 1, wherein the request is on a Transport Level Security (TLS) layer.
4.	(Original) The method of claim 1, wherein the translating comprises: constructing a runtime object as a rooted directed graph to translate the certificate into an abstract representation.
5.	(Previously Presented) The method of claim 1 further comprising: caching a copy of the access token in a certificate authorization component.
6.	(Previously Presented) The method of claim 5, wherein the received request is enhanced with the cached copy of the access token and proxied to an endpoint executing business logic.
7.	(Previously Presented) The method of claim 6, wherein the access token comprises an abstraction of the pre-defined authorization requirements for use by the business logic executing on the endpoint.
8.	(Canceled) 
9.	(Currently Amended) A system comprising:
at least one data processor; and
memory storing instructions which, when executed by the at least one data processor, result in operations comprising:
receiving, by a cloud computing environment from a client, a request to access an application executing in the cloud computing environment, the request encapsulating an X.509 certificate;
translating the X.509 certificate into an authorization graph descriptor, wherein the authorization graph descriptor is an abstract, hierarchical and stable authorization identifier for a single leaf node of a certificate authorization graph to be matched against authorization requirements for incoming requests;
traversing [[a]] the certificate authorization graph using the authorization graph descriptor to identify a match within a certificate repository;
requesting, in response to the identification of the match, an access token including the authorization graph descriptor; and
encapsulating the access token in the request and forwarding the request to an authentication service which provides access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements.
10.	(Canceled) 
11.	(Previously Presented) The system of claim 9, wherein the request is on a Transport Level Security (TLS) layer.
12.	(Original) The system of claim 9, wherein the translating comprises: constructing a runtime object as a rooted directed graph to translate the certificate into an abstract representation.
13.	(Previously Presented) The system of claim 12, wherein the operations further comprise: caching a copy of the access token in a certificate authorization component.
14.	(Previously Presented) The system of claim 13, wherein the received request is enhanced with the cached copy of the access token and proxied to an endpoint executing business logic.
15.	(Previously Presented) The system of claim 14, wherein the access token comprises an abstraction of the pre-defined authorization requirements for use by the business logic executing on the endpoint.
16.	(Canceled) 
17.	(Currently Amended) A non-transitory computer program product storing instructions which, when executed by at least one computing device, result in operations comprising:
receiving, by a cloud computing environment from a client, a request to access an application executing in the cloud computing environment, the request encapsulating an X.509 certificate;
translating the X.509 certificate into an authorization graph descriptor, wherein the authorization graph descriptor is an abstract, hierarchical and stable authorization identifier for a single leaf node of a certificate authorization graph to be matched against authorization requirements for incoming requests;
traversing [[a]] the certificate authorization graph using the authorization graph descriptor to identify a match within a certificate repository;
requesting, in response to the identification of the match, an access token including the authorization graph descriptor; and
encapsulating the access token in the request and forwarding the request to an authentication service which provides access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements.
18.	(Canceled) 
19.	(Previously Presented) The non-transitory computer program product of claim 17, wherein the operations further comprise:
constructing a runtime object as a rooted directed graph to translate the certificate into an abstract representation; and
caching a copy of the access token in a certificate authorization component.
20.	(Previously Presented) The non-transitory computer program product of claim 19, wherein the received request is enhanced with the cached copy of the access token and proxied to an endpoint executing business logic.
21.	(Previously Presented) The non-transitory computer program product of claim 17, wherein the certificate authorization graph comprises a root layer corresponding to the application.
22.	(Previously Presented) The non-transitory computer program product of claim 17, wherein the certificate authorization graph comprises an intermediate layer with nodes corresponding to a plurality of tenants.
23.	(Previously Presented) The non-transitory computer program product of claim 22, wherein the certificate authorization graph comprises a second intermediate layer with nodes corresponding to a plurality of clients.
24.	(New) The system of claim 9, wherein the certificate authorization graph comprises a root layer corresponding to the application.
25.	(New) The system of claim 9, wherein the certificate authorization graph comprises an intermediate layer with nodes corresponding to a plurality of tenants.
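The claimed flow modeled end to end, as an added illustration that is not the applicant's or examiner's code: the graph data, the OU/O/CN-to-descriptor mapping, and the HMAC token key are constructed assumptions for the demo, and only the matching logic of the claims is shown.

```python
import hashlib
import hmac
import json

# Constructed certificate authorization graph (demo data, not the patent's):
# root = the application, first intermediate layer = tenants, second = clients.
GRAPH = {
    "app:billing": {"tenant:acme", "tenant:globex"},
    "tenant:acme": {"client:reporting", "client:batch"},
    "tenant:globex": {"client:reporting"},
    "client:reporting": set(),
    "client:batch": set(),
}
TOKEN_KEY = b"constructed-demo-key"  # placeholder; a real service uses a managed key

def translate(subject):
    """X.509 subject fields -> descriptor; OU=app, O=tenant, CN=client is assumed."""
    return ("app:" + subject["OU"], "tenant:" + subject["O"], "client:" + subject["CN"])

def traverse(descriptor, graph=GRAPH, root="app:billing"):
    """Match only if every hop is an edge from the root and the last node is a leaf."""
    if descriptor[0] != root:
        return False
    for parent, child in zip(descriptor, descriptor[1:]):
        if child not in graph.get(parent, ()):
            return False
    return not graph.get(descriptor[-1])  # a leaf has no outgoing edges

def request_token(descriptor):
    """Issue an access token carrying the descriptor (HMAC-signed JSON body)."""
    body = json.dumps({"agd": "/".join(descriptor)}, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()

def authenticate(token, requirements):
    """Authentication service: verify the token, then match its descriptor against requirements."""
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False
    expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and json.loads(body)["agd"] in requirements

def handle_request(subject, requirements):
    """The claimed pipeline end to end; True when the authentication service grants access."""
    descriptor = translate(subject)
    if not traverse(descriptor):
        return False  # no match in the certificate authorization graph
    return authenticate(request_token(descriptor), requirements)
```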

Examiner's Statement of Reasons for Allowance
Claims 1, 3-7, 9, 11-15, 17, 19-23, and 24-25 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to a method, system, and non-transitory computer program product that involve receiving a request from a client. The request relates to access of an application executing in the cloud computing environment and it encapsulates a certificate. This certificate is then translated into an authorization graph descriptor which, in turn, is used to traverse a certificate authorization graph to identify a match within a certificate repository. In response to the identification of the match, an access token is requested including the authorization graph descriptor. The access token is then encapsulated in the request, which is then forwarded to an authentication service that provides access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements.
The closest prior art, Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017), Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and BAR-EL et al. (“BAR-EL,” US 2013/0305392, published Nov. 14, 2013), is generally directed to various aspects of receiving, by a cloud computing environment from a client, a request to access an application executed in the cloud computing environment. The request is configured to encapsulate a certificate. The certificate is translated into an authorization graph descriptor. A certificate authorization graph is traversed using the authorization graph descriptor to identify a match within a certificate repository. An access token including the authorization graph descriptor is requested in response to the identification of the match. The access token is encapsulated in the request and the request is forwarded to an authentication service which is configured to provide access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements.
However, none of Wu, Bocanegra, Narayanan, Carter, and BAR-EL teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims 1, 9, and 17. For example, they fail to teach “translating the X.509 certificate into an authorization graph descriptor, wherein the authorization graph descriptor is an abstract, hierarchical and stable authorization identifier for a single leaf node of a certificate authorization graph to be matched against authorization requirements for incoming requests;” and “requesting, in response to the identification of the match, an access token including the authorization graph descriptor; and encapsulating the access token in the request and forwarding the request to an authentication service which provides access to the application if there is a match of the authorization graph descriptor against pre-defined authorization requirements”.
These features, in light of the other features of independent claims 1, 9, and 17 considered as a whole, are allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached Monday-Friday, 6:00 AM-3:30 PM, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Canh Le/
Examiner, Art Unit 2439
July 13th, 2022


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439