DETAILED ACTION
Claims 1-20 are pending in this action.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma (US PGPUB No. 2013/0067598) in view of Dumont et al. (US Patent No. 9,286,482) [hereinafter “Dumont”].

As per claim 1, Da Palma teaches a method for managing access by end-users to features of an application (Abstract, sentry component controlling access to application feature and commands by end-users), the method comprising: receiving, from an application provider, a first policy ([0006], receiving end-user license agreement (EULA), i.e. policy); receiving, from the application provider, a first selection of a first feature of an application ([0020], receiving configuration commands directed to web services residing on computing appliance, i.e. application); linking, in response to the first selection, the first policy to the first feature ([0020], linking acceptance of EULA to unlocking of particular features of web services and capabilities of computing appliance); creating a first rule that requires acceptance of the first policy in order to obtain access to the first feature ([0045], requirements, i.e. rules, whereby the EULA must be accepted to unlock particular commands and features); and executing the first rule, via an API manager for the application, such that access by a first end-user to the first feature is enabled only if the first policy is accepted by the first end-user (Abstract, software application launches network interface for user to review and accept end user license agreement to make all configuration commands operational).
	Da Palma does not explicitly teach wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled. Dumont teaches wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled (Col. 3, lines 26-49, grouping users of a device and applications on the device wherein one user is associated to another based on access rights to features on the device and/or applications on the device).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma with the teachings of Dumont, wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled, to all application features to be shared by groups of users.
 
As per claim 3, the combination of Da Palma and Dumont teaches the method of claim 1, wherein the first end-user is associated with a device and access by another end-user to the first feature using the device is enabled when access by the first end-user to the first feature is enabled (Dumont; Col. 3, lines 30-40, when access to a feature on the device is enabled for a member of a group like a family, it will be enabled for all members of the group).

As per claim 8, the combination of Da Palma and Dumont teaches the method of claim 1, further comprising receiving, from the application provider, a selection indicating that acceptance of the first policy is mandatory in order to access the service (Da Palma; [0047], indication requiring acceptance of license agreement before selected command can be accessed).

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Dumont in view of Studer et al. (CA 3066238 A1) [hereinafter “Studer”].

As per claim 2, the combination of Da Palma and Dumont teaches the method of claim 1.
The combination of Da Palma and Dumont does not explicitly teach presenting, to the application provider, a user interface for inputting a plurality of text; receiving, via the user interface, a first textual content that corresponds to the first policy; and storing an editable version of the first textual content until final approval of the first policy is received from the application provider. Studer teaches presenting, to the application provider, a user interface for inputting a plurality of text ([0003], integrated user interface for requesting, examining and storing rulesets in a repository); receiving, via the user interface, a first textual content that corresponds to the first policy ([0003], requesting and storing rulesets in the repository); and storing an editable version of the first textual content until final approval of the first policy is received from the application provider ([0004], rulesets can be labeled “draft” which indicates it is still being edited).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Dumont with the teachings of Studer, presenting, to the application provider, a user interface for inputting a plurality of text; receiving, via the user interface, a first textual content that corresponds to the first policy; and storing an editable version of the first textual content until final approval of the first policy is received from the application provider, to allow for registering and updating versions of the terms provided to end-users which reflects current concerns and laws.

Claims 4, 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Dumont in further view of Yang et al. (US PGPUB No. 2020/0396058) [hereinafter “Yang”].

As per claim 4, the combination of Da Palma and Dumont teaches the method of claim 1.
The combination of Da Palma and Dumont does not explicitly teach wherein the first policy includes a consent to permit access of a specific data resource associated with the first end-user by a third party external to the application provider. Yang teaches wherein the first policy includes a consent to permit access of a specific data resource associated with the first end-user by a third party external to the application provider ([0010]-[0011], user consent to access personal data).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Dumont with the teachings of Yang, wherein the first policy includes a consent to permit access of a specific data resource associated with the first end-user by a third party external to the application provider, to efficiently tie together consents to personal data to application functions that might require such access.

As per claim 5, the combination of Da Palma, Dumont and Yang teaches the method of claim 4, wherein the first policy further includes an attribute that indicates whether the consent is recurring (Yang; [0010], requiring user consent on a daily basis depending on request).

As per claim 7, the combination of Da Palma, Dumont and Yang teaches the method of claim 4, wherein the first policy further includes an attribute that indicates an action that may be taken with respect to the specific data resource (Yang; [0104], policy requires user permission to use user information while providing a service).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Da Palma, Dumont and Yang in further view of Karjala et al. (US PGPUB No. 2009/0271847) [hereinafter “Karjala”].

As per claim 6, the combination of Da Palma, Dumont and Yang teaches the method of claim 4.
The combination of Da Palma, Dumont and Yang does not explicitly teach wherein the first policy further uses an HTTP authorization header to permit access of the specific data. Karjala teaches wherein the first policy further uses an HTTP authorization header to permit access of the specific data ([0071], putting access information in an HTTP authorize header for accessing data, i.e. photos).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma, Dumont and Yang with the teachings of Karjala, wherein the first policy further uses an HTTP authorization header to permit access of the specific data, to use well known HTTP protocol features to elicit access authorization.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Da Palma and Dumont in further view of Gomez et al. (US PGPUB No. 2008/0141339) [hereinafter “Gomez”].

As per claim 9, the combination of Da Palma and Dumont teaches the method of claim 8, as well as requiring acceptance of the first policy in order to enable access to the first feature ([0045], requirements, i.e. rules, whereby the EULA must be accepted to unlock particular commands and features).
The combination of Da Palma and Dumont does not explicitly teach transmitting a signal to the API manager to create an XACML policy. Gomez teaches transmitting a signal to the API manager to create an XACML policy ([0066], creating an XACML policy combined with the policy rule requiring acceptance of a EULA before unlocking features - taught in Da Palma see above citation – a creation signal would be generated at some point).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Dumont with the teachings of Gomez, transmitting a signal to the API manager to create an XACML policy, to provide further standardized tools for transferability of policies and ease of use.

Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Dumont in view of Grigera (US PGPUB No. 2018/0203984) [as cited in IDS dated 6/30/2020].

As per claim 10, the combination of Da Palma and Dumont teaches the method of claim 1.
The combination of Da Palma and Dumont does not explicitly teach receiving, from the application provider, a second policy and a third policy; receiving, from the application provider, a second selection of a second feature of the first application; linking, in response to the second selection, the second policy and the third policy to the second feature; creating a second rule that requires acceptance of both the second policy and the third policy in order to obtain access to the second feature; and executing the second rule, via the API manager, such that access by the first end- user to the second feature is enabled only if the second policy and third policy are accepted by the first end-user. Grigera teaches receiving, from the application provider, a second policy and a third policy ([0029], receiving requirements for user permissions for a particular feature or features of an application, i.e. permissions are policies); receiving, from the application provider, a second selection of a second feature of the first application (Abstract, permissions and consents can be linked to more than one feature of the application); linking, in response to the second selection, the second policy and the third policy to the second feature ([0029], linking multiple “core” capabilities or features to allow a particular functionality); creating a second rule that requires acceptance of both the second policy and the third policy in order to obtain access to the second feature ([0029], obtaining the permissions collectively as a requirement, i.e. rule); and executing the second rule, via the API manager, such that access by the first end-user to the second feature is enabled only if the second policy and third policy are accepted by the first end-user ([0029], access to functionality is only permitted if consent/permission is given to the capabilities and features).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Dumont with the teachings of Grigera, receiving, from the application provider, a second policy and a third policy; receiving, from the application provider, a second selection of a second feature of the first application; linking, in response to the second selection, the second policy and the third policy to the second feature; creating a second rule that requires acceptance of both the second policy and the third policy in order to obtain access to the second feature; and executing the second rule, via the API manager, such that access by the first end-user to the second feature is enabled only if the second policy and third policy are accepted by the first end-user, to provide customizable consent management for varying applications with different functions and capabilities.

As per claim 11, the combination of Da Palma, Dumont and Grigera teaches the method of claim 10, further comprising: receiving, from the first end-user, a request to access the first feature and the second feature (Grigera; [0029]-[0030], user requests to use one of many functionalities); determining the first end-user has accepted the first policy and rejected the second policy (Grigera; [0055], [0056] and [0058], all permissions are checked before access is given to user for all requested functions); automatically presenting to the first end-user, in response to the determination, the second policy (Grigera; [0062], prompting user for consent when a functionality is requested); receiving a rejection of the second policy (Grigera; [006] and [0062], if consent is not given); and automatically enabling access by the first end-user to the first feature and denying access to the second feature (Grigera; [0056] and [0060], functionality will be provided if all required consents have been obtained, otherwise it will not be provided).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Da Palma in view of Miltonberger et al. (WO-2005086681-A2) [hereinafter “Miltonberger”].

As per claim 12, Da Palma teaches a system for managing access by end-users to features of an application (Abstract, sentry component controlling access to application feature and commands by end-users), the system comprising: a processor; machine-readable media including instructions which, when executed by the processor, cause the processor to: receive, from the application provider, a first selection of a first feature of an application ([0020], receiving configuration commands directed to web services residing on computing appliance, i.e. application); link, in response to the first selection, the first policy to the first feature ([0020], linking acceptance of EULA to unlocking of particular features of web services and capabilities of computing appliance); create a first rule that requires acceptance of the first policy in order to obtain access to the first feature ([0045], requirements, i.e. rules, whereby the EULA must be accepted to unlock particular commands and features); and execute the first rule, via an API manager for the application, such that access by the first end-user to the first feature is enabled only if the first policy is accepted by the first end-user (Abstract, software application launches network interface for user to review and accept end user license agreement to make all configuration commands operational).
Da Palma does not explicitly teach determine a country of a first end-user; receive, from an application provider, a first policy based on the country of the first end-user. Miltonberger teaches determine a country of a first end-user (Page 16, lines 25-30, determining country user is located in); receive, from an application provider, a first policy based on the country of the first end-user (Page 16, lines 5-12, one or more polices applied by gaming application based on user’s location, i.e. country see Page 16, lines 28-30) see also (Page 2, lines 22-25, server application and client application work are in communication to implement all policies).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma with the teachings of Miltonberger, determine a country of a first end-user; receive, from an application provider, a first policy based on the country of the first end-user, to tailor access rights based on differences in commerce and governmental zones.

Claims 13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Miltonberger in view of Grigera.

As per claim 13, the combination of Da Palma and Miltonberger teaches the system of claim 12.
The combination of Da Palma and Miltonberger does not explicitly teach wherein the instructions further cause the processor to: generate a user profile for the first end-user of the application; receive, from the first end-user, a request to access the first feature; determine there is no record of first end-user accepting the first policy; automatically present to the first end-user, in response to the determination, the first policy; receive an acceptance of the first policy by the first end-user; and enable access of the first end-user to the first feature. Grigera teaches wherein the instructions further cause the processor to: generate a user profile for the first end-user of the application ([0032], user consents and permissions are stored by the system – since the consents are inherently associated with the user, this is considered a “user profile”); receive, from the first end-user, a request to access the first feature (Abstract, request for a function by user); determine there is no record of first end-user accepting the first policy (Abstract, determining there is no consent stored in the system); automatically present to the first end-user, in response to the determination, the first policy (Abstract, prompting user for consent); receive an acceptance of the first policy by the first end-user (Abstract, receiving consent); and enable access of the first end-user to the first feature (Abstract, allowing function).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Miltonberger with the teachings of Grigera, wherein the instructions further cause the processor to: generate a user profile for the first end-user of the application; receive, from the first end-user, a request to access the first feature; determine there is no record of first end-user accepting the first policy; automatically present to the first end-user, in response to the determination, the first policy; receive an acceptance of the first policy by the first end-user; and enable access of the first end-user to the first feature, to provide customizable consent management for varying applications with different functions and capabilities.
As per claim 16, the combination of Da Palma, Miltonberger and Grigera teaches the system of claim 13, wherein the instructions further cause the processor to: receive, from the application provider, a modification to the first policy (Grigera; [0038], new version of application includes updated consent requirements); and automatically disable access of the first end-user to the first feature until the modified first policy has been accepted by the first end-user (Grigera; [0038], new consents are required for use of functionality – see abstract).

Claims 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Miltonberger in view of Dumont.

As per claim 14, the combination of Da Palma and Miltonberger teaches the system of claim 12.
The combination of Da Palma and Miltonberger does not explicitly teach wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled. Dumont teaches wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled (Col. 3, lines 26-49, grouping users of a device and applications on the device wherein one user is associated to another based on access rights to features on the device and/or applications on the device).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Miltonberger with the teachings of Dumont, wherein the first end-user is associated with a second end-user and access by the second end-user to the first feature is enabled when access by the first end-user to the first feature is enabled, to all application features to be shared by groups of users.

As per claim 15, the combination of Da Palma and Miltonberger teaches the system of claim 12.
The combination of Da Palma and Miltonberger does not explicitly teach wherein the first end-user is associated with a device and access by another end-user to the first feature using the device is enabled when access by the first end-user to the first feature is enabled. Dumont teaches wherein the first end-user is associated with a device and access by another end-user to the first feature using the device is enabled when access by the first end-user to the first feature is enabled (Col. 3, lines 30-40, when access to a feature on the device is enabled for a member of a group like a family, it will be enabled for all members of the group).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Miltonberger with the teachings of Dumont, wherein the first end-user is associated with a device and access by another end-user to the first feature using the device is enabled when access by the first end-user to the first feature is enabled, to all application features to be shared by groups of users.

Claims 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Da Palma in view of Grigera.

As per claim 17, Da Palma teaches a non-transitory computer-readable medium storing software comprising instructions executable by at least one processor which, upon such execution, cause the at least one processor to: present the first policy to the corresponding end-user ([0021], policy is displayed to the user for acceptance) by: receiving, from an application provider, a first selection of a first feature of an application ([0020], receiving configuration commands directed to web services residing on computing appliance, i.e. application), linking, in response to the first selection, the first policy to the first feature ([0020], linking acceptance of EULA to unlocking of particular features of web services and capabilities of computing appliance), creating a first rule that requires acceptance of the first policy in order to obtain access to the first feature ([0045], requirements, i.e. rules, whereby the EULA must be accepted to unlock particular commands and features), and executing the first rule, via an API manager for the application, such that access by the corresponding end-user to the first feature is enabled only if the first policy is accepted by the corresponding end-user (Abstract, software application launches network interface for user to review and accept end user license agreement to make all configuration commands operational).
	Da Palma does not explicitly teach receive a document including a list of policies and their acceptance status with respect to a group of end-users; process the list of policies to determine a first policy in need of a response for which a corresponding end-user exists. Grigera teaches receive a document including a list of policies and their acceptance status with respect to a group of end-users (Examiner Note: a document and a list is interpreted to be generic forms of a collection of data or information and is considered nonfunctional descriptive material which is not given patentable weight see MPEP 2111.05) ([0032], all policies/rules are stored with consent status, i.e. acceptance status) also ([0036], these are associated with one or more users by their first or last name); process the list of policies to determine a first policy in need of a response for which a corresponding end-user exists (Abstract, determining from the stored information that a consent from user for accessing a particular feature has not been obtained and is needed for access).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma with the teachings of Grigera, receive a document including a list of policies and their acceptance status with respect to a group of end-users; process the list of policies to determine a first policy in need of a response for which a corresponding end-user exists, to track and log the status of multiple users across a network thus centralizing management for ease and efficiency.

As per claim 19, the combination of Da Palma and Grigera teaches the non-transitory computer-readable medium storing software of claim 17, wherein the instructions further cause the at least one processor to output an output file including a result of the presenting the first policy (Da Palma; [0004] and [0022], printing policies that are displayed in user interface).

As per claim 20, the combination of Da Palma and Grigera teaches the non-transitory computer-readable medium storing software of claim 17, wherein the instructions further cause the at least one processor to store an acceptance status of the first policy in a policy content repository (Grigera; [0032] and [0033], storing consent along with rule, i.e. policy) see also (Grigera; [0043], consents can be stored in databases).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Da Palma and Grigera in view of Arnold et al. (US PGPUB No. 2004/0243692) [hereinafter “Arnold”].

As per claim 18, the combination of Da Palma and Grigera teaches the non-transitory computer-readable medium storing software of claim 17.
The combination of Da Palma and Grigera does not explicitly teach validate the list of policies to exclude incorrect and incomplete requests from the processing. Arnold teaches validate the list of policies to exclude incorrect and incomplete requests from the processing ([0027], validating submitted policies and excluding conversion of incorrect policies).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Da Palma and Grigera with the teachings of Arnold, validate the list of policies to exclude incorrect and incomplete requests from the processing, to ensure that the policies are correct and ready for processing.

Response to Arguments
Applicant’s arguments with respect to the rejection of claims 1-20 under 35 U.S.C. 103 have been considered but are moot because the new ground of rejection provide citations to new references as well as new portions of previously cited references.

To expedite prosecution, Examiner is open to conducting an after-final interview to discuss claim amendments to overcome the current rejection and/or place the application in condition for allowance.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Francis et al. (US PGPUB No. 2009/0327296), Glogau (WO 9825373 A2), Louie et al. (US PGPUB No. 2013/0211987), Nakamura et al. (JP 2018156312 A), Upadhyay et al. (US PGPUB No. 2020/0117824), Maler ("Extending the Power of Consent with User-Managed Access: A Standard Architecture for Asynchronous, Centralizable, Internet-Scalable Consent", IEEE, doi: 10.1109/SPW.2015.34, 2015, pp. 175-179) and Neisse et al. ("An agent-based framework for Informed Consent in the internet of things", IEEE, doi: 10.1109/WF-IoT.2015.7389154, 2015, pp. 789-794) all discuss obtaining consent from end-users before allowing access to application functionality and features. Lohn et al. (US PGPUB No. 2009/0070627), Hu et al. (US PGPUB No. 2012/0259970) and Liao et al. (CN-1249590-A) individually or combination also describe some of the new features introduced in the amendments dated 5/31/2022.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is (571)270-7179. The examiner can normally be reached Max Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PETER C SHAW/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        July 16, 2022