Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the amendment filed on 03/15/2022; Claims 1, 8, and 15 have been amended; and claims 1, 8, and 15 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Response to Arguments
Applicants’ arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-7, 8, 13-14, 15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (“Roth’749,” US 9,083,749, published Jul. 14, 2015), in view of Roth et al. (“Roth’001,” US 9,854,001, published Dec. 26, 2017), further in view of Crew et al. (“Crews,” US 7,496,191, published Feb. 24, 2009).
Regarding claim 1, Roth’749 discloses an access management system for providing access to computing environments based on a multi-environment policy, the system comprising: 
one or more processors (Roth’749: fig. 5, Col. 9, lines 32-37); and 
one or more computer storage media (Roth’749: fig. 5, Col. 10, lines 24-29), storing computer-useable instructions that, when used by the one or more processors, cause the one or more processors to execute: 
an access control manager configured for: 
receiving request values of a request associated with a computing environment, wherein the computing environment is associated with a multi-environment policy (Roth’749: abstract, allow request to access these resources or services when those requests satisfy at least one security policy associated with the customer; Col. 8, lines 4-13, The policy evaluation engine can also determine information 408 such as the source of the request, an identifier of a user associated with the request, information about the customer account tied to the resources for the request, or other such information. Based at least in part upon the version or representation for the request, and any relevant identifying information, a determination can be made 410 as to determine the appropriate security policy and whether a representation of the security policy that is supported by the evaluation engine is available. In at least some embodiments, this can include a parameterized matching function that analyzes various parameters to determine whether a policy representation matches the request),
based on the request values, determining whether the request is for an appropriate policy (Roth’749: Col. 8, lines 4-13, The policy evaluation engine can also determine information 408 such as the source of the request, an identifier of a user associated with the request, information about the customer account tied to the resources for the request, or other such information. Based at least in part upon the version or representation for the request, and any relevant identifying information, a determination can be made 410 as to determine the appropriate security policy and whether a representation of the security policy that is supported by the evaluation engine is available. In at least some embodiments, this can include a parameterized matching function that analyzes various parameters to determine whether a policy representation matches the request), computing environments associated with parameters of access vectors (Roth’749: fig. 2, Col. 5, lines 28-31, two different sub-environments 210, 218 of the distributed environment; Col. 8, lines 4-13), wherein the request values correspond to policy parameters of the multi-environment policy (Roth’749: Col. 8, lines 4-13); 
based on the multi-environment policy, communicating approval-request parameters of an approval-request to receive approval-request response values (Roth’749: fig. 4, step 414, Col. 8, lines 12-16, parameterized matching function that analyze various parameters to determine whether a policy representation matches the request) wherein the approval-request parameters are associated with the computing environments  (Roth’749:  fig. 2, computing environment (210), computing environment (218); Col. 5, lines 28-31 two different sub-environments 210, 218 of the distributed environment), wherein the approval-request parameters are defined based on access vectors (Roth’749:  fig. 2, computing environment (210), computing environment (218); Col. 5, lines 28-31 two different sub-environments 210, 218 of the distributed environment);
receiving the approval-request response values for the approval-request (Roth’749: Col. 8, lines 25-29, Based at least in part upon the analysis, the request can be allowed 418 if at least one representation is determined to explicitly allow access, or denied 420 if none of the representations allow access); and 
based on receiving the approval-request response values, communicating a request response indicating approval or denial of the request (Roth’749: Col. 8, lines 25-29, Based at least in part upon the analysis, the request can be allowed 418 if at least one representation is determined to explicitly allow access, or denied 420 if none of the representations allow access).
Roth’749 discloses receiving request values of a request associated with a computing environment, wherein the computing environment is associated with a multi-environment policy but does not explicitly disclose wherein the multi-environment policy is configurable to define rules for approving access to provider-controlled computing environments and customer-controlled computing environments.
However, in an analogous art, Roth’001 discloses
wherein the multi-environment policy is configurable to define rules for approving access to provider-controlled computing environments and customer-controlled computing environments (Roth’001: Col. 2, lines 30-42; … a computing environment maintains policies that, when applicable to requests for access to computing resources are evaluated to determine whether to fulfill the requests. In some examples, the policies are maintained by a service provider (e.g., computing resource service provider, as discussed in more detail below) that maintains a plurality of customer accounts. One or more may be maintained for each of at least some of the customers to control access to resources hosted by the service provider on behalf of the customers; Col. 4, lines 63 to Col. 5, line 8, user 102 may be an employee of the customer. The user 102 may be an administrator).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Roth’001 with the method and system of Roth’749 to include wherein the multi-environment policy is configurable to define rules for approving access to provider-controlled computing environments and customer-controlled computing environments. One would have been motivated to enable the control over visibility to policies in a system that enforces the policies as part of its access control (Roth’001).
The combination of Roth’749 and Roth’001 discloses receiving request values of a request associated with a computing environment, wherein the computing environment is associated with a multi-environment policy, wherein the multi-environment policy is configurable to define rules for approving access to provider-controlled computing environments and customer-controlled computing environments but does not explicitly disclose wherein the rules are defined based on access vectors having grouped computing environment aspects for control and visibility associated with provider parameters and customer parameters for accessing selected computing environments.
However, in an analogous art, Crews discloses wherein the rules are defined based on access vectors having grouped computing environment aspects for control and visibility associated with provider parameters and customer parameters for accessing selected computing environments (Crews: fig. 2, Col. 12; lines 20-33, These entities might be the service provider itself, the customer, and a third-party vendor, which, in FIG. 2, might correspond to roles 262, 264, and 266, respectively. A rule stating that the service provider is always allowed access to data in the customer data category might correspond to rule 231 stating that role 262 is always allowed access to data category 200. A rule stating that the customer is allowed access to data in the customer data category only with the permission of the service provider might correspond to rule 233 stating that role 264 is allowed access to data category 200 only with the permission of the service provider….).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Crews with the method and system of Roth’749 and Roth’001 to include “wherein the rules are defined based on access vectors having grouped computing environment aspects for control and visibility associated with provider parameters and customer parameters for accessing selected computing environments.” One would have been motivated to manage the privacy rules that restrict access to customer data (Crews: Col. 1, lines 24-27).
Regarding claim 6, the combination of Roth’749, Roth’001, and Crews discloses the system of claim 1. Roth’001 further discloses, further comprising an approval manager configured for: generating a graphical user interface for monitoring access provisioning operations based on the grouped computing environment aspects for control and visibility associated with accessing the computing environments (Roth’001: Col. 2, lines 44-54; Col. 16, line 53-56, The console interface may be a graphical user interface (GUI) with various GUI controls that allow users to perform various actions in connection with the management of policy; Col. 28, lines 34-50).
Regarding claim 7, the combination of Roth’749, Roth’001, and Crews discloses the system of claim 1.  The combination of Roth’749, Roth’001, and Crews further discloses, further comprising an approval manager configured for:
based on the approval-request parameters, receiving approval-request response values (Roth’749: Col. 8, lines 25-29), where the approval response values include one or more of the following:
a first value to approve or deny the approval-request (Roth’749: Col. 8, lines 25-29);
a second value to selectively reduce or expand the scope of the approval request; and 
a third value to indicate a request for human intervention for identifying additional values for one or more approval-request parameters.
Regarding claim 8, claim 8 is directed to one or more computer storage media (Roth’749: Col. 9, lines 37-41; Roth’001: Col. 40, lines 4-8) having computer-executable instructions embodied thereon that, when executed, by one or more processors, cause the one or more processors to perform a method for providing access to computing environments based on a multi-environment policy associated with the method claimed in claim 1; claim 8 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 14, claim 14 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is directed to a computer-implemented method for providing access to computing environments based on a multi-environment policy associated with the method claimed in claim 1; claim 15 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (“Roth’749,” US 9,083,749, published Jul. 14, 2015), in view of Roth et al. (“Roth’001,” US 9,854,001, published Dec. 26, 2017), further in view of Crew et al. (“Crews,” US 7,496,191, published Feb. 24, 2009), and Gebremariam et al. (“Gebremariam,” US 10,025,813, published Jul. 17, 2018).

Regarding claim 2, the combination of Roth’749, Roth’001, and Crews discloses the system of claim 1. The combination of Roth’749, Roth’001, and Crews further discloses comprising an access management interface (Roth’001: Col. 2, lines 44-54; Col. 16, line 53-56) configured for:
receiving the request for access to the computing environment based on request parameters, wherein the request parameters are based on the rules associated with the multi-environment policy (Roth’001: Col. 2, lines 30-42; Crews: fig. 2,  Col. 12; lines 20-33), wherein the access management interface includes graphical user interface elements associated with the access vectors (Roth’001: Col. 2, lines 44-54; Col. 16, line 53-56, The console interface may be a graphical user interface (GUI) with various GUI controls that allow users to perform various actions in connection with the management of policy; Col. 28, lines 34-50); 
communicating the request to the access control manager (Roth’001: Col. 5, lines 21-31); and 
receiving the request response comprising one or more approval-request response values, wherein the request response indicates approval or denial of access to the provider-controlled computing environment or the customer-controlled computing environment (Roth’001: Col. 5, lines 21-31, … in the form of a web service response to a computing device of the user 102. In this illustrative example, a visibility restriction on Policy 2 prevents the user 102 from obtaining information about the existence of Policy 2).
Roth’001 discloses wherein the policy parameters are based on the rules that are configured based on the access vectors, and wherein the multi-environment policy is implemented based on submitted request values of requests for access to computing environments but does not explicitly disclose receiving policy values of the policy parameters of multi-environment policy; communicating the policy values to cause generation of the multi-environment policy.
However, in an analogous art, Gebremariam discloses 
receiving policy values of the policy parameters of multi-environment policy (Gebremariam: Col. 12, lines 35-42, …Each policy parameter value of the plurality of policy parameter values may have a predefined default value that may be used when a user does not specify a value for the policy parameter using the fourth indicator. Each policy parameter value may be received using a separate indicator. For illustration, Table I below includes the plurality of policy parameter values in accordance with an example embodiment); 
communicating the policy values to cause generation of multi-environment policy (Gebremariam: Col. 12, lines 35-42).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gebremariam with the method and system of Roth’749, Roth’001, and Crews to include “receiving policy values of the policy parameters of multi-environment policy,” “communicating the policy values to cause generation of multi-environment policy”. One would have been motivated to provide analysis of distributed data and grouping of variables in support of analytics (Gebremariam: Col. 1, lines 47-48).
Regarding claim 9, claim 9 is similar in scope to claim 2, and is therefore rejected under similar rationale.



Claims 3, 10, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (“Roth’749,” US 9,083,749, published Jul. 14, 2015), in view of Roth et al. (“Roth’001,” US 9,854,001, published Dec. 26, 2017), further in view of Crew et al. (“Crews,” US 7,496,191, published Feb. 24, 2009), and Bermudez et al. (“Bermudez,” US 2020/0074520, published Mar. 5, 2020).
Regarding claim 3, the combination of Roth’749, Roth’001, and Crews discloses the system of claim 1.  Roth’001 discloses the access control manager but does not explicitly disclose comprising programmed instructions that define integrated access provisioning operations for combined provisioning of access to provider-controlled computing environments and customer-controlled computing environment, wherein the integrated access provisioning operations are based on a subscription classification that identifies a controlling subscriber of an identified computing environment. 
However, in an analogous art, Bermudez discloses wherein operations are based on a subscription classification that identifies a controlling subscriber of an identified computing environment (Bermudez: par. 0031, the different groups of customers include different group identifiers, where each group identifier may be associated with customer identifiers that identify the customers in the group, third-party provider identifiers that identify the third-party providers offering the subscription, and/or subscription identifiers that identify the group-based subscriptions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bermudez with the method and system of Roth’749, Roth’001, and Crews to include wherein the access control manager comprises programmed instructions that define integrated access provisioning operations for combined provisioning of access to provider-controlled computing environments and customer-controlled computing environment, wherein the integrated access provisioning operations are based on a subscription classification that identifies a controlling subscriber of an identified computing environment. One would have been motivated to help in efficiently managing inventory, and predict revenue. The flexible, scalable, and intelligent subscription management platform is provided. The speed, and efficiency of the process is improved (Bermudez: abstract, par. 0001, 0014, 0048).
Regarding claim 10, claim 10 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 16, claim 19 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Claims 4, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (“Roth’749,” US 9,083,749, published Jul. 14, 2015), in view of Roth et al. (“Roth’001,” US 9,854,001, published Dec. 26, 2017), further in view of Crew et al. (“Crews,” US 7,496,191, published Feb. 24, 2009), and Buchholz et al. (“Buchholz,” US 2014/0181448, published Jun. 26, 2014).
Regarding claim 4, the combination of Roth’749, Roth’001, and Crews teaches the system of claim 1. The combination of Roth’749, Roth’001, and Crews discloses an access vector but does not explicitly disclose wherein an access vector includes a tag indicating a type of access to customer data associated with the access vector.
However, in an analogous art, Buchholz discloses wherein an access vector includes a tag indicating a type of access to customer data associated with the access vector (Buchholz: par. 00981, In another example, information contained in a tag may be used to establish access rights associated with a logical block that is written.  For example, suppose in the above example that the logical block is being written for the first time after being erased.  The tag may contain access rights information that may identify one or more entities that may access the block after the block is written.  Moreover, the tag may include information that may indicate a type of access (e.g., read, write, delete) that may be permitted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Buchholz with the method and system of Roth’749, Roth’001, and Crews to include wherein an access vector includes a tag indicating a type of access to customer data associated with the access vector. One would have been motivated to acquire the command issued by the entity to access the block in the storage device, associating the entity with the tag e.g. default tag, and storing the information associating the tag with the block in the storage device, thus performing tagging in an efficient manner (Buchholz: abstract).
Regarding claim 11, claim 11 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Claims 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Roth et al. (“Roth’749,” US 9,083,749, published Jul. 14, 2015), in view of Roth et al. (“Roth’001,” US 9,854,001, published Dec. 26, 2017), further in view of Crew et al. (“Crews,” US 7,496,191, published Feb. 24, 2009), and Ducray et al. (“Ducray,” US 2018/0227369, published Aug. 9, 2018).
Regarding claim 5, the combination of Roth’749, Roth’001, and Crews teaches the system of claim 1.  Roth’749, Roth’001, and Crews do not explicitly disclose wherein the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval. 
However, in an analogous art, Ducray discloses wherein the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval (Ducray: par. 0080, The cloud services infrastructure may include public, private, managed or hybrid cloud offerings and would include implementation of the appropriate network connectivity, including cloud provider firewall 436A, to support the traffic generated throughout the platform).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ducray with the method and system of Roth’749, Roth’001, and Crews to include the grouped computing environment aspects explicitly expose a security boundary construct based on enumerated values of the grouped computing environment aspects to support informed and isolated access approval. One would have been motivated to utilize an operational decision management (ODM) module to permit automation of business decisions without compromising accuracy and effectiveness of decisions, and allows definition, documentation, implementation, change and governance of repeatable decisions made during business operations (Ducray: abstract, par. 0081).
Regarding claim 12, claim 12 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
July 5th, 2022


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439