DETAILED ACTION
This office action is in response to the correspondence filed on 07/28/2020. This application is a continuation of 15384044 filed 12/19/2016 that has a provisional application PRO 62/427,725 filed 11/29/2016. Claim 1 is pending and is examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 07/28/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 10771468 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because the claim in the instant application is anticipated by the patented claims. The claim in the instant application is essentially the same while slightly broader in scope than the ones in the issued patent. The instant application has all the same elements of managing the access control of a resource using a role associated with a registered function and redacting a log, while the issued patent has the additional description of the execution code, as seen in the example below in claim 1 of the instant application and claim 1 of the issued patent.

Instant Application
1. A system, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a request at a gateway serving as a proxy to at least one resource in a resource provider environment, the request received from a client device and intended for an endpoint associated with the at least one resource;
determine a role associated with a first registered function, the role granting access to the at least one resource in the resource provider environment, the gateway and the first registered function associated with a first account, the at least one resource associated with a second account and accessible via the endpoint by the first registered function;
determine, by the first registered function using an access control list, to provide the request to the endpoint;
provide the request to the endpoint to access to the at least one resource;
store log data associated with the request in a first data store;
execute a second registered function on the log data, the second registered function triggered by the storing of the log data in the first data store;
redact the log data by the second registered function to generate redacted log data; and
store the redacted log data in a second data store accessible to the client device.

U.S. Patent No. 10771468 B1
1. A system, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a request at a gateway serving as a proxy to at least one resource in a resource provider environment, the request received from a client device and intended for an endpoint associated with the at least one resource;
determine a role for a first registered function comprising code for execution in the resource provider environment, the role having a set of permissions for limiting the first registered function and for granting access to the at least one resource in the resource provider environment, the gateway and the first registered function associated with a first account, the at least one resource associated with a second account and accessible via the endpoint by the first registered function;
determine, by the first registered function using an access control list, to provide the request to the endpoint;
provide the request to the endpoint to access to the at least one resource;
store log data associated with the request in a first data store;
execute a second registered function on the log data, the second registered function triggered by the storing of the log data in the first data store;
redact the log data by the second registered function to generate redacted log data; and
store the redacted log data in a second data store accessible to the client device.




Allowable Subject Matter
Claim 1 contains allowable subject matter but remains rejected under the nonstatutory double patenting rejection.
The following is an examiner’s statement of reasons for allowance:
Young et al. (US Pat. No. 8898272 B1) discloses processes to analyze and filter likely personally identifiable information (PII) from session records. While Young discloses that an intermediary system includes one or more data repositories for storing records, and that a data filtering system takes session data recorded by the intermediary system (e.g., query logs) and filters the session data to remove any personally identifiable information or other unwanted information, it fails to disclose receiving a request at a gateway to a resource at an endpoint, determining a role associated with a first registered function and the first registered function associated with a first account, the resource associated with a second account and accessible via the endpoint by the first registered function; determine, by the first registered function using an access control list, to provide the request to the endpoint; and redact log data associated with the request by a second registered function as described in the claim.
Scheifler et al. (US Pat. No. 6138238 A) discloses stack-based access control using code and executor identifiers. While Scheifler discloses a policy file that stores permissions for each of a plurality of functions that operate upon code during execution functions, the permissions authorizing types of access to a resource based on a source of the code and an executor of the code, it fails to disclose receiving a request at a gateway to a resource at an endpoint, determining a role associated with a first registered function and the first registered function associated with a first account, the resource associated with a second account and accessible via the endpoint by the first registered function; determine, by the first registered function using an access control list, to provide the request to the endpoint; and redact log data associated with the request by a second registered function as described in the claim.
Hu et al. (NPL-Guide to Attribute Based Access Control (ABAC) Definition and Considerations (Draft)) discloses using ABAC as an improvement for information sharing within organizations and between organizations while maintaining control of that information. Hu discloses that a method is needed to make access control decisions without previous knowledge of the object by the subject or knowledge of the subject by the object-owner (e.g. role-based access control (RBAC)). ABAC relies upon the evaluation of attributes of the subject, attributes of the object, and the formal relationship or access control rule or policy defining the allowable operations for subject-object attribute combinations. The model enables flexibility in a large enterprise where management of access control lists or roles and groups would be time consuming and complex. While Hu discloses that, by relying upon the concepts of subject and object attributes consistently defined between organizations, ABAC avoids the need for explicit authorizations to be directly assigned to individual subjects prior to a request to perform an operation on the object, it fails to disclose receiving a request at a gateway to a resource at an endpoint, determining a role associated with a first registered function and the first registered function associated with a first account, the resource associated with a second account and accessible via the endpoint by the first registered function; determine, by the first registered function using an access control list, to provide the request to the endpoint; and redact log data associated with the request by a second registered function as described in the claim.
Therefore, the pending claims are allowable as the prior art of record does not disclose the entire combination of features, including receiving a request at a gateway to a resource at an endpoint, determining a role associated with a first registered function and the first registered function associated with a first account, the first registered function providing access to the resource associated with a second account; and redacting log data associated with the request by a second registered function as described in the claim; nor would it have been obvious to one of ordinary skill in the art to further modify the prior art to include all of the deficient features, as set forth in the allowable claim.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Grigera; Alejo | US-PGPUB | US 20200226234 A1 | On-demand application permissions
Saheba; Jigesh et al. | US-PGPUB | US 20170111444 A1 | Dynamic Proxy Server and user role based access
Cui; Jie | US-PGPUB | US 20170063836 A1 | Method for access control of a cloud hosting service
Ginter; Jonathan | US-PGPUB | US 20140101178 A1 | Progressive analysis for big data

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571)272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/
Examiner, Art Unit 2435