Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the amendment filed 6/17/2022 for application 16/778,934.
Claims 1-11, 13, and 15-20 have been examined and are pending.  Claims 1 and 13 have been amended.  Claims 12 and 14 have been canceled.  Claim 1 is the sole independent claim.  This Action is made FINAL.
Response to Arguments
Applicant’s arguments, filed 6/17/2022, with respect to claim(s) 1-11, 13, and 15-20 have been considered but are not persuasive.
Applicant argues as follows:  Applicants respectfully traverse and request reconsideration of the rejection of claims 1-11, 13, and 15-20 under 35 U.S.C. §103 because a prima facie case of obviousness has not been properly established with respect to the claims as amended herein, as is discussed in detail below.  Claims 1-9 stand rejected under 35 U.S.C. §103 as allegedly being unpatentable over Schincariol and Hartman. Applicants respectfully traverse the rejection of claims 1-9 and request reconsideration for at least the reasons that Schincariol and Hartman, whether viewed separately or in any combination thereof, fail to disclose or suggest each and every element recited in the amended claims at issue. Amended claim 1 recites a method for managing access to a governed object that includes, inter alia: "... identifying ... at least a first governed object in a directory database, the at least a first governed object corresponding with [an] indication of the object associated with [a] specified data set of [an] access control request; identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule; determining, by the security service, based on the at least a first rule and the access control request, that the access control request should be granted; [and] issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination..."  Emphasis added. Applicants respectfully submit that Schincariol and Hartman both fail to disclose or suggest at least these claim features, as detailed below.
Examiner respectfully notes claims 1-9, 12, 13, and 15 are rejected by Schincariol, Hartman, and Shear.  Regarding claim 1, Schincariol discloses, in paragraphs 0041, 0027, 0029, a method for managing access to a governed object performed by a data management system comprising at least one processor and at least one non-transitory computer-readable medium storing instructions that, when executed by the at least one processor, cause the data management system to perform the method, the method comprising: paragraphs 0026, 0036, and 0074, and FIG. 7, receiving, by a data service of the data management system, an access token and a data access request from a client system, the data access request comprising an indication of a specified data set and an indication of an operation associated with at least one requested access privilege; paragraph 0036, validating the data access request by authenticating the access token; paragraphs 0039 and 0065, an indication of an object associated with the specified data set, and an indication of the at least one requested access privilege.  Hartman discloses, in paragraphs 0038 and 0046, issuing, by the data service, an access control request to a security service of the data management system, the access control request comprising an indication of a subject associated with the access token; in paragraphs 0160, 0057, 0193, and FIG. 6, identifying, by the security service, at least a first governed object in a directory database, the at least a first governed object corresponding with the indication of the object associated with the specified data set of the access control request; in paragraph 0160, identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule; in paragraphs 0160 and 0039, determining, by the security service, based on the at least a first rule and the access control request, that the access control request should be granted; in paragraphs 0034 and 0046, issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination; in paragraphs 0034 and 0062, permitting, by the data service, access to the specified data set by the client system in accordance with the access control response.
Shear discloses, in paragraphs 1901, 2527, 2534, 2482, and 2393, identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule, where paragraph 1901 discloses characteristics/objects linked/attached; paragraph 2527 discloses rules such as governance for resources/objects; paragraph 2534 discloses depth of hierarchy, levels of services, depth and span, directory services; paragraph 2482 discloses directories; and paragraph 2393 discloses root address.  A second governed object being located above a first governed object encompasses depth of hierarchy and levels of services.
Applicant argues as follows:  The Office Action appears to cite to Hartman's disclosure of a "decision object 310" as allegedly describing similar elements to the "first governed object" recited in amended claim 1.  See Office Action at pages 18 and 19. Hartman's "decision object 310," however, is different than the claimed "first governed object." For example, Hartman describes that its "decision object 310 may act as a router or switch that dynamically routes security request information received from adapters to the appropriate mappers after the decision object 310 has determined which security services should respond to or process the security requests" using this information "to decide which security service should be used to respond to a specific security request." Hartman at paragraph [0160]. In this manner, Hartman details that its "decision object 310 ... select[s] the appropriate security service to process a given security request." Hartman at id.  In contrast to Hartman's "decision object 310," amended claim 1 recites that the "first governed object" is included in a "directory database" and is associated with "at least a first rule set" that includes "at least a first rule" specifying an associated "depth," and is related to a "second governed object" within a "root path of a directory tree" in a specific manner. Indeed, nowhere in Hartman's disclosure of its "decision object 310" selecting an appropriate security service does Hartman describe a "first governed object" having a specified relationship with a "second governed object" in the manner recited in the claims.
Examiner respectfully disagrees.  The claim language in question is “at least a first governed object in a directory database”.  Hartman discloses in paragraph 0160, directory; paragraph 0057, security service directory; paragraph 0193, manager 102 stored on data storage device 360; FIG. 6 shows decision object as part of manager.
Applicant argues as follows:  The Office Action further appears to cite to aspects of Hartman's disclosure of "security administration dashboard" as allegedly describing elements similar to the "at least a first rule specifying a depth associated with the at least a first rule" recited in amended claim 1.  Nowhere in this description of Hartman's "security administration dashboard" or elsewhere, however, does the reference describe a "depth" specified in "at least a first rule" included in "at least a first rule set" used to "identify the first rule set" based on a relationship between a "first governed object" and a "second governed object" within a "root path of a directory tree in [a] directory database" in the manner specifically recited in amended claim 1. Accordingly, Hartman fails to cure the deficiencies of Schincariol acknowledged in the Office Action.   For at least the above reasons, Schincariol and Hartman, whether viewed separately or in any combination thereof, fail to disclose or suggest each and every element required by claim 1, and therefore, do not render claim 1 obvious. Claims 2-9 depend from claim 1, and are allowable over Schincariol and Hartman for at least the same reason as claim 1. Accordingly, Applicants respectfully request reconsideration and withdrawal of the rejections of claims 1-9 under 35 U.S.C. §103.
Examiner respectfully notes claims 1-9, 12, 13, and 15 are rejected by Schincariol, Hartman, and Shear. Hartman discloses, in paragraph 0160, identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule.  Shear discloses, in paragraphs 1901, 2527, 2534, 2482, and 2393, identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule, where paragraph 1901 discloses characteristics/objects linked/attached; paragraph 2527 discloses rules such as governance for resources/objects; paragraph 2534 discloses depth of hierarchy, levels of services, depth and span, directory services; paragraph 2482 discloses directories; and paragraph 2393 discloses root address.  A second governed object being located above a first governed object encompasses depth of hierarchy and levels of services.
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272 5368 to schedule an interview.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
Claims 1-9, 13, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and further in view of Shear (US20160034305), filed March 14, 2014.
Regarding claim 1, Schincariol discloses a method for managing access to a governed object performed by a data management system comprising at least one processor and at least one non-transitory computer-readable medium storing instructions that, when executed by the at least one processor, cause the data management system to perform the method, the method comprising (Schincariol, paragraph 0041, computer readable storage media, instructions, processors, paragraphs 0027, 0029, the data management system encompasses data storage system 104): 
receiving, by a data service of the data management system, an access token and a data access request from a client system, the data access request comprising an indication of a specified data set and an indication of an operation associated with at least one requested access privilege (Schincariol, paragraph 0026, “In some embodiments, proxy nodes 112 may be configured to determine if a request from client devices 102 includes an access token that identifies a user with data storage system 104.”; paragraph 0036, “In some embodiments, the validation data can include non-identifying information included by the proxy server component to be used to validate the access token during subsequent requests.” --- indication of a specified data set and indication of an operation associated with at least one requested access privilege encompasses access token that identifies a user with data storage system, paragraph 0074, internal shared services 732 may be a security and identity service; paragraph 0064, cloud infrastructure system 702 --- sending to a security service encompasses communications from the client device 708 to the internal shared services 732 as shown in FIG. 7);
validating the data access request by authenticating the access token (Schincariol paragraph 0036, “In some embodiments, the validation data can include non-identifying information included by the proxy server component to be used to validate the access token during subsequent request.”);
an indication of an object associated with the specified data set, and an indication of the at least one requested access privilege (Schincariol, paragraph 0039, “As described herein, an access control list may include a list of permissions attached to the object that specifies which users are granted access to the object as well as the operations that the users may perform on the object. For instance, an access control list for a `file` object stored in data storage system may enable a first user to read and write to the file but enable a second user to only read the file.”; paragraph 0065, “These data sets can involve structured data, such as that organized in a database or otherwise according to a structured model, and/or unstructured data (e.g., emails, images, data blobs (binary large objects), web pages, complex event processing).”).
Schincariol discloses an access token, but does not explicitly disclose issuing, by the data service, an access control request to a security service of the data management system, the access control request comprising an indication of a subject associated with the access token, identifying, by the security service, at least a first governed object in a directory database, the at least a first governed object corresponding with the indication of the object associated with the specified data set of the access control request; identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule; determining, by the security service, based on the at least a first rule and the access control request, that the access control request should be granted; issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination; and permitting, by the data service, access to the specified data set by the client system in accordance with the access control response.
However, in an analogous art, Hartman discloses issuing, by the data service, an access control request to a security service of the data management system, the access control request comprising an indication of a subject associated with the access token (Hartman, paragraph 0038, “The adapter 106 and then determine a security service 118 to process the security request.”;  paragraph 0046, indication of a subject associated with the access token encompasses a response to a security request may grant access);
identifying, by the security service, at least a first governed object in a directory database, the at least a first governed object corresponding with the indication of the object associated with the specified data set of the access control request (Hartman, paragraph 0160, “The decision object 310 will select the appropriate security service to process a given security request. For example, decisions made by the decision object 310 may be based in whole or in part on what the security request is asking for; what the decision object 310 is allowed or required to provide or select (which may be governed by one or more security or administrative policies; one or more constraints, requirements or limitations established by a system or security administrator; one or more routing rules established when an application or security service is registered with the manager 102 or recognized by the manager 102; etc.); the type of security request (e.g., authorization, authentication or attribute); the identity of the application that the security request came from or is associated with; etc” --- first rule encompasses rules; paragraph 0160, directory; paragraph 0057, security service directory; paragraph 0193, manager 102 stored on data storage device 360; FIG. 6 shows decision object 310 as part of manager 102);
identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule (Hartman, paragraph 0160, “The decision object 310 may use information in the data received from the adapter 106 and other algorithms, functions, rules, conventions, heuristics, security policies, processes, filters, routing designations, etc. (some or all of which may be stored in the resource 122 or in a security administration dashboard) to decide which security service should be used to respond to a specific security request. For example, decisions made by the decision object 310 may be based in whole or in part on what the security request is asking for; what the decision object 310 is allowed or required to provide or select (which may be governed by one or more security or administrative policies; one or more constraints, requirements or limitations established by a system or security administrator; one or more routing rules established when an application or security service is registered with the manager 102 or recognized by the manager 102; etc.); the type of security request (e.g., authorization, authentication or attribute); the identity of the application that the security request came from or is associated with; etc.” );
determining, by the security service, based on the at least a first rule and the access control request, that the access control request should be granted (Hartman, paragraph 0160, rules, request, decision object 310, security service; paragraph 0039, granted access);
issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination (Hartman, paragraph 0034, “The server 112 may allow access to the application 110 or other applications to users via user devices 114, 116. As will be discussed in more detail below, a security request associated with the application 110 may be intercepted or otherwise identified by the adapter 106 and routed via the manager 102 and one of the mappers 104 to an appropriate security service (also referred to herein as "security service module") 118 for processing. A response created by the security service regarding the security request may then be routed back via the appropriate mapper 104, manager 102 and adapter 106 to the application 110.” --- access control response granting access encompasses response created by the security service regarding the security request and response to security request may grant or deny in paragraph 0046);
permitting, by the data service, access to the specified data set by the client system in accordance with the access control response (Hartman, paragraph 0034, “The server 112 may allow access to the application 110 or other applications to users via user devices 114, 116. As will be discussed in more detail below, a security request associated with the application 110 may be intercepted or otherwise identified by the adapter 106 and routed via the manager 102 and one of the mappers 104 to an appropriate security service (also referred to herein as "security service module") 118 for processing. A response created by the security service regarding the security request may then be routed back via the appropriate mapper 104, manager 102 and adapter 106 to the application 110.”; paragraph 0062, client devices).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hartman with the method of Schincariol to include issuing, by the data service, an access control request to a security service of the data management system, the access control request comprising an indication of a subject associated with the access token, identifying, by the security service, at least a first governed object in a directory database, the at least a first governed object corresponding with the indication of the object associated with the specified data set of the access control request; identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule; determining, by the security service, based on the at least a first rule and the access control request, that the access control request should be granted; issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination; and permitting, by the data service, access to the specified data set by the client system in accordance with the access control response. One would have been motivated to provide users with the benefits of facilitating security in a network for different applications distributed across a network or performed by different security components (Hartman: title and paragraph 0006).
Schincariol and Hartman disclose identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule, but do not explicitly disclose identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule.
However, in an analogous art, Shear discloses identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule (Shear, paragraph 1901, characteristics/ objects linked/ attached; paragraph 2527, rules such as governance for resources/ objects; paragraph 2534, depth of hierarchy, levels of services, depth and span, directory services; paragraph 2482, directories; paragraph 2393, root address).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Shear with the method of Schincariol and Hartman to include specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule. One would have been motivated to provide users with the benefits of facilitating user purpose including discovering and utilizing resources in multiple contexts and sessions in resource management systems (Shear: paragraphs 0009, 2527, 2534).
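As an added illustration (not code from the application, the applicant, or any reference of record), the following Python sketches the flow recited in claim 1 as discussed above: the data service authenticates the token, issues an access control request to a security service, and the security service locates the governed object in the directory database and walks its root path, applying only those rule sets attached to ancestors whose declared depth reaches the object. The tree, subjects, token store and the deny-overrides conflict policy are constructed assumptions.

```python
"""Depth-limited rule inheritance over a governed-object directory tree.

A rule attached to a governed object carries a depth: it applies to that
object (distance 0) and to descendants at most `depth` levels below it.
The security service identifies the target object, walks the root path
toward the root, and keeps only rules whose depth reaches the target.
Constructed example; the conflict policy (deny overrides) is an assumption.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass
class Rule:
    subject: str    # user name or "group:<name>" the rule applies to
    privilege: str  # requested operation, e.g. "read" or "write"
    effect: str     # "grant" or "deny"
    depth: int      # levels below the attachment object the rule reaches


@dataclass
class GovernedObject:
    path: str
    rule_set: list[Rule] = field(default_factory=list)


class DirectoryDatabase:
    """Governed objects keyed by path; the root path is derived from the path."""

    def __init__(self) -> None:
        self.objects: dict[str, GovernedObject] = {}

    def add(self, path: str, rules: list[Rule] | None = None) -> GovernedObject:
        obj = GovernedObject(path, list(rules or []))
        self.objects[path] = obj
        return obj

    def root_path(self, path: str) -> list[tuple[int, GovernedObject]]:
        """Return (distance, object) pairs from the object itself (0) up to the root.
        Distance is counted in path components, so unregistered intermediate
        directories still count as levels."""
        parts = path.strip("/").split("/")
        chain = []
        for i in range(len(parts), 0, -1):
            ancestor_path = "/" + "/".join(parts[:i])
            if ancestor_path in self.objects:
                chain.append((len(parts) - i, self.objects[ancestor_path]))
        return chain


@dataclass(frozen=True)
class AccessControlRequest:
    subject: str
    groups: frozenset[str]
    object_path: str
    privilege: str


class SecurityService:
    """Resolves access control requests against the directory database.
    Assumed policy: any applicable deny overrides grants; no rule means deny."""

    def __init__(self, db: DirectoryDatabase) -> None:
        self.db = db

    @staticmethod
    def _matches(rule: Rule, req: AccessControlRequest) -> bool:
        if rule.privilege != req.privilege:
            return False
        return rule.subject == req.subject or rule.subject in req.groups

    def decide(self, req: AccessControlRequest) -> str:
        if req.object_path not in self.db.objects:  # first governed object must exist
            return "deny"
        effects = set()
        for distance, ancestor in self.db.root_path(req.object_path):
            for rule in ancestor.rule_set:
                # A rule on an ancestor applies only when the target lies
                # within the depth that rule specifies.
                if distance <= rule.depth and self._matches(rule, req):
                    effects.add(rule.effect)
        if "deny" in effects:
            return "deny"
        return "grant" if "grant" in effects else "deny"


class DataService:
    """Front door: authenticates the token, then defers to the security service."""

    def __init__(self, security: SecurityService, tokens: dict[str, dict]) -> None:
        self.security = security
        self.tokens = tokens  # constructed store: token -> {subject, groups, expires}

    def handle(self, token: str, object_path: str, operation: str,
               now: float | None = None) -> str:
        now = time.time() if now is None else now
        info = self.tokens.get(token)
        if info is None or info["expires"] <= now:  # unknown or expired token
            return "invalid_token"
        req = AccessControlRequest(info["subject"], frozenset(info["groups"]),
                                   object_path, operation)
        return self.security.decide(req)  # "grant" or "deny"


def build_demo() -> DataService:
    """Constructed tree: a read grant at /corp reaching two levels down, and a
    narrower deny plus a write grant attached at /corp/finance/reports."""
    db = DirectoryDatabase()
    db.add("/corp", [Rule("group:analysts", "read", "grant", depth=2)])
    db.add("/corp/finance")
    db.add("/corp/finance/budget.xlsx")
    db.add("/corp/finance/reports", [Rule("bob", "write", "grant", depth=1),
                                     Rule("group:analysts", "read", "deny", depth=0)])
    db.add("/corp/finance/reports/q3.csv")
    tokens = {
        "tok-alice": {"subject": "alice", "groups": ["group:analysts"], "expires": 2_000_000_000},
        "tok-bob": {"subject": "bob", "groups": ["group:analysts"], "expires": 2_000_000_000},
        "tok-stale": {"subject": "alice", "groups": ["group:analysts"], "expires": 1_000_000_000},
    }
    return DataService(SecurityService(db), tokens)


if __name__ == "__main__":
    svc = build_demo()
    for tok, path, op in [("tok-alice", "/corp/finance/budget.xlsx", "read"),
                          ("tok-alice", "/corp/finance/reports/q3.csv", "read"),
                          ("tok-bob", "/corp/finance/reports/q3.csv", "write"),
                          ("tok-stale", "/corp/finance/budget.xlsx", "read")]:
        print(f"{tok} {op} {path} -> {svc.handle(tok, path, op, now=1_500_000_000)}")
```

Note that q3.csv sits three levels below /corp, so the depth-2 read grant does not reach it and the request falls through to the default deny.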

Regarding claim 2, Schincariol, Hartman, and Shear disclose the method of claim 1.  Schincariol discloses wherein authenticating the access token comprises invoking an authentication service of the data management system to validate the access token (Schincariol, paragraph 0036, “when a proxy server receives a request from a user, the proxy server can determine whether a token is associated with the user” and “The encrypted token may include token information (e.g., expiry time, user identity information, verification and/or validation data, etc.). In some embodiments, the validation data can include non-identifying information included by the proxy server component to be used to validate the access token during subsequent requests. When the access token is provided subsequently as part of a request, the access token may be decrypted by the proxy server component and the validation data can be checked to ensure the integrity of the token. This provides secure end-to-end token processing by proxy server components to validate tokens, in addition to existence checks.” --- authentication service encompasses proxy server component).

Regarding claim 3, Schincariol, Hartman, and Shear disclose the method of claim 1.  Schincariol discloses wherein authenticating the access token comprises invoking a remote authentication service to validate the access token (Schincariol, paragraph 0046, “FIG. 5 illustrates an example flow diagram showing process 500 for generating an access token for a user of a data storage system, in accordance with an embodiment of the present invention. If the user does not exist, then the process 500 may include notifying the data storage system of the failure of the user's authentication with the data storage system at 508. If the user exists in the LDAP directory and has been authenticated with the data storage system, then at 510, the process 500 may include generating an access token for the user. At 512, the process 500 may include transmitting the access token to the data storage system. In some examples, at 514, the process 500 may include identifying the set of roles associated with the access token from an access control policy database (e.g., 224). At 518, the process 500 may include transmitting the roles to the data storage system.”; paragraph 0047, “The server 612 may be communicatively coupled with the remote client computing devices 602, 604, 606, and 608 via network 610.” --- invoking a remote authentication service encompasses identifying the set of roles associated with the access token in accordance with the access control policy database shown in FIG. 2).
Regarding claim 4, Schincariol, Hartman, and Shear disclose the method of claim 1.  Schincariol discloses wherein authenticating the access token comprises determining that the access token is not expired (Schincariol, paragraph 0035, “If a match for the user identity information is found in LDAP directory service 220, in some embodiments, LDAP directory service 220 may generate an access token for the user, which the user may utilize to make subsequent requests for information stored in data storage system.  In some embodiments, the authentication successful message to the proxy server component may include token information (e.g., expiry time, user identity information, verification and/or validation data, etc.) which may be used by the proxy server component when generating the access token.” --- determining that the access token is not expired is at least implied by token information including expiry time).
Regarding claim 5, Schincariol, Hartman, and Shear disclose the method of claim 1.  Schincariol discloses wherein the method further comprises: receiving, by an authentication service of the data management system from the client system, authentication credentials (Schincariol, paragraph 0045, obtaining an access token; identifying credential information); determining, by the authentication service, that the authentication credentials are associated with a valid account; and in response to determining that the authentication credentials are associated with a valid account, generating and transmitting the access token to the client system; paragraph 0046, access token, credentials, the process 500 may begin at 502 by receiving user credentials from the data storage system (e.g., 104, 208 shown in FIG. 1 and FIG. 2 respectively)).
Regarding claim 6, Schincariol, Hartman, and Shear disclose the method of claim 1.  Schincariol discloses wherein the directory database is managed by a directory service of the data management system (Schincariol, paragraph 0032, “In certain embodiments, IDM system 218 may be configured to confirm the identity of the user by verifying the credential information provided in the request against an LDAP directory service 220. In some examples, LDAP directory service 220 may act as a central repository of user information for applications utilized by client device 202 to access information stored in data storage system 208. In an embodiment, LDAP directory service 220 may be a software application, or a set of applications that stores, among other information, identity management information necessary to authenticate requesters (e.g., users) to data storage system 208.”).
Regarding claim 7, Schincariol, Hartman, and Shear disclose the method of claim 1.  Hartman discloses wherein the permitting access to the specified data set by the client system in accordance with the access control response comprises: retrieving, by the data service, the specified data set from a data store; and transmitting, by the data service, a data access response to the client system based on the retrieved specified data set (Hartman, paragraph 0114, “In some embodiments, the step 210 may be or include one or more of the following: receiving data in a security service dependent format and indicative of the response; receiving data indicative of whether the application 110 can perform an action indicated in the security request”; paragraph 0116, “In some embodiments, a response to the security request identified during the step 202 may include one or more of the following: data in a security service dependent format and indicative of the response; data indicative of whether the application 110 can perform an action indicated in the security request; data indicative of whether the application 110 can access a resource indicated in the security request; data indicative of a request for additional information from the application 110”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 8, Schincariol, Hartman, and Shear disclose the method of claim 7.  Hartman discloses wherein the data store comprises a local data store of the data management system (Hartman, paragraph 0191, “The processor 350 and the data storage device 360 in the device 124 each may be, for example: (i) located entirely within a single computer or other computing device”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 9, Schincariol, Hartman, and Shear disclose the method of claim 7.  Hartman discloses wherein the data store comprises a remote data store (Hartman, paragraph 0191, “The processor 350 and the data storage device 360 in the device 124 each may be, for example: (i) located entirely within a single computer or other computing device; or (ii) connected to each other by a remote communication medium, such as a serial port cable, telephone line or radio frequency transceiver. In one embodiment, the device 124 may comprise one or more computers that are connected to a remote server computer for maintaining databases.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 13, Schincariol, Hartman, and Shear disclose the method of claim 1.  Shear discloses wherein identifying the at least a first rule set comprises determining that the at least a first rule set is attached to the at least a second governed object within the depth specified in the at least a first rule in the root path of the directory tree in the directory database (Shear, paragraph 2393, root; paragraph 2384, directory; paragraph 5013, tree; paragraph 4542, associated rules for each classification and/or levels; paragraphs 2487 and 2534, depth of hierarchy).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 15, Schincariol, Hartman, and Shear disclose the method of claim 13.  Shear discloses wherein the at least a second governed object comprises an object associated with an organization (Shear, paragraph 2300, “An RMDF may also include other templates and/or statements/specifications involved in provision of those instances of objects that are specified by its operational specifications and consequent resource management operations in support of purpose unfolding. An RMDF may also interact with storage and organization structures”).  The motivation is the same as that of the claim from which this claim depends.
Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of Nagasoe (US20050210212), filed May 13, 2004.
Regarding claim 10, Schincariol, Hartman, and Shear disclose the method of claim 7.
Schincariol, Hartman, and Shear do not explicitly disclose wherein the access control response comprises at least one restriction, and wherein retrieving the specified data set from the data store comprises retrieving the specified data set in accordance with the at least one restriction.  
However, in an analogous art, Nagasoe discloses wherein the access control response comprises at least one restriction, and wherein retrieving the specified data set from the data store comprises retrieving the specified data set in accordance with the at least one restriction (Nagasoe, paragraph 0218 and 0220, storage system, restriction modes, access control, response; paragraph 0223, in a case that the access attribute mode which is set for the designated logical device is the device recognition control mode, and the access operation requested by the outer unit is to read or write data from/to the designated logical device, the device recognition control means of the access control means outputs a response, restriction of reading or writing data --- at least one restriction encompasses restriction modes).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Nagasoe with the method of Schincariol, Hartman, and Shear to include wherein the access control response comprises at least one restriction, and wherein retrieving the specified data set from the data store comprises retrieving the specified data set in accordance with the at least one restriction.  One would have been motivated to provide users with the benefits of allowing copy data to be protected in the same manner as source data (Nagasoe: paragraph 0009).

Regarding claim 11, Schincariol, Hartman, Shear, and Nagasoe disclose the method of claim 10.  Nagasoe discloses wherein retrieving the specified data set in accordance with the at least one restriction comprises transmitting at least one data retrieval request issued to the data store in accordance with the at least one restriction (Nagasoe, paragraph 0223, “in a case that the access attribute mode which is set for the designated logical device is the device recognition control mode, and the access operation requested by the outer unit is to read or write data from/to the designated logical device, the device recognition control means of the access control means outputs a response having information which indicates a result of restriction of reading or writing data from/to the designated logical device, to the outer unit.” --- one data retrieval request issued encompasses a result of restriction of reading or writing).  The motivation is the same as that of the claim from which this claim depends.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of Hayton (US20090007021), filed June 28, 2007.
Regarding claim 16, Schincariol, Hartman, and Shear disclose the method of claim 1.
Schincariol, Hartman, and Shear do not explicitly disclose wherein the method further comprises: identifying, by the security service, at least a second rule set in the directory database, the at least a second rule set being associated with the at least a first governed object in the directory database, the at least a second rule set comprising at least a second rule; and determining, by the security service, that the first rule set has a higher indicated priority than the second rule set.  
However, in an analogous art, Hayton discloses wherein the method further comprises: identifying, by the security service, at least a second rule set in the directory database, the at least a second rule set being associated with the at least a first governed object in the directory database, the at least a second rule set comprising at least a second rule; and determining, by the security service, that the first rule set has a higher indicated priority than the second rule set (Hayton, paragraph 0123, policy engine, identifying a second rule having a lower rule priority level than the first rule priority; paragraph 0126, second rule, first rule; paragraph 0138, 0141, 0143).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Hayton with the method of Schincariol, Hartman, and Shear to include wherein the method further comprises: identifying, by the security service, at least a second rule set in the directory database, the at least a second rule set being associated with the at least a first governed object in the directory database, the at least a second rule set comprising at least a second rule; and determining, by the security service, that the first rule set has a higher indicated priority than the second rule set.  One would have been motivated to provide users with the benefits of providing identification to all resources by executing the requested resource on a machine (Hayton, paragraph 0122).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of Ying (US20040255137), filed January 8, 2004.
Regarding claim 17, Schincariol, Hartman, and Shear disclose the method of claim 1.
Schincariol, Hartman, and Shear do not explicitly disclose wherein determining that the access control request should be granted comprises: comparing the indication of the subject associated with the access token, the indication of the object associated with the specified data set, and the indication of the at least one requested access privilege with the at least a first rule; and determining, based on the comparison, that the subject associated with the access token is permitted the at least one requested access privilege to the object associated with the specified data set.  
However, in an analogous art, Ying discloses wherein determining that the access control request should be granted comprises: comparing the indication of the subject associated with the access token, the indication of the object associated with the specified data set, and the indication of the at least one requested access privilege with the at least a first rule; and determining, based on the comparison, that the subject associated with the access token is permitted the at least one requested access privilege to the object associated with the specified data set (Ying, paragraph 0176, categories of application in which an access token can be used, paragraph 0358, access token for reading and writing; paragraph 0222, security policy).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Hayton with the method of Schincariol, Hartman, and Shear to include wherein determining that the access control request should be granted comprises: comparing the indication of the subject associated with the access token, the indication of the object associated with the specified data set, and the indication of the at least one requested access privilege with the at least a first rule; and determining, based on the comparison, that the subject associated with the access token is permitted the at least one requested access privilege to the object associated with the specified data set.  One would have been motivated to provide users with the benefits of updating content pointed by the access token without updating the access tokens (Ying, paragraph 0175).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of Ih (US20070256124), filed April 13, 2006.
Regarding claim 18, Schincariol, Hartman, and Shear disclose the method of claim 1.
Schincariol, Hartman, and Shear do not explicitly disclose wherein subject associated with the access token comprises an account associated with the access token.  
However, in an analogous art, Ih discloses wherein subject associated with the access token comprises an account associated with the access token (Ih, paragraph 0036, tokens accessed by signing into an account; paragraph 0050, subject matter of token).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Ih with the method of Schincariol, Hartman, and Shear to include wherein subject associated with the access token comprises an account associated with the access token.  One would have been motivated to provide users with the benefits of sharing tokens with other users (Ih, paragraph 0036).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of Venkatasubramanian (US10983963), filed September 24, 2018.
Regarding claim 19, Schincariol, Hartman, and Shear disclose the method of claim 1.
Schincariol, Hartman, and Shear do not explicitly disclose wherein permitting access to the specified data set by the client system further comprises: locating the specified data set using a catalog service of the data management system.  
However, in an analogous art, Venkatasubramanian discloses wherein permitting access to the specified data set by the client system further comprises: locating the specified data set using a catalog service of the data management system (Venkatasubramanian, col. 5, lines 21-38, “System 200 of FIG. 2 represents a new service to manage, govern and secure data and workloads across multiple sources (e.g., databases, enterprise data warehouses (EDWs), clusters, data lakes), types of data (e.g., at-rest or in-motion), and tiers of data (e.g., on-premises, multiple clouds, hybrid). The dataplane service 201 includes certain platform capability components such as a data services catalog 208 that is a catalog of available services and functionality to allow for new services to be created and extend the platform, where the services 202 include the data lifecycle manager and possible extensions from organization partners.”; col. 10, lines 10-32, “The specific data it exchanges with the security service 410 is information about the policies about assets, or audit log information. This information is expected to be provided by the service using RESTful APIs over HTTPS. Likewise, the specific data it exchanges with the metadata catalog service 412 is metadata information about the assets that are stored in the cluster.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Venkatasubramanian with the method of Schincariol, Hartman, and Shear to include wherein permitting access to the specified data set by the client system further comprises: locating the specified data set using a catalog service of the data management system.  One would have been motivated to provide users with the benefits of managing, governing, and securing data and workloads across multiple sources (Venkatasubramanian, col. 5, lines 21-38).
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Schincariol (US20150227749), filed February 13, 2015, in view of Hartman (US20030154401), filed February 13, 2002, and Shear (US20160034305), filed March 14, 2014, and further in view of McFall (US20200327252), PCT filed May 2, 2017.
Regarding claim 20, Schincariol, Hartman, and Shear disclose the method of claim 1.
Schincariol, Hartman, and Shear do not explicitly disclose wherein the method further comprises: mapping the indication of the operation to the associated at least one requested access privilege.  
However, in an analogous art, McFall discloses wherein the method further comprises: mapping the indication of the operation to the associated at least one requested access privilege (McFall, paragraph 006, privilege and role mapping between authentication information about a requestor and the allowed access to a resource; paragraph 0008, table maps operations to associated authorization queries).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of McFall with the method of Schincariol, Hartman, and Shear to include wherein the method further comprises: mapping the indication of the operation to the associated at least one requested access privilege.
One would have been motivated to provide users with the benefits of allowing the identification and protection of sensitive data in multiple ways which can be combined for different workflows, data situations, or use cases (McFall, abstract).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.J.M/Examiner, Art Unit 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439