Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is response to communication:  response to amendments/arguments filed on 08/05/2022.
Claims 1-20 are currently pending in this application.  
No IDS was filed for this application.

Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of new grounds of rejection.  See amended rejection below. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash et al. US Patent Application Publication 2014/0090091 (Prakash), in view of Kawato et al. US Patent Application Publication  2009/0164649 (Kawato), and further in view of Matthieu et al. US Patent Application Publication 2018/0262597 (Matthieu).

As per claim 1, Prakash teaches a method comprising: receiving, at a data processing hardware of a device manager, an authorization request from a third party, the authorization request requesting access to a user resource managed by the device manager, the device manager managing access controls associated with a plurality of user devices, the access controls configured by a user (Figure 5; paragraph 50 with requesting access from third party application to user information; see paragraph 43 wherein the user device or receiving device enforces privacy settings; see paragraphs 18 and 19 with user devices including mobile terminal and client terminal; see paragraph 43 wherein receiving device is another user device ); determining, by the data processing hardware, that the third party is authorized to access the user resource managed by the device manager (paragraph 43, 50, 51 wherein privacy setting is checked to determine whether third party is allowed or denied access); and based on determining that the user has configured a respective access control governing the user reousrce subject to the authorization request, communicating, by the data processing hardware, a response to the authorization request based on the respective access control (paragraph 51 with granting access to third aprty based on privacy setting; see paragraphs 29, 35, and throughout with different privacy settings for each piece of information).
	Although Prakash teaches a user controlling access to their resources based on the privacy settings for different information, Prakash does not explicitly teach based on determining that the third aprty is authorized to access the user resource managed by the device manager, determining, by the data processing hardware, whether the user has configured access controls at the device manager governing the user resource subject to the authorization request.  However, determining whether a user has configured access controls at a device manager governing resources is well known in the art.  For example, see Kawato (paragraph 60, Figure 7, with finding a match rule, and if there’s a match rule, determining whether there is permission to access based on prior user permission or to request a user permission).
	At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachigns of Prakash with Kawato.  One of ordinary skill in the art would have been motivated to perform such an addition to provide more efficiency by providing access control that does not require preparation of all access control rules in advance (paragraph 8 of Kawato).
	Although the Prakash combination teaches determining whether a third party is authorized to access the user resource, Prakash as modified does not explicitly teach determining access based on a third party’s identity.  However, this would have been obvious.  For example, see Matthieu (paragraphs 129-130 with restrictions and access permisions based on UUID of user/system/device; see paragraphs 135-137 with permissions record that allows different levels of access to different parties).
	At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Matthieu with the Prakash combination.  One of ordinary skill in the art would have been motivated to perform such an addition to provide QoS among IoT devcies (paragraph 6 of Matthieu).

	As per claim 2, it would have been obvious over the Prakash combination wherein determining that the third party is authorized to access the user resource managed by the device manager based on the identity of the third party comprises determining that the whitelist authorizes the third party to access a type of resource comprising the user resource (paragraphs 136-138 of Matthieu)

	As per claim 3, the Prakash combination teaches determining, by the data processing hardware, that a second third party is not authorized to access the user resource managed by the device manager and denying by the data processing hardware, access to the user resource by the second third party (Prakash 51 with denying access).
	As per claim 4, it would have been obvious over the Prakash combination to further comprise, determining, by the data processing hardware, that he user has not configured access controls for a second third ty at the device manager governing the user resource subject to the authorization request and based on determining that the user has not configured to access controls for the second third aprty, generating, by the data processing hardware, a consent request for the user to input one or more access controls in the device manager (Kawato paragraphs 61-63 wherein no prior permission is provided, and so system requests manual control; user then provides permission information).
	As per claim 5, the Prakash combination eaches wherein the device manager comprises a user interface, the user interface comprising one or more access control selections for the user to configure a respective access control governing a respective user resource (Prakash paragraph 14, 23, and throughout with a user organizing data with privacy settings).
	As per claim 6, the Prakash combination teaches wherein the one or more access control selections represent the respective user resource in a hierarchy, the hierarchy comprising at least two of a third party, a physical structure housing the repestive user resource, a user device associated with the respective user resource, or a function associated with the user resource (paragraph 27 with functions associated with user such as public/private; see also paragraph 14; see further paragraph 29 with hierarchy of third parties with different relationship levels).
	As per claim 7, the Prakash combination teaches receiving, at the data processing hardware, an access control selection for the user (Prakash paragraph 14 with user designating privacy setting such as public/private).
	As per claim 8, the Prakash combination teaches storing, by the data processing hardware, the access control selection as a data structure in an access control list (Prakash paragraph 25 and 49-51 with storing privacy setting and utilizing it).
	As per claim 9, the Prakash combination teaches wherein the data structure comprises a tuple represented as an object, a relation, and a user (see Prakash paragraph 34 with user information, user relationship table, and paragraph 35, wherein each object/piece of information, may have a privacy setting).
	As per claim 10, the Prakash combination eaches wherein the user resource comprises user data generated by a respective user device of the plurality of user devices managed by the device manager (Prakash paragraph 24 wherein user updates/generates user information at a user device).  
	Claim 11 is rejected using the same basis of arguments used to reject claim 1 above. 
	Claim 12 is rejected using the same basis of arguments used to reject claim 2 above. 
	Claim 13 is rejected using the same basis of arguments used to reject claim 3 above.
	Claim 14 is rejected using the same basis of arguments used to reject claim 4 above. 
	Claim 15 is rejected using the same basis of argumetns used to reject claim 5 above. 
Claim 16 is rejected using the same basis of arguments used to reject claim 7 above. 
Claim 17 is rejected using the same basis of arguments used to reject claim 8 above. 
Claim 18 is rejected using the same basis of arguments used to reject claim 6 above. 
Claim 19 is rejected using the same basis of arguemnts used to reject claim 9 above. 
Claim 20 is rejected using the same basis of arguments used to reject claim 10 above. 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monda-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495