DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

   1.   ACKNOWLEDGEMENT OF REFERENCES CITED BY APPLICANT
	Information Disclosure Statement
	As required by M.P.E.P. ' 609 (C), the applicant's submission of the Information Disclosure Statement, dated 3/4/21, is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. ' 609 C(2), a copy of the PTOL-1449 initialed and dated by the examiner is attached to the instant office action.

   2.   REJECTIONS BASED ON PRIOR ART
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	Claim Rejections - 35 USC ' 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.



Claim(s) 1-4 and 6-9 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Koorapati (US 20190207929 A1).

With respect to claim 1, the Koorapati reference teaches an information processing system comprising: 
a plurality of storage parts configured to input and output data upon receipt of an I/O request from a compute part on which software operates; (see fig. 1, content storage 142; and paragraph 82, where 1ertain software applications can access content storage 142 via an API on behalf of a user. For example, a software package such as an application running on client device 150)
an I/O control part configured to control access to the storage parts from the compute part, (see fig. 2a, content storage service 116; and paragraph 33, where content storage 142 is associated with at least one content storage service 116, which includes software or other processor executable instructions for managing the storage of content items including, but not limited to, receiving content items for storage, preparing content items for storage, selecting a storage location for the content item, retrieving content items from storage, etc)
wherein the I/O control part receives from the compute part an authentication request including ID of the software and information regarding a storage area to and from which the software performs input and output,  (paragraph 119, where content storage interface 206 can receive content requests (e.g., downloads, uploads, etc.) from client device 150, authenticate client device 150 via authentication service 212, communicate with authorization service 132 to determine if client device 150 (and/or the request from client device 150) is authorized to upload or download the content to or from content storage 142 (e.g., based on permissions in access control list 145), and interact with content storage 142 to download or upload the content associated with the content requests from client device 150; and paragraph 61, where to share a content item within content management system 110 sharing service 128 can add a user account identifier or multiple user account identifiers to a content entry in access control list database 145 associated with the content item, thus granting the added user account access to the content item)
upon authentication of the compute part, the I/O control part transmits a token to the compute part to let the compute part access the storage parts, the I/O control part further transmitting the ID of the software, the information regarding the storage region to and from which the software performs input and output, and the token to the storage part corresponding to the information regarding the storage area,  (paragraph 94, where content management system 110 (e.g., file journal interface 202, authorization service 132, or content storage interface 206) can generate a token that verifies or indicates that client device 150 is authorized to access, update, download, or upload a requested content item)
the corresponding storage part receives from the compute part the I/O request including the software ID, the information regarding the storage area to and from which the software performs input and output, and the token, the corresponding storage part further checking the I/O request against the software ID, the information regarding the storage area, and the token received from the I/O control part so as to determine whether access to the corresponding storage part is allowed, (paragraph 94, where content management system 110 (e.g., file journal interface 202, authorization service 132, or content storage interface 206) can generate a token that verifies or indicates that client device 150 is authorized to access, update, download, or upload a requested content item) and 
upon determination that the access to the corresponding storage part is allowed, the corresponding storage part processes the I/O request. (paragraph 94, where content storage interface 206 can use the token to authorize queries to storage index 210 and upload or download content items to or from content storage 142)

With respect to claim 2, the Koorapati reference teaches the information processing system according to claim 1, wherein the authentication request destined from the compute part to the I/O control part and the token destined from the I/O control part to the compute part are decryptably encrypted when transmitted, and the software ID and the information regarding the storage area included in the I/O request transmitted from the compute part to the storage parts are turned into a hash value when transmitted. (paragraph 105, where token 250 can be a key or encrypted data object that authorizes access (e.g., download) of block 220A from content storage 142. Client device 150 can provide token 250 to content storage interface 206 when requesting block 220A to demonstrate to content storage interface 206 that client device 150 is authorized to access block 220A from content storage 142; and paragraph 159, where storage cache 354 can receive put command 360 and create record 372A for the content item, including the object ID of the content item from cloud storage 350 as well as a value for the content item (e.g., a hash) for value field 374, which can identify the content item at content storage 142)

With respect to claim 3, the Koorapati reference teaches the information processing system according to claim 2, wherein the storage part converts to a hash value the software ID and the information regarding the storage area received from the I/O control part and stores the hash value in association with the token, and upon receipt of the I/O request, the storage part selects the stored token based on the hash value included in the I/O request so as to check the I/O request. (paragraph 105, where token 250 can be a key or encrypted data object that authorizes access (e.g., download) of block 220A from content storage 142. Client device 150 can provide token 250 to content storage interface 206 when requesting block 220A to demonstrate to content storage interface 206 that client device 150 is authorized to access block 220A from content storage 142; and paragraph 159, where storage cache 354 can receive put command 360 and create record 372A for the content item, including the object ID of the content item from cloud storage 350 as well as a value for the content item (e.g., a hash) for value field 374, which can identify the content item at content storage 142)

With respect to claim 4, the Koorapati reference teaches the information processing system according to claim 1, wherein the compute part has the software and an agent, the agent, upon request by the software, transmits the authentication request and stores the received token, and the software, using the stored token, transmits the I/O request to the storage part. (paragraph 119, where content storage interface 206 can receive content requests (e.g., downloads, uploads, etc.) from client device 150, authenticate client device 150 via authentication service 212, communicate with authorization service 132 to determine if client device 150 (and/or the request from client device 150) is authorized to upload or download the content to or from content storage 142 (e.g., based on permissions in access control list 145), and interact with content storage 142 to download or upload the content associated with the content requests from client device 150; and paragraph 94, where content management system 110 (e.g., file journal interface 202, authorization service 132, or content storage interface 206) can generate a token that verifies or indicates that client device 150 is authorized to access, update, download, or upload a requested content item)

With respect to claim 6, the Koorapati reference teaches the information processing system according to claim 4, wherein the compute part has, as the software, a container platform and an application operating on the container platform, when the application is operating, the agent transmits the authentication request and stores the token, and upon request by the application, the container platform transmits the I/O request. (paragraph 119, where content storage interface 206 can receive content requests (e.g., downloads, uploads, etc.) from client device 150, authenticate client device 150 via authentication service 212, communicate with authorization service 132 to determine if client device 150 (and/or the request from client device 150) is authorized to upload or download the content to or from content storage 142 (e.g., based on permissions in access control list 145), and interact with content storage 142 to download or upload the content associated with the content requests from client device 150; and paragraph 94, where content management system 110 (e.g., file journal interface 202, authorization service 132, or content storage interface 206) can generate a token that verifies or indicates that client device 150 is authorized to access, update, download, or upload a requested content item; and paragraph 228, where the components can be physical or virtual devices)

With respect to claim 7, the Koorapati reference teaches the information processing system according to claim 1, wherein 
the storage part includes a first storage part and a second storage part interconnected with each other via a network, the first storage part and the second storage part collaborating to perform data input and output, upon authentication of the compute part, the I/O control part transmits the ID of the software, the information regarding the storage region to and from which the software performs input and output, and the token to the first storage part and the second storage part, (paragraph 237, where there can be networked storage devices; and paragraph 142, where cloud storage 350 can be a storage solution implemented in addition to content storage 142. Cloud storage 350 can be a separate storage solution utilized for additional storage capabilities such as, for example, archiving, backup or redundancy, disaster recovery, replication, scalability, etc)
the first storage part and the second storage part each receive either directly or indirectly the I/O request including the ID of the software, the information regarding the storage region to and from which the software performs input and output, and the token from the compute part, the first storage part and the second storage part further checking the I/O request against the software ID, the information regarding the storage area, and the token received from the I/O control part in order to determine whether access to the first and the second storage parts is allowed, (paragraph 119, where content storage interface 206 can receive content requests (e.g., downloads, uploads, etc.) from client device 150, authenticate client device 150 via authentication service 212, communicate with authorization service 132 to determine if client device 150 (and/or the request from client device 150) is authorized to upload or download the content to or from content storage 142 (e.g., based on permissions in access control list 145), and interact with content storage 142 to download or upload the content associated with the content requests from client device 150; paragraph 61, where to share a content item within content management system 110 sharing service 128 can add a user account identifier or multiple user account identifiers to a content entry in access control list database 145 associated with the content item, thus granting the added user account access to the content item; and paragraph 94, where content management system 110 (e.g., file journal interface 202, authorization service 132, or content storage interface 206) can generate a token that verifies or indicates that client device 150 is authorized to access, update, download, or upload a requested content item) and 
upon determination that the access to the first and the second storage parts is allowed, the first and the second storage parts process the I/O request. (paragraph 94, where content storage interface 206 can use the token to authorize queries to storage index 210 and upload or download content items to or from content storage 142)
With respect to claim 8, the Koorapati reference teaches the information processing system according to claim 1, wherein, upon meeting a predetermined condition, the I/O control part transmits a request to either update or delete the token to the compute part and to the storage part, and upon receipt of the request to either update or delete the token, the compute part and the storage part either update or delete the token. (paragraph 121, where token 250 can include an expiration date or period, as previously explained, to prevent client device 150 from using token 250 to access block 220A after a threshold period of time and require client device 150 to re-authorize before accessing block 220A after the expiration date or period)
 
Claim 9 is the method implementation of claim 1, and rejected under the same rationale as claim 1 above. 

	Claim Rejections - 35 USC ' 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over in Koorapati (US 20190207929 A1) view of Bagal (US 20170034165 A1). 

	With respect to claim 5, the Koorapati reference does not explicitly teach the information processing system according to claim 4, wherein the compute part has, as the software, a hypervisor, a guest OS operating on the hypervisor, and an application operating on the guest OS, when the application is operating, the agent transmits the authentication request and stores the token, and upon request by the application, the hypervisor transmits the I/O request.
	The Bagal reference teaches it is conventional to have wherein the compute part has, as the software, a hypervisor, a guest OS operating on the hypervisor, and an application operating on the guest OS, when the application is operating, the agent transmits the authentication request and stores the token, and upon request by the application, the hypervisor transmits the I/O request. (paragraph 26, where, utilizing the security token, in response to a data I/O request by Application 148A to a LUN of storage portion 174A, guest OS 144A generates an authentication token to embed with a data I/O request to hypervisor OS 146. In an embodiment, once the data I/O request enters hypervisor OS 146, hypervisor OS 146 may generate another authentication token based on hypervisor OS 146 security token and embed the authorization token in the data I/O request sent to MTSS 170. In such an embodiment, storage management controller 171 may authenticate both authorization tokens: guest OS 144A generated authentication token and hypervisor OS 146 generated authentication token, before servicing the data I/O request against storage portion 174A of storage pool 178)


It would have been obvious to a person of ordinary skill in the art before the claimed invention was effectively filed to modify the Koorapati reference to have wherein wherein the compute part has, as the software, a hypervisor, a guest OS operating on the hypervisor, and an application operating on the guest OS, when the application is operating, the agent transmits the authentication request and stores the token, and upon request by the application, the hypervisor transmits the I/O request, as taught by the Bagal reference.
The suggestion/motivation for doing so would have been to allow logically isolating data I/O requests from different operating systems (OSes) for a same multi-tenant storage system (MTSS), which allows techniques to provide for OSes and the MTSS to obtain security tokens associated with the OSes.  (Bagal, abstract)
Therefore it would have been obvious to combine the Koorapati and Bagal references for the benefits shown above to obtain the invention as specified in the claim.

   3.   RELEVANT ART CITED BY THE EXAMINER
	The following prior art made of record and not relied upon is cited to establish the level of skill in the applicant's art and those arts considered reasonably pertinent to applicant's disclosure.  See MPEP 707.05(c).
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. These references include:
	Tomar (US 20170228532 A1), which teaches a method enables utilizing a storage management controller to initiate a secure connection with the authentication system and using identification information queries for security tokens of hypervisor OS and guest OS in security token data; and
Wieker (US 10742414 B1), which teaches systems and methods for controlling data access through the interaction of a short-range transceiver, such as a contactless card, with a client device are presented. Data access control may be provided in the context of creating and accessing a secure memory block in a client device, including handling requests to obtain create and access a secure memory block via the interaction of a short-range transceiver, such as a contactless card, with a client device such that, once the secure memory block is created in memory of the client device, personal user data may be stored in the secure memory block, and access to the stored personal user data may only be provided to users authorized to review the data. An exemplary system and method may include receiving from a client device of the user a user token and a request for a data storage key, the request generated in response to a tap action between a contactless card and the client device, the contactless card associated with the user, verifying that the user is authorized to create a secure memory data block on the client device, and transmitting to the client device the data storage key, such that the client device may create a secure memory data block in memory of the client device and encrypt the secure memory data block using the data storage key.





   4.  CLOSING COMMENTS
	Conclusion
        a.   STATUS OF CLAIMS IN THE APPLICATION
	The following is a summary of the treatment and status of all claims in the application as recommended by M.P.E.P. ' 707.07(i):
        a(1)  CLAIMS REJECTED IN THE APPLICATION
	Per the instant office action, claims 1-9 have received a first action on the merits and are subject of a first action non-final.
      b.   DIRECTION OF FUTURE CORRESPONDENCES 
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Prasith Thammavong whose telephone number is (571) 270-1040 can normally be reached on Monday through Friday, 1-9:30 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arpan Savla can be reached on (571) 272-1077.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PRASITH THAMMAVONG/
Primary Examiner, Art Unit 2137