Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the application 17/069,376 filed on 11/04/2020. Claims 1-20 were canceled; claims 21-40 have been added. Claims 1, 32, and 40 are independent claims.  Claims 21-40 have been examined and are pending. This Action is made non-FINAL. 
This application is a Continuation of application No. 16/539,082 filed on Aug 13, 2019, Pat. No. 10,848,498.
Drawings
The drawings were received on 10/13/2020.  These drawings are reviewed and accepted by the Examiner.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 10/13/2022, is being considered by the examiner.

Claim Objections
Claim 29 is objected to because of the following informalities: 
Claim 29 recites “each component” in line 1. It is suggested that claim 29 be further amended to recite “each component name” to avoid a potential antecedent basis issue.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 21, 32, and 40 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 11, and 18 of U.S. Patent No. 10,848,498, respectively in view of Bloesch (“Bloesch,” US 2009/0276834, published Nov. 5, 2009).
Regarding claim 21, Claim 1 of U.S. Patent No. 10,848,498 discloses all the limitations of claim 21 except “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.”
However, in an analogous art, Bloesch discloses “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the system of claim 1 of U.S. Patent No. 10,848,498 to include “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).
Regarding claim 32, Claim 32 of U.S. Patent No. 10,848,498 discloses all the limitations of the claim 11 except “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.”
However, in an analogous art, Bloesch discloses “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the method of claim 11 of U.S. Patent No. 10,848,498 to include “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).
Regarding claim 40, Claim 40 of U.S. Patent No. 10,848,498 discloses all the limitations of the claim 18 except “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the user has within the application,”
However, in an analogous art, Bloesch discloses “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the non-transitory computer-accessible medium of claim 18 of U.S. Patent No. 10,848,498 to include “an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 21-25, 32-35, and 37-40 are rejected under 35 U.S.C. 103 as being unpatentable over Chang et al. (“Chang,” US 2017/0337391, published Nov. 23, 2017), in view of Torman et al. (“Torman,” US 2015/0106736, published Apr. 16, 2015), and further view of Bloesch (“Bloesch,” US 2009/0276834, published Nov. 5, 2009).
Regarding claim 21, Chang discloses a system, comprising: 
a server for providing an application to users (Chang: fig. 4, Permission Server (405), Verification Server (410); fig. 1, application platform 18, pars. 0036, 0038, Application platform 18 may be a framework that allows the applications of system 16 to run, such as the hardware and/or software, e.g., the operating system.  In some implementations, application platform 18 enables creation, managing and executing one or more applications developed by the provider of the on-demand database service, users accessing the on-demand database service via user systems 12); 
an access permission database accessible by the server for storing permanent access permissions for the users, wherein the permanent access permissions are role-based authorizations that determine a level of access the users have within the application (Chang: fig. 4, Permission Database (415); par. 0034, managing a user's permissions across various sets of access controls and across types of users.  Administrators who use this tooling can effectively reduce their time managing a user's rights, integrate with external systems, and report on rights for auditing and troubleshooting purposes; par. 0039); and 
a memory that stores temporary access permissions for a first user while the application is executing, the memory being accessible by the server (Chang: fig. 2, pars. 0047-0048; memory systems);
wherein the application is configured to: 
retrieve the permanent access permissions for the first user from the access permission database (Chang: pars. 0030, 0033, 0087; the permission server may also analyze multiple permission sets that fit the criteria data.  Certain permission sets may be preferred and assigned to a user);
 provide a user interface for the first user (Chang: par. 0026, user interface); 
an authentication of the first user (Chang: par.0024, A user session may be detected after the user logs in and is authenticated by the system); 
provide an event handler that dynamically modifies at least one temporary access permission for the first user by applying to the first user (Chang: par. 0039, the users of user systems 12 may differ in their respective capacities, and the capacity of a particular user system 12 might be entirely determined by permissions (permission levels) for the current user.  For example, where a salesperson is using a particular user system 12 to interact with system 16, that user system has the capacities allotted to that salesperson.  However, while an administrator is using that user system to interact with system 16, that user system has the capacities allotted to that administrator.  In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible by a lower permission level user, but may not have access to certain applications, database information, and data accessible by a user at a higher permission level.  Thus, different users will have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level, also called authorization) at least one selected access permission from a group of a scope limited access permission (Chang: par. 0039, the users of user systems 12 may differ in their respective capacities, and the capacity of a particular user system 12 might be entirely determined by permissions (permission levels) for the current user; See also pars. 0023, 0026, 0044) or a temporally limited access permission; and 
provide an authorization process that determines whether a request from the user interface is authorized before processing the request using the permanent access permissions, the temporary access permissions, and the at least one selected access permission (Chang: par.0024, Activation may be dependent on whether a user session is detected and whether some qualification requirements associated with the user and/or user session are satisfied. A user session may be detected after the user logs in and is authenticated by the system).
Chang does not explicitly disclose determine a set of default access permissions for the first user based on the permanent access permissions, wherein the set of default access permissions are role-based authorizations; store the set of default access permissions as the temporary access permissions in the memory.
However, in an analogous art, Torman discloses role-based presentation of user interface, wherein
determine a set of default access permissions for the first user based on the permanent access permissions (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role"), wherein the set of default access permissions are role-based authorizations (Torman: par. 0116); and 
store the set of default access permissions as the temporary access permissions in the memory (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Torman with the method and system of Chang to include “determine a set of default access permissions for the first user based on the permanent access permissions, wherein the set of default access permissions are role-based authorizations;” “store the set of default access permissions as the temporary access permissions in the memory.” One would have been motivated to balance the on-demand service requests between the pods can assist in improving the use of resources, increasing throughput, reducing response times, or reducing overhead (Torman: par. 0058).
Chang discloses provide an event handler that dynamically modifies at least one temporary access permission for the first user by applying to the first user at least one selected access permission from a group of a scope limited access permission or a temporally limited access permission but does not explicitly disclose wherein the selected access permission is an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application; 
However, in an analogous art, Bloesch discloses wherein selected access permission is an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the method and system of Chang and Torman to include “wherein selected access permission is an attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application.” One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).
Regarding claim 22, the combination of Chang, Torman, and Bloesch teaches the system of claim 21. The combination of Chang, Torman, and Bloesch further discloses wherein the event handler is configured to handle an event by dynamically modifying access to functionality in the user interface based on the event, the event including at least one selected from a group of (i) a change in the user's default access permissions, (ii) a scope limitation (Chang: par. 0039), (iii) a time duration limitation, (iv) rules, or (v) logic.
Regarding claim 23, the combination of Chang, Torman, and Bloesch teaches the system of claim 21. The combination of Chang, Torman, and Bloesch further discloses wherein the scope limited access permission limits actions associated with at least one of (i) specified files, (ii) file types, (iii) file classifications, (iv) software objects, (v) variables (Chang: par. 0039, In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible), (vi) data structures (Chang: par. 0039, In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible. 0038), (vii) functions, or (viii) state.
Regarding claim 24, the combination of Chang, Torman, and Bloesch teaches the system of claim 21. The combination of Chang, Torman, and Bloesch further teaches wherein the temporally limited access permission limits at least one action for the first user based on a control time threshold, the control time threshold being periodic or set on an as-needed basis (Chang: par. 0039, different users will have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level, also called authorization; See also, par. 0098).
Regarding claim 25, the combination of Chang, Torman, and Bloesch teaches the system of claim 21. The combination of Chang, Torman, and Bloesch further teaches wherein the permanent access permissions include one or more security groups of users, the users in each security group having a same set of the access permissions (Chang: par. 0098, Permission sets 605, 610, and 615 may also be assigned to a variety of users 620, 625, and 630. The permission sets may provide a more modular form of groupings of permissions than profiles. As such, a single user may be assigned multiple permission sets tailored to their particular access needs. For example, permission set 605 is assigned to users 620, 625, and 630).
Regarding claim 27, the combination of Chang, Torman, and Bloesch teaches the system of claim 25. The combination of Chang, Torman, and Bloesch further teaches wherein the application is further configured to dynamically modify at least one of the temporary access permissions of a user of a respective security group (Chang: par. 0103, an assignment of a permission set may be removed or revoked from a user. For example, as discussed above, user 625 may be assigned permission sets 605 (i.e., a permission set associated with "engineers") and 610 (i.e., a permission set associated with "California"). If user 625 transfers from California to Alabama, a system administrator may desire to revoke the assignment of permission set 610 to user 625).
Regarding claim 28, the combination of Chang, Torman, and Bloesch teaches the system of claim 27.  The combination of Chang, Torman, and Bloesch further teaches wherein the application is further configured to remove the user from the security group when the dynamic modification of the temporary access permissions is inconsistent with the security group (Chang: par. 0103, an assignment of a permission set may be removed or revoked from a user.  For example, as discussed above, user 625 may be assigned permission sets 605 (i.e., a permission set associated with "engineers") and 610 (i.e., a permission set associated with "California").  If user 625 transfers from California to Alabama, a system administrator may desire to revoke the assignment of permission set 610 to user 625).
Regarding claim 29, the combination of Chang, Torman, and Bloesch teaches the system of claim 21. The combination of Chang, Torman, and Bloesch further discloses, wherein each component in the application is given a unique name that is linked to the one or more policies, the component name being used to determine access levels for the users to provide the application a dynamic way to authorize the users (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Regarding claim 30, the combination of Chang, Torman, and Bloesch teaches the system of claim 21.  The combination of Chang, Torman, and Bloesch further teaches wherein the application is further configured to provide the user interface including only actions that are permitted for the first user (Chang: pars. 0026, 0044, a user interface may be provided to enable the administrator to indicate that an assignment of a permission set to a user needs to be activated before the user can access the related resources…), and at least one of the actions is modified on the user interface based on a temporal limitation (Torman: par. 0116).
Regarding claim 32, Chang discloses a method, comprising: 
 storing permanent access control permissions for users of an application in a database, wherein the permanent access control permissions are role-based authorizations that determine a level of access the users have within the application (Chang: fig. 4, Permission Database (415); par. 0034, managing a user's permissions across various sets of access controls and across types of users.  Administrators who use this tooling can effectively reduce their time managing a user's rights, integrate with external systems, and report on rights for auditing and troubleshooting purposes; pars. 0039, 0087); 
providing a user interface configured to receive one or more credentials used to authenticate a first user of the users (Chang: pars. 0026, 0044, a user interface may be provided to enable the administrator to indicate that an assignment of a permission set to a user needs to be activated before the user can access the related resources.  For instance, the administrator may select an option on the user interface to block access to the resources until the assignment is activated); 
an authentication of a first user (Chang: par.0024, A user session may be detected after the user logs in and is authenticated by the system); 
providing an event handler that dynamically modifies at least one temporary access permission for the first user by applying to the first user (Chang: par. 0039, the users of user systems 12 may differ in their respective capacities, and the capacity of a particular user system 12 might be entirely determined by permissions (permission levels) for the current user.  For example, where a salesperson is using a particular user system 12 to interact with system 16, that user system has the capacities allotted to that salesperson.  However, while an administrator is using that user system to interact with system 16, that user system has the capacities allotted to that administrator.  In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible by a lower permission level user, but may not have access to certain applications, database information, and data accessible by a user at a higher permission level.  Thus, different users will have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level, also called authorization) at least one selected access control permission from a group of a scope limited access control permission (Chang: par. 0039, the users of user systems 12 may differ in their respective capacities, and the capacity of a particular user system 12 might be entirely determined by permissions (permission levels) for the current user; See also pars. 0023, 0026, 0044); and 
providing an authorization process that determines whether a request from the user interface is authorized before processing the request, using the temporary access permissions, and the at least one selected access control permission (Chang: par.0024, Activation may be dependent on whether a user session is detected and whether some qualification requirements associated with the user and/or user session are satisfied. A user session may be detected after the user logs in and is authenticated by the system).
Chang does not explicitly disclose determining a set of temporary access permissions for the first user based on the respective permanent access control permissions, wherein the set of temporary access permissions are role-based authorizations; and a temporally limited access control permission;
However, in an analogous art, Torman discloses role-based presentation of user interface, wherein determining a set of temporary access permissions for the first user based on the respective permanent access control permissions (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role"), wherein the set of temporary access permissions are role-based authorizations (Torman: par. 0116); and a temporally limited access control permission (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Torman with the method and system of Chang to include determining a set of temporary access permissions for the first user based on the respective permanent access control permissions, wherein the set of temporary access permissions are role-based authorizations; and a temporally limited access control permission. One would have been motivated to balance the on-demand service requests between the pods can assist in improving the use of resources, increasing throughput, reducing response times, or reducing overhead (Torman: par. 0058).
Chang does not explicitly disclose wherein the selected access control permission is an attribute-based authorization based on one or more policies created to apply a non-role-based authorization for the user within the application.
However, in an analogous art, Bloesch discloses wherein the selected access control permission is an attribute-based authorization based on one or more policies created to apply a non-role-based authorization for the user within the application (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the method and system of Chang and Torman to include “wherein the selected access control permission is an attribute-based authorization based on one or more policies created to apply a non-role-based authorization for the user within the application.” One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).
Regarding claim 33, the combination of Chang, Torman, and Bloesch teaches the method of claim 32. The combination of Chang, Torman, and Bloesch further teaches comprising: determining a default set of access control permissions for the user interface (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role")); and providing a login process as part of the user interface (Chang: pars. 0024, 0026, a user session may be detected after the user logs in and is authenticated by the system).
 Regarding claim 34, the combination of Chang, Torman, and Bloesch teaches the method of claim 33. The combination of Chang, Torman, and Bloesch further discloses, wherein the login process includes limiting the user interface to what is authorized by the default set of access control permissions (Torman: par. 0116; Chang: pars. 0024, 0026).
Regarding claim 35, the combination of Chang, Torman, and Bloesch teaches the method of claim 32.  The combination of Chang, Torman, and Bloesch further teaches, wherein the dynamically modifying access to the at least one temporary access permission includes changing the access control permissions in the database (Chang: pars. 0093, 0096, permission 7 may provide “view all data” access for a database).
Regarding claim 37, the combination of Chang, Torman, and Bloesch teaches the method of claim 32. The combination of Chang, Torman, and Bloesch further teaches, wherein the application is a software development platform (Chang: par. 0038: application platform 18 enables creation, managing and executing one or more applications developed by the provider of the on-demand database service, users accessing the on-demand database service via user systems 12, or third party application developers accessing the on-demand database service via user systems 12) and the at least one selected access control permission from the group of the scope limited access control permission (Chang: par. 0039, different users will have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level, also called authorization) and the temporally limited access control permission is related to software development (Torman: par. 0116; Chang: par. 0038).
Regarding claim 38, the combination of Chang, Torman, and Bloesch teaches the method of claim 32. The combination of Chang, Torman, and Bloesch further teaches, wherein the user interface includes a user management process that provides tools for adding, updating, and deleting users (Chang: pars. 0093, 0096, permission 7 may provide “view all data” access for a database).
Regarding claim 39, the combination of Chang, Torman, and Bloesch teaches the method of claim 38. The combination of Chang, Torman, and Bloesch further teaches, wherein the user management process changes access control permissions in the database (Chang: pars. 0093, 0096, permission 7 may provide “view all data” access for a database).
Regarding claim 40, Chang discloses a non-transitory computer-accessible medium having stored thereon computer-executable instructions for dynamic and granular user access permissions, wherein upon execution by a computer arrangement comprising a processor, the instructions cause the computer arrangement to perform procedures comprising: 
providing a database interface (Chang: par. 0068, SQL management interface is equivalent to database interface; par. 0044, user interface device can be used to access data and applications hosted by system 16, and to perform searches on stored data and otherwise allow a user to interact with various GUI pages that may be presented to a user) to an access control permissions database (Chang: fig. 4, Permission Database (415); see also par. 0029) that stores at least one of roles, actions, or policies for users (Chang: par. 0088, query permission database 415 to select a permission set associated with the criteria from user system 12);
providing a user interface for a first user of the users (Chang: par. 0026, a user interface may be provided to enable the administrators to indicate that an assignment of a permission set to a user needs to be activated before the user can access the related resources); 
providing a login process that authenticates the first user (Chang: par. 0024, A user session may be detected after the user logs in and is authenticated by the system);
accessing permanent access control permissions for the first user using the database interface (Chang: par. 0005, users of an organization can access resources based on permissions granted to them by an administrator; See also, pars. 0025, 0026, 0044, 0068), wherein the permanent access control permissions are role-based authorizations that determine a level of access the first user has (Chang: par. 0088, permission server 405 may receive data regarding criteria, such as a geographic location, a level with an organizational hierarchy, title, an industry, a role, and/or a permission; pars. 0029, 0039, 100, 107); 
providing an event handler that dynamically modifies access to functionality in the user interface based on an event creating at least one temporary access control permission, wherein the at least one temporary access control permission is a scope limited (Chang: par. 0039, the users of user systems 12 may differ in their respective capacities, and the capacity of a particular user system 12 might be entirely determined by permissions (permission levels) for the current user; See also pars. 0023, 0026, 0044) or a temporally limited attribute-based authorization; and 
providing an authorization process that determines whether a request from the user interface is authorized before processing the request, using the permanent access control permissions from the administrator, and the at least one temporary access control permission (Chang: par. 0024, Activation may be dependent on whether a user session is detected and whether some qualification requirements associated with the user and/or user session are satisfied. A user session may be detected after the user logs in and is authenticated by the system).
Chang discloses providing a login process that authenticates the first user but does not explicitly disclose and determines a default set of access control permissions for the first user for the user interface, wherein the default access control permissions are role-based authorizations.
However, in an analogous art, Torman discloses role-based presentation of user interface, and determines a default set of access control permissions for the first user for the user interface, wherein the default access control permissions are role-based authorizations (Torman: par. 0116, the permissions included in the user's user profile (for example, the default set of permissions 506) can remain fixed or unchanged across users associated with a particular standard user profile, while the permissions granted to a particular one of the users [i.e. role] at a particular time can be based on, for example, a current, new, temporary, or time-varying role, sub-role (within a larger role), set of duties, task, assignment, responsibility, or a combination of these (also referred to collectively herein as a "role")), wherein the default access control permissions are role-based authorizations (Torman: par. 0116).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Torman with the method and system of Chang to include “determines a default set of access control permissions for the first user for the user interface, wherein the default access control permissions are role-based authorizations.” One would have been motivated to do so because balancing the on-demand service requests between the pods can assist in improving the use of resources, increasing throughput, reducing response times, or reducing overhead (Torman: par. 0058).
Chang discloses providing an event handler that dynamically modifies access to functionality in the user interface based on an event creating at least one temporary access control permission, wherein the at least one temporary access control permission is a scope limited or a temporally limited attribute-based authorization but does not explicitly disclose based on one or more policies created to determine a non-role-based authorization the user has within the application.
However, in an analogous art, Bloesch discloses wherein attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application (Bloesch: figs. 1A & 1D (claims-based security information); pars. 0045, 0065, Policy information and security claims can be configured in any of a variety of different ways. In some embodiments, base tables are used for storing claims-based security information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bloesch with the method and system of Chang and Torman to include “attribute-based authorization based on one or more policies created to determine a non-role-based authorization the first user has within the application”.  One would have been motivated to secure the resource store with the claims-based security without including efforts to configure applications to match security models of different resource providers, controls the permission set of a group of users while reducing administration costs and the risk of users having an incorrect permission set, provides high performance, and high implementation of routines that return the permission sets for individual principals (Bloesch: pars. 0010-0011, 0069, 0071).
Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Chang et al. (“Chang,” US 2017/0337391, published Nov. 23, 2017), in view of Torman et al. (“Torman,” US 2015/0106736, published Apr. 16, 2015), further in view of Bloesch (“Bloesch,” US 2009/0276834, published Nov. 5, 2009), and Van Bijon et al. (“Van Bijon,” US 2012/0110651, published May 3, 2012).
Regarding claim 26, the combination of Chang, Torman, and Bloesch teaches the system of claim 25. Chang, Torman, and Bloesch do not explicitly disclose wherein at least one security group of the security groups includes one or more sub-groups that inherit the access permissions of the at least one security group.
However, in an analogous art, Van Bijon discloses wherein at least one security group of the security groups includes one or more sub-groups that inherit the access permissions of the at least one security group (Van Bijon: par. 0020, at least one subgroup of users a second set of permissions or privileges in addition to the first set of permissions or privileges inherited from the group, granting access to at least one cloud resource from a first set of resources based on the group of users, and granting access to at least one cloud resource from the first set of resources and a second set of resources to the at least one subgroup of users.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Van Bijon with the method and system of Chang, Torman, and Bloesch to include wherein at least one security group of the security groups includes one or more sub-groups that inherit the access permissions of the at least one security group. One would have been motivated to simplify different constraints with low complexity by making multiple constraints, thus allowing operation of efficient placement algorithm in the system (Van Bijon: par. 0209).
Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Chang et al. (“Chang,” US 2017/0337391, published Nov. 23, 2017), in view of Torman et al. (“Torman,” US 2015/0106736, published Apr. 16, 2015), further in view of Bloesch (“Bloesch,” US 2009/0276834, published Nov. 5, 2009), and Claux et al. (“Claux,” US 2013/0198627, published Aug. 1, 2013).
Regarding claim 31, the combination of Belgum, Torman, and Bloesch teaches the system of claim 21. Belgum, Torman, and Bloesch do not explicitly disclose wherein the application includes an administration application configured to dynamically manage authorization for the first user based on administration group membership and/or additional settings associated with the first user that is determined by an application administrator role.
However, in an analogous art, Claux discloses wherein the application includes an administration application configured to dynamically manage authorization for the first user based on administration group membership and/or additional settings associated with the first user that is determined by an application administrator role (Claux: par. 0024, Extension management application 130 may be operative to provide information technology (IT) administrators with a centralized interface for managing extension settings and access permissions on a per-user, user group, and/or organization wide basis.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Claux with the method and system of Belgum, Torman, and Bloesch to include wherein the application includes an administration application configured to dynamically manage authorization for the first user based on administration group membership and/or additional settings associated with the first user that is determined by an application administrator role. One would have been motivated to provide that the display rule is associated with a meta-data element of the document and the user preference is updated according to the modification, thus reducing the extension clutter and optimizing the experience of the user (Claux: pars. 0014, 0027).
Claim 36 is rejected under 35 U.S.C. 103 as being unpatentable over Chang et al. (“Chang,” US 2017/0337391, published Nov. 23, 2017), in view of Torman et al. (“Torman,” US 2015/0106736, published Apr. 16, 2015), further in view of Bloesch (“Bloesch,” US 2009/0276834, published Nov. 5, 2009), and Schlesinger et al. (“Schlesinger,” US 2017/0328725, published Nov. 16, 2017).
Regarding claim 36, the combination of Chang, Torman, and Bloesch teaches the method of claim 32. Chang, Torman, and Bloesch do not explicitly disclose, wherein the request from the user interface is a routing request.
However, in an analogous art, Schlesinger discloses wherein the request from the user interface is a routing request (Schlesinger: par. 0125, routing engine 260 can receive a routing request from a user provided from a user interface of a route planning application).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Schlesinger with the method and system of Chang, Torman, and Bloesch to include wherein the request from the user interface is a routing request. One would have been motivated to utilize estimated times to more accurately determine the route preference subscores, thus improving the accuracy of the route scores, and to enhance user efficiency in route planning using user preferences by effectively evaluating and predicting optimal routes for users (Schlesinger: pars. 0005, 0018).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
August 23rd, 2022

/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439