Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 24 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention. The term “enough” in claim 24 is a relative term which renders the claim indefinite. The term “enough” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. In claim 24, the term “enough” in the limitation “the security object is secure enough” renders the limitation ambiguous because the degree to which the security object must be secure is not defined.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-24 are rejected under 35 U.S.C. 103 as being unpatentable over Melchione et al. (US 20020091819 A1, hereafter referred to as Melchione) in view of Lortz (US 20030018786).

As per claim 1:
Melchione discloses non-transitory computer-readable media comprising computer-readable instructions such that, when executed, cause one or more processors to:
restructure a policy hierarchy comprising ([0012]: A policy orchestrator server in communication with the network directory, the policy orchestrator server being adapted to determine a hierarchical tree structure containing the nodes based upon location of each node in the network topology, determine a policy for each node in the hierarchical tree structure, and communicate said policy to the corresponding node, and an agent corresponding to each device in the network of devices. The agent is in communication with the policy orchestrator server and the resources corresponding to the device and is adapted to receive data from the policy orchestrator server and to enforce the policies corresponding to the resources. The policies corresponding to the resources of each device are selectively inherited along the hierarchical tree structure).
a plurality of nodes by switching a child node of the plurality of nodes from being a child of a first parent node of the plurality of nodes to being a child of a second parent node of the plurality of nodes ([0046]: By utilizing the network directory, the network managed by the policy orchestrator system 100 may be self-healing when modifications to the network are made. For example, if a local client device is moved from one site to another, the local client device searches up the network control directory tree for the closest administrator or administrative user. That closest administrator is typically the one most closely associated with the physical site being managed. Once the local client device locates its closest administrator, the applicable properties, policies, scheduled tasks, and the like may be enforced and implemented upon the local client device by the policy orchestrator system 100 (Examiner's note: the local client device corresponds to the child node, and the closest administrator associated with the physical site in the LDAP directory tree structure corresponds to the parent node). [0058]: The LDAP directory of the LDAP server 104 contains entries making up components of the network under management. Each LDAP directory entry may be categorized as a group, user, or computer. The network administrator may configure the LDAP directory to represent the corporate network. In one example, each group may contain any combination of users, computers, and/or other groups as its child nodes. Each user may contain computers, and computers are the leaf nodes with no children. The scope pane may display various nodes such as the policy orchestrator root, the directory root, group, user, computer, software root, software node, and/or software package).
each of the plurality of nodes is associated with one or more policies, wherein each of the one or more policies are used to evaluate whether one or more security objects ([0042]:  To ensure the security of the policy orchestrator system 100, each agent 108 preferably generates its public and private key pair at its first execution and sends the public key to the policy orchestrator server 102. The policy orchestrator server 102 stores the agent's public key in the LDAP server 104 and when the agent 108 sends a package to the policy orchestrator server 102, the policy orchestrator server 102 verifies the key signature of the packet using the public key stored in the LDAP, as is known in the art. [0072]: Policy Management Module; [0073]: The policy management module of the management console 106 facilitates the administrator in managing the policies to be enforced upon the point products by the agents 108. In particular, the policy management module allows the network administrator to define the policy for each point product such that the defined policies can be enforced over the entire or a selective portion of the network or over one or more individual computers. Policies are inherited and, at each level, a decision can be made whether to enforce a given policy at that level. In other words, by default, policies are inherited top down from the parent but a decision can be made not to enforce the policy below a certain level or only at a given level. Policies for each point product can be configured for each user, group, or computer. After a policy is configured, the policy orchestrator server 102 and agent 108 enforce the policy at the client device. Modifications to a policy may be made by selecting a group, user, or computer and modifying the necessary attributes for the specified application via the management console 106. 
[0107] The agent property policy management module 164 may generally include various sub-modules such as agent public key management, create computer entry, update properties, create policy/task/site information files, package request response, uninstall agent, forward agent events sub-modules. [0111] To determine inheritance for users, the control values or settings of the network tree are first determined for the local client device. The device control values are then overlaid that with the inheritance of the user. Typically, the device inheritance includes settings for the device and settings pertaining to users in the device's container. In the absence of other policies, the policy in effect at the device would also apply to the users. However, if a different policy for the user or somewhere on the user path exists, that different policy will override the corresponding components of the device's policies as necessary).
after restructuring the policy hierarchy,
determine a set of policies by including the one or more policies associated with the second parent node and the one or more policies associated with the child node ([0044]: The policy orchestrator system 100 utilizes the network directory such as one provided by an NDS (Network Directory Services) or the LDAP server 104 to provide a tree structure for inheriting policies such as configuration or control settings and/or scheduled tasks. In other words, the network directory provides a tree structure for inheriting control settings down to the individual applications on local client devices. Inheritance generally refers to a hierarchy of properties and settings in which the setting closer to the object being managed but higher than the object itself in the hierarchy has a higher priority than those further away. Thus a task setting set high in the directory tree can be replaced by a closer/lower setting. This hierarchy may be utilized to implement management by exception on the network in which the administrator may set general rules and then set more specific rules on a case by case basis. [0045]: Thus, by using inheritance and utilizing the actual network directory, any setting can be established at any level in the directory tree. By setting a new value at a lower level, a higher, more general policy can be overridden. By setting a policy higher in the tree, it applies to more of the network. At the same time, higher level policies can be easily changed without accidentally disturbing finer controls established closer to the point of application because lower level policies overlay corresponding portions of high level policies).

Melchione does not explicitly disclose evaluating whether cryptographic attributes of the security object used to encrypt data are secure, or determining an acceptability of the security object based on the set of policies. Lortz, in analogous art, however, discloses evaluating whether cryptographic attributes of the security object used to encrypt data are secure ([0017], [0019]-[0020]: The policy manager uses public/private key cryptography to provide access control to the device policy data structure. Each principal entry can be identified by a key information attribute containing the public/private key information associated with the principal entry. The key information attribute manages access to the device policy data structure and allows secure communication with the authorization device. A principal uses the private key corresponding to the key information attribute to sign a request digitally and then sends the digitally signed request to the authorization device. The authorization device authenticates the received digitally signed request to determine whether to grant the principal access to the resource and the device policy data structure. Each resource name attribute can include an access control list (ACL) attribute. Each access control entry (ACE) attribute can include a subject attribute specifying the public/private key information associated with a particular principal identified by the first portion and who may be permitted to access a resource identified in a resource name attribute. [0021]-[0022]: The ACE attribute includes an access permission level attribute that can be set to one of four access levels of permission in decreasing order of authority: (1) "owner" level, which is the highest level of access, (2) "editor" level, which allows access for editing, (3) "reviewer" level, which allows access for reading only, and (4) "none" level, which denies all access. The permission level attribute can be arranged to provide a hierarchy of permission levels. Resource names can be hierarchically structured to allow inheritance of an access permission level from a parent node in the hierarchy); and determining an acceptability of the security object based on the set of policies ([0032]-[0034]: Once the policy manager has received the policy data, the policy manager authenticates the resource owner. Such authentication can include determining whether to accept a request to add the policy data or to accept a request to edit the policy data already stored in the centralized policy data structure. The policy manager then determines whether to accept the policy data based on the results of authenticating the resource owner. [0040]-[0042]: The policy manager evaluates the policy data found during the search process to determine whether the policy data grants the client access to the resource based on the client credentials and the access permission level. If the results of the evaluation reveal that the policy data does not grant the client access to the resource, then the policy manager performs an additional search for a user policy data structure associated with the resource name).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the evaluated objects and security objects disclosed by Melchione so that the evaluated objects are cryptographic attributes of the security object used to encrypt data, evaluated for whether the security object is secure, and so that an acceptability of the security object is determined based on the set of policies. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide a policy management system that allows a resource owner to participate in the definition and administration of policy data related to resources associated with a resource device, as suggested by Lortz ([0001]-[0003]).

As per claim 2:
Lortz discloses wherein the set of policies further comprises the one or more policies associated with a parent node of the child node ([0022]-[0023]: policy data corresponding to the inheritance structure; [0027]-[0029]).

As per claim 3:
Melchione discloses wherein the one or more processors are further configured to: build a policy cache comprising the one or more policies associated with the first parent node and the one or more policies associated with the child node; and in response to restructuring the policy hierarchy, rebuild the policy cache to comprise the set of policies ([0106]: software architecture of the policy orchestrator server 102. The policy orchestrator server 102 generally comprises a main server module 150, a server event log 152, an initialize and import LDAP data module 154, a server cache 156, a SPIPE communication layer 158, a LDAP ping thread 160, an update agent install package 162, an agent property and policy management module 164, console request/agent installation module 166, and an LDAP client interface 168. The LDAP ping thread 160 periodically checks the LDAP server 104 to determine if site information has changed and to confirm that the LDAP server 104 is running. As noted above, the console request/agent installation module 166 may achieve installation of an agent and/or any suitable point products at the client device by transmitting the installation package in an electronic mail transmission or by a push installation. Examiner's note: the server cache, together with the agent property and policy management module and the update agent module, is used to rebuild the policy).

As per claim 4:
Melchione discloses wherein restructuring the policy hierarchy comprises deleting the first parent node ([0063]: Modifying the LDAP directory by adding and/or deleting groups, users, and/or computers from the network, configuring the LDAP, managing software, configuring point products by setting and enforcing policies and properties, scheduling tasks to be performed, setting up software or silent installations, monitoring events and setting tasks over the network. [0094] The administrator configuration module of the management console 106 allows the policy orchestrator administrator to add, modify, and/or remove users from the system. The agent rollout module of the management console 106 allows the administrator to select one or more users, computer, or groups via the management console 106 for agent rollout).

As per claim 5:
Melchione discloses wherein restructuring the policy hierarchy comprises moving the first parent node away from being a parent of the child node ([0046]: By utilizing the network directory/hierarchy, the network managed by the policy orchestrator system 100 may be self-healing when modifications to the network are made. For example, if a local client device is moved from one site to another, the local client device searches up the network control directory tree for the closest administrator or administrative user. That closest administrator is typically the one most closely associated with the physical site being managed).

As per claim 6:
Melchione discloses wherein restructuring the policy hierarchy comprises inserting the second parent node as a parent of the child node ([0063]: Modifying the LDAP directory by adding and/or deleting groups, users, and/or computers from the network, configuring the LDAP, managing software, configuring point products by setting and enforcing policies and properties, scheduling tasks to be performed, setting up software or silent installations, monitoring events and setting tasks over the network. [0094]).

As per claim 7:
Melchione discloses wherein restructuring the policy hierarchy comprises moving the child node away from being a child of the first parent node to being a child of the second parent node ([0046]: By utilizing the network directory/hierarchy, the network managed by the policy orchestrator system 100 may be self-healing when modifications to the network are made. For example, if a local client device is moved from one site to another, the local client device searches up the network control directory tree for the closest administrator or administrative user).

As per claim 8:
Melchione discloses wherein the security object is allowed to encrypt the data in response to determining the acceptability of the security object based on the set of policies ([0040]: The policy orchestrator server 102 preferably communicates with the LDAP server 104 using LDAP v3 APIs, the console or user interface 106 using HTTP, and the agents 108 using SPIPE (secure pipes) based on HTTP. [0041]: SPIPE is a proprietary method for transmitting information in a secure manner using PGP (pretty good privacy) digital authentication methodology. It is to be understood that any other suitable method for transmitting information, preferably in a secure manner, may be utilized).

As per claim 9:
Melchione discloses wherein one of the set of policies is used to evaluate a size of the security object or a string length of the security object ([0047]: A single set of entries at the top of the management structure effects protection for the entire network tree. A local administrator can make adjustments to the policy set by the network administrator or by any administrator higher up in the directory tree as necessary and/or allowable by the network security limits. Typically, network security is managed within the network rather than within the user or management console of the product being managed).

As per claim 10:
Melchione discloses wherein the one or more processors are further configured to: determine that a first policy of the set of policies is in conflict with a second policy of the set of policies, wherein the first policy is associated with the child node, and the second policy is associated with the second parent node; and remove both the first policy and the second policy from the set of policies ([0063]: Modifying the LDAP directory by adding and/or deleting groups, users, and/or computers from the network, configuring the LDAP, managing software, configuring point products by setting and enforcing policies and properties, scheduling tasks to be performed, setting up software or silent installations, monitoring events and setting tasks over the network. [0109-0010]: In an inheritance determination method, the determination result (i.e., the control store) is first initialized to null. The control values or settings of the network tree are then read starting at the root and ending at the node being managed. At each node where control entries are found, these control values are written into the control store. In writing the most recently found control values, previously written conflicting control values in the control store are typically overwritten. After the determination is complete, the result is a cumulative inheritance of the object. This method of determining the inheritance is relatively simple to implement).
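The inheritance determination quoted above (root-to-node overlay of control values, later writes overwriting earlier conflicting ones) and the claim 1 flow of re-parenting a child node and then re-evaluating a security object's cryptographic attributes against the resulting set of policies, as an added illustration in Python. This is not code from the application or from either cited reference; the node names, policy keys and the sample key attributes are constructed for the example.

```python
"""Policy-hierarchy inheritance, re-parenting and security-object evaluation.

Added illustration, not code from the application or the cited references.
Policy keys ("min_key_bits", "allowed_algorithms", "max_validity_days"),
node names and the sample key are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PolicyNode:
    name: str
    parent: Optional["PolicyNode"] = None
    # policy name -> constraint value, e.g. "min_key_bits" -> 2048
    policies: Dict[str, object] = field(default_factory=dict)
    children: List["PolicyNode"] = field(default_factory=list)

    def add_child(self, child: "PolicyNode") -> "PolicyNode":
        child.parent = self
        self.children.append(child)
        return child


def reparent(child: PolicyNode, new_parent: PolicyNode) -> None:
    """Restructure the hierarchy: move `child` from its current parent to `new_parent`."""
    if child.parent is not None:
        child.parent.children.remove(child)
    new_parent.add_child(child)


def effective_policies(node: PolicyNode) -> Dict[str, object]:
    """Cumulative inheritance: read root to node, lower (closer) settings overwrite higher ones."""
    path, cur = [], node
    while cur is not None:
        path.append(cur)
        cur = cur.parent
    store: Dict[str, object] = {}      # the "control store", initialised empty
    for n in reversed(path):           # root first, managed node last
        store.update(n.policies)       # most recently read values overwrite conflicts
    return store


def evaluate_security_object(obj: Dict[str, object], policies: Dict[str, object]) -> List[str]:
    """Return policy violations for a key-like object; an empty list means acceptable."""
    violations: List[str] = []
    if "min_key_bits" in policies and obj.get("key_bits", 0) < policies["min_key_bits"]:
        violations.append(f"key_bits {obj.get('key_bits')} < {policies['min_key_bits']}")
    if "allowed_algorithms" in policies and obj.get("algorithm") not in policies["allowed_algorithms"]:
        violations.append(f"algorithm {obj.get('algorithm')!r} not allowed")
    if "max_validity_days" in policies and obj.get("validity_days", 0) > policies["max_validity_days"]:
        violations.append(f"validity_days {obj.get('validity_days')} > {policies['max_validity_days']}")
    return violations


def build_example_tree():
    """Constructed tree: a corporate root, two sites with different strictness, one host."""
    root = PolicyNode("corp", policies={"allowed_algorithms": {"RSA", "ECDSA"}, "min_key_bits": 2048})
    site_a = root.add_child(PolicyNode("site-a"))  # inherits the root settings unchanged
    site_b = root.add_child(PolicyNode("site-b", policies={"min_key_bits": 3072, "max_validity_days": 365}))
    host = site_a.add_child(PolicyNode("host-1", policies={"allowed_algorithms": {"RSA"}}))
    return root, site_a, site_b, host


def demo() -> Dict[str, List[str]]:
    """Evaluate one constructed key before and after moving host-1 from site-a to site-b."""
    root, site_a, site_b, host = build_example_tree()
    key = {"algorithm": "RSA", "key_bits": 2048, "validity_days": 730}  # constructed sample
    before = evaluate_security_object(key, effective_policies(host))
    reparent(host, site_b)  # switch the child node to a second parent node
    after = evaluate_security_object(key, effective_policies(host))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, "acceptable" if not result else result)
```

The same key is acceptable under site-a and rejected under site-b, which is the point of re-determining the policy set after the hierarchy changes.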

As per claims 11-15:
Claims 11-15 are directed to a method having substantially similar claimed limitations corresponding to claims 1-3, 8 and 9 respectively, and therefore claims 11-15 are rejected with the same rationale given above to reject the corresponding limitations of claims 1-3, 8 and 9 respectively.

As per claims 16-20:
Claims 16-20 are directed to a system, comprising: a memory; and a processor configured to have substantially similar claimed limitations corresponding to claims 1-3, 8 and 9 respectively, and therefore claims 16-20 are rejected with the same rationale given above to reject the corresponding limitations of claims 1-3, 8 and 9 respectively.

As per claim 21:
Lortz discloses wherein to determine an acceptability of the security object based on the set of policies comprises determining whether a value corresponding to an attribute of the security object is acceptable ([0021] The interpretation of the values specified in the access permission level attribute can depend on the particular resource device. The permission level attribute can be arranged to provide a hierarchy of permission levels. For example, a principal with a high access permission level also may be granted the privileges associated with a lower access permission level. [0050] A trust relationship can be established between the resource owner and the authorization device using public key cryptography techniques. A unique identifier (e.g., cryptographic hash value) of a public key can be incorporated into the policy data to also function as a global identifier. The use of public key cryptography can reduce the likelihood of collisions between resource owners when accessing the policy data stored in the centralized policy data structure).

As per claim 22:
Lortz discloses wherein to determine an acceptability of the security object based on the set of policies comprises determining whether a value corresponding to an attribute of the security object is within an acceptable range of values ([0021]: the ACE attribute can include an access permission level attribute that can be set to one of four access levels of permission in decreasing order of authority: "owner" level, "editor" level, "reviewer" level, and "none" level; a principal with a high access permission level may be granted the privileges associated with a lower access permission level).

As per claim 23:
Lortz discloses wherein to determine an acceptability of the security object based on the set of policies comprises determining whether at least one attribute of the security object meets the set of policies ([0022]-[0023]: inheritance attribute corresponding to the policies defined by the policy data).

As per claim 24:
Lortz discloses wherein the computer-readable instructions, when executed, further cause the one or more processors to receive a security object and at least one attribute associated with the security object; and wherein to determine an acceptability of the security object based on the set of policies comprises determining acceptability based on security and cryptographic considerations as to whether the security object is secure enough ([0047]-[0050]: the policy manager evaluates and enforces policy data and establishes a trust relationship).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the Notice of References Cited (form PTO-892) for additional prior art.

Applicant's submission of an information disclosure statement under 37 CFR 1.97(c) with the fee set forth in 37 CFR 1.17(p) on March 25, 2022 prompted the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 609.04(b).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO, whose telephone number is (571) 272-3784. The examiner can normally be reached from 9:30 am to 6:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JUNG W KIM, can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TECHANE GERGISO/Primary Examiner, Art Unit 2494