DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Remarks
	In Remarks filed on 5/10/2022, no claims were cancelled; claims 1, 5-7, 10, 14-20 were amended; no new claims were added. As a result claims 1-20 are pending, of which claims 1, 10, and 17 are in independent form.
	Amendment to Specification, para. [0038] obviates previous objection to Drawings.
	Applicant’s argument regarding Abstract objection is persuasive and previous Specification objection is withdrawn.
	Amendment to Specification obviates previous objection to Specification.
Response to Arguments
Applicant’s arguments in view of amendment of claims have been considered carefully and respectfully in regard to 35 USC 102 rejection but they are moot in view of a new ground of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 4, 6, 7, 10, 11, 13, 15-18 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gershfield et al. (U.S. 6578029B2) hereinafter Gershfield, in view of Beredimas et al. (US 2021/0006596 A1) hereinafter Beredimas. 
As to claim 1, Gershfield teaches a system comprising:
a first computing device configured to: 
receive a request for data for an application for a user from a second computing device (see Fig. 1, Col. 2 Lines 63-67, Col. 3 Lines 1-12 provide for computer 5 representing a first computing device and computers 18, 21 or 24 representing a second computing device to request data for an application by accessing the first computing device; see Fig. 3 Step 210 and Col. 11 Lines 41-48 provide for the user input representing the “request” for data for an application from the first computing device);
obtain, from a database, an attribute-based control policy for the application, where the attribute-based control policy defines permissions for the application based on a plurality of attributes (see Fig. 1, Col. 2 Lines 15-23, 63-67, Col. 3 Lines 1-12 provide for the attributes retrieval for the users to give access to an application based on a plurality of attributes representing the control policy); and
transmit the configuration data to the second computing device in response to the request (see Abstract, Col. 2 Lines 19-23 provide for the attributes retrieval for the second device representing the control policy; see Fig. 3 Step 215, Col. 11 Lines 49-53 and Col. 12 Lines 1-65 provide for the transmission of the relevant attributes representing the “attribute-based control policy” in response to the request from the user).
The Gershfield reference does not explicitly teach but Beredimas teaches the following limitations - wherein the request comprises an identifier of the user and a location of the user (see para. [0044] “The client device 202 may provide the user identifier in the request. In still other embodiments, the client device 202 may provide a unique identifier corresponding to the client device 202 with the request.”; see para. [0042] “The client device 202 may be configured to identify/generate a timestamp corresponding to the time of the input from the user and include the timestamp with the request. The client device 202 may be configured to identify a location of the client device 202 (e.g., based on geolocation data from a GPS sensor, based on a Wi-Fi network to which the client device 202 is connected, etc.). The client device 202 may be configured to include data corresponding to the location of the client device 202 in the request.”);
obtain, from the database, user attribute data for the user based on the identifier of the user, wherein the user attribute data identifies a facility and a time period (see Fig. 2 Namespaces 210 including namespaces including target attributes that matches the attributes in the request. The examiner interprets the Namespaces 210 as equivalent to the database. The examiner notes that the target includes attributes corresponding to the request attributes; see para. [0052]; see para. [0051] for namespace 210 having a local scope specific to a user. The examiner notes that the namespace with target attributes can be configured to be user-specific; see para. [0064]-[0066] and [0053]. It is noted that the domain-specific policy being generated includes conditions 302 that compare the request attributes with the target attribute values in determining permit or deny effect. The examiner broadly interprets this as the time and location attributes being used against or compared with the selected namespace’s target attribute values (e.g., target time and target location).);
generate configuration data for the application identifying whether each of a plurality of features are enabled for the user based on the attribute-based control policy for the application and the user attribute data (see para. [0056] “any number of domain-specific policies may be generated based on attributes from the request and the domain-specific policy grammars of a namespace 210 corresponding to the request, including policies specific to users (or types of users), network connections or conditions of the client device 202, and so forth.”), wherein the configuration data:
enable a first feature of the plurality of features based on the facility and the location of the user; disable a second feature of the plurality of features based on the location of the user; enable a third feature of the plurality of features based on the time period (see para. [0057] “The policy application engine 212 may apply the domain-specific policy generated by the policy generation engine 208 to the request to permit or deny access to the resource 206. The policy application engine 212 may receive the domain-specific policy from the policy generation engine 208. The policy application engine 212 may apply the domain-specific policy to the attributes of the request (e.g., the subject, action, object, or environment corresponding to the request). The policy application engine 212 may selectively permit/deny access to the resource 206 following application of the domain-specific policy to the request.”; The examiner notes that the request attributes can be compared with the target attributes in the selected domain-specific namespace in determining permit/deny decision for a resource request.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Gershfield and Beredimas before him or her, to modify the scheme of Gershfield by including Beredimas. The suggestion/motivation for doing so would have been to use extensible Attribute Based Access Control policy configuration using namespaces, selected based on attributes included in resource access request, providing for generating domain-specific policies applicable to a resource access request for permit/deny decision.

Claim 10 recites the same limitations as claim 1 for a method and thereby is rejected under the same rationale.

Claim 17 recites the same limitations as claim 1 for a non-transitory computer readable medium and thereby is rejected under the same rationale.

Regarding claim 2, Gershfield further teaches the system of claim 1, wherein the attribute-based control policy comprises an application node identifying the application, and a plurality of feature nodes identifying features of the application (Gershfield: Abstract, Col. 1 Lines 19-28, Col. 2 Lines 6-14, 18-23, Col. 3 Lines 13-39 provide for the attribute-based control policy which comprises restricting access by certain users or classes of users to one or more features of such application).

Claim 11 recites the same limitations as claim 2 for a method and thereby is rejected under the same rationale.
Claim 18 recites the same limitations as claim 2 for a non-transitory computer readable medium and thereby is rejected under the same rationale.
Regarding claim 4, Gershfield further teaches the system of claim 1, wherein the computing device is configured to identify the attribute-based control policy for the application from a plurality of attribute-based control policies based on an application identifier received in the request (Gershfield: Fig. 1, Col. 2 Lines 18-23, Col. 3 Lines 13-39 provide for identifying the attributes from a plurality of attributes from the database based on the application identifier coming from the second device).
Claim 13 recites the same limitations as claim 4 for a method and thereby is rejected under the same rationale.
Regarding claim 6, Gershfield further teaches the system of claim 1, wherein transmitting the attribute-based control policy to the second computing device causes the second computing device to configure the application based on the attribute-based control policy (Gershfield: Col. 2 Lines 18-23 provide for the second computing device to configure the application and run it based on the attributes from the first device).
Claim 15 recites the same limitations as claim 6 for a method and thereby is rejected under the same rationale.
Claim 20 recites the same limitations as claim 6 for a non-transitory computer readable medium and thereby is rejected under the same rationale.

Regarding claim 7, Gershfield teaches the system of claim 6, wherein transmitting the attribute-based control policy to the second computing device further causes the second computing device to obtain a plurality of user attributes for the user, and wherein configuring the application based on the attribute-based control policy comprises applying the plurality of user attributes for the user to the attribute-based control policy to determine features of the application to be enabled (Gershfield: Col. 3 Lines 13-39 provides for the plurality of user attributes for the user to determine features of the application to be enabled).
Claim 16 recites the same limitations as claim 7 for a method and thereby is rejected under the same rationale.


Claims 3, 5, 12, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gershfield, in view of Beredimas, further in view of Gu et al. (U.S. 10462184 B1) hereinafter Gu.
Regarding claim 3, the combination of Gershfield and Beredimas does not explicitly teach linking one feature node of the plurality of feature nodes to a location node, the location node being linked to at least one role node. However, Gu teaches this limitation (Gu: Col. 6 Lines 5-22 provides for the access control policy which may restrict access to content based on a variety of factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content, etc.).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gershfield and Beredimas to incorporate the teachings of Gu and provide a location-based feature linked to user role. Doing so would aid in incorporating a location-based access control feature into the system, thereby increasing the protection of the application resources against malicious user access attempts from a different location.
Claim 12 recites the same limitations as claim 3 for a method and thereby is rejected under the same rationale.
Claim 19 recites the same limitations as claim 3 for a non-transitory computer readable medium and thereby is rejected under the same rationale.
Regarding claim 5, the combination of Gershfield and Beredimas does not explicitly teach but Gu teaches about the attribute-based control policy comprising a location node identifying a location, and wherein the location node is linked to a feature node identifying a feature of the application (Gu: Col. 6 Lines 5-22 provides for the access control policy comprising various factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content etc).
Claim 14 recites the same limitations as claim 5 for a method and thereby is rejected under the same rationale.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Gershfield, in view of Beredimas, in view of Gu, and further in view of Smith et al. (U.S. 10218711B2) hereinafter Smith.
Regarding claim 8, Beredimas teaches the limitation “causes the second computing device to: obtain location data from a global positioning system (GPS); and determine a current location based on the location data” (see para. [0042] “The client device 202 may be configured to identify/generate a timestamp corresponding to the time of the input from the user and include the timestamp with the request. The client device 202 may be configured to identify a location of the client device 202 (e.g., based on geolocation data from a GPS sensor, based on a Wi-Fi network to which the client device 202 is connected, etc.). The client device 202 may be configured to include data corresponding to the location of the client device 202 in the request.”).
	The combination of Gershfield, Beredimas and Gu does not explicitly teach, but Smith teaches, the limitation “causes the second computing device to: wherein applying the plurality of user attributes for the user to the attribute-based control policy comprises: determining that the current location matches at least one location identified by a location node of the attribute-based control policy” (see Smith: Col. 10 Lines 1-64 provide for determining a current location of the user from the location data from a global positioning system (GPS) and determine that the location data matches with the location identified by the location node of the attribute-based control policy).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gershfield, Beredimas and Gu to incorporate the teachings of Smith and provide a location based feature where the location of the user matches the location information from the attributes-based control policy. Doing so would aid in incorporating location based access control feature to the system and configuring the application to enable the feature, thereby increasing the protection of the application resources against malicious user access attempts from a different location.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Gershfield, in view of Beredimas, in view of Gu, and further in view of Jasper et al. (U.S. 20210385190 A1) hereinafter Jasper.
Regarding claim 9, Gershfield further teaches the system of claim 1, wherein the computing device is configured to display a webpage to receive user inputs to generate the attribute-based control policy for the application (Gershfield: Col. 11 Lines 10-17 provides for website home pages to control the access to the applications being run in a database environment), wherein the attribute-based control policy comprises an application node identifying the application, a feature node identifying a feature of the application and linked to the application node (Gershfield: Abstract, Col. 1 Lines 19-28, Col. 2 Lines 6-14, 18-23, Col. 3 Lines 13-39 provide for the attribute-based control policy which comprises restricting access by certain users or classes of users to one or more features of such application).
Gu further teaches the control policy comprising at least one of a role node identifying a role and a location node identifying a location linked to the feature node (Gu: Col. 6 Lines 5-22 provides for the access control policy comprising various factors (features), such as identity (role) of the user, the time at which the user attempts to access the content, the location from where the user attempts to access the content etc).
The combination of Gershfield, Beredimas, and Gu does not explicitly teach but Jasper teaches about control policy comprising a facility node identifying a facility (Jasper: [0116] provides for the identity and security policy data for the user that has been imported from systems, including the user’s role, designated facility etc.)
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gershfield, Beredimas, and Gu to incorporate the teachings of Jasper and provide a facility node identifying a facility to the control policy, thereby increasing the protection of the application resources against malicious user access attempts from an unauthorized facility.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE K SONG whose telephone number is (571)270-3260. The examiner can normally be reached on M-F 9:00 am – 5:00 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-7291.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/HEE K SONG/Primary Examiner, Art Unit 2497