DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Cameron Zinsli (Reg. No. 70,028) on July 15, 2022.

Claims
The application has been amended as follows: 

Regarding claim 1: (Currently Amended) A computer-implemented method comprising:
receiving, at an access control service of a provider network, a first request to create a session with the provider network from an electronic device, the first request including a first one or more attributes and an identification of a role to assume for the session, wherein the first one or more attributes include a user-specified session tag to affect resource permissions of the session with the provider network;
permitting the first request based at least in part on an evaluation of a first rule with at least one attribute of the first one or more attributes, wherein the first rule governs whether the role can be assumed;
generating session data including the user-specified session tag, wherein generating session data includes replacing a value of another attribute with a value of the user-specified session tag, wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request or a second attribute associated with the role via a role object stored in the provider network, and wherein the user-specified session tag and the other attribute share a key name;
sending the session data to the electronic device;
receiving, at a resource interface, a second request to access a resource hosted by the provider network, the second request including the session data;
obtaining the user-specified session tag from the session data received in the second request; and
permitting the second request based at least in part on evaluation of a second rule with at least the user-specified session tag obtained from the session data received in the second request, wherein the second rule governs whether the resource can be accessed.

Regarding claim 2: (Currently Cancelled)

Regarding claim 4: (Currently Amended) A computer-implemented method comprising:
receiving a first request to create a first session with a provider network, the first request including a first one or more attributes and an identification of a role to assume for the first session, wherein the first one or more attributes include a user-specified session tag to affect resource permissions of the session with the provider network;
generating first session data including the user-specified session tag, wherein generating first session data includes replacing a value of another attribute with a value of the user-specified session tag, wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request or a second attribute associated with the role via a role object stored in the provider network, and wherein the user-specified session tag and the other attribute share a key name;
receiving a second request to access a resource hosted by the provider network;
obtaining the user-specified session tag from the first session data based at least in part on the second request; and
permitting the second request based at least in part on the user-specified session tag obtained from the first session data.

Regarding claim 6: (Currently Cancelled)

Regarding claim 15: (Currently Amended) A system comprising:
a first one or more electronic devices implementing an access control service, the access control service including instructions that upon execution cause the first one or more electronic devices to:
receive a first request to create a first session with a provider network, the first request including a first one or more attributes and an identification of a role to assume for the first session, wherein the first one or more attributes include a user-specified session tag to affect resource permissions of the session with the provider network; and
generate first session data including the user-specified session tag, wherein to generate first session data includes replacing a value of another attribute with a value of the user-specified session tag, wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request or a second attribute associated with the role via a role object stored in the provider network, and wherein the user-specified session tag and the other attribute share a key name;
a second one or more electronic devices implementing a resource interface, the resource interface including instructions that upon execution cause the second one or more electronic devices to:
receive a second request to access a resource hosted by the provider network;
obtain the user-specified session tag from the first session data based at least in part on the second request; and
permit the second request based at least in part on the user-specified session tag obtained from the first session data.

Regarding claim 17: (Currently Cancelled)

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Claims 1, 3-5, 7-16 and 18-20 are considered allowable.

The Prior Art Mathew et al. US Patent Application Publication No. 2019/0014102 relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attribute preserved in identity stores across the multiple data centers. The prerequisite for session creation at a data center may be to update the identity attribute of the user to that data center's identifier. If the identity attribute can be updated successfully, the access manager can create a new SSO session at that data center. Updates to the identity attribute may be synchronized across all of the data centers, with each data center aware of any existing sessions based on the current value of the identity attribute.
The Prior Art Mandadi et al. US Patent No. 9894067 teaches techniques for using short-term credentials with access roles across regions. A request to assume a role associated with resources in a first region is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a short-term session credential that includes a session key and that can be used to assume the role. The user in the second region then assumes the role and, accordingly, can use the short-term session credentials to access the resources in the first region.
The Prior Art HUANG et al. US Patent Application Publication No. 2014/0172854 teaches methods and systems for anonymizing a dataset that correlates a set of entities with respective attributes. The method may include: for each entity included in a set of entities, transforming two or more attribute values associated with the entity using received preference information, thereby creating for the entity a set of two or more transformed attribute values; clustering the entities included in the set of entities using said transformed attribute values to form at least a first entity cluster consisting of a first subset of the entities and a second entity cluster consisting of a second subset of the entities, wherein no entity included in the first entity cluster is included in the second entity cluster; anonymizing the first subset of entities; and anonymizing the second subset of entities.
The instant application is allowable over Mathew et al., Mandadi et al. and HUANG et al. described above, either singularly or in combination, due to the instant application teaching different and detailed techniques for managing permissions to cloud-based resources with session-specific attributes. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.
The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitations of “the first request including a first one or more attributes and an identification of a role to assume for the session, wherein the first one or more attributes include a user-specified session tag to affect resource permissions of the session with the provider network; generating session data including the user-specified session tag, wherein generating session data includes replacing a value of another attribute with a value of the user-specified session tag, wherein the other attribute is at least one of a first attribute specified in an identity provider credential included with the first request or a second attribute associated with the role via a role object stored in the provider network, and wherein the user-specified session tag and the other attribute share a key name; and permitting the second request based at least in part on evaluation of a second rule with at least the user-specified session tag obtained from the session data received in the second request, wherein the second rule governs whether the resource can be accessed” as recited in independent claims 1, 4 and 15 in combination with the remaining elements of the claim as a whole. Therefore, the claims of the instant application are allowable over the cited prior art.
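The following is an added worked model of the two-step flow the examiner summarizes above (assume a role with user-specified session tags, then evaluate a resource rule against the tags carried in the session data). It is example code written for this page, not code from the application, the applicant, or any cited reference. Everything concrete in it is an assumption for illustration: role objects and rules are plain Python dictionaries and callables, the "first rule" and "second rule" are the `assume_rule` and `RESOURCE_RULES` callables, and the session data is integrity-protected with an HMAC under a constructed `SERVICE_KEY` because the electronic device forwards that data in the second request and the resource interface must be able to trust it. The replacement step is the one the claims recite: a session tag whose key name matches an identity provider credential attribute or a role-attached attribute replaces that value, and the code records which source each final value came from.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict

Attributes = Dict[str, str]
Rule = Callable[[Attributes], bool]

# Constructed sample key: how session data is integrity-protected is an
# assumption of this example, not something the claims specify.
SERVICE_KEY = b"constructed-example-key-not-for-production"

# Constructed role objects stored "in the provider network": attributes attached
# to the role plus the first rule, which governs whether the role can be assumed.
ROLE_OBJECTS = {
    "ReportReader": {
        "attributes": {"team": "analytics", "env": "prod"},
        "assume_rule": lambda attrs: attrs.get("org") == "acme"
        and attrs.get("project") in {"ledger", "reports"},
    }
}

# Constructed second rules, one per resource. They are evaluated against the
# session tags obtained from the session data, not against the caller's identity.
RESOURCE_RULES: Dict[str, Rule] = {
    "reports/finance": lambda tags: tags.get("team") == "finance" and tags.get("env") == "prod",
    "reports/analytics": lambda tags: tags.get("team") == "analytics" and tags.get("env") == "prod",
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized session payload (assumed protection scheme)."""
    return hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()


def create_session(request: dict) -> str:
    """Access control service: handle the first request and return session data."""
    role = ROLE_OBJECTS[request["role"]]
    idp_attrs: Attributes = request.get("idp_credential", {})
    session_tags: Attributes = request.get("session_tags", {})

    # First rule: evaluated with the attributes the request carries.
    candidate = {**role["attributes"], **idp_attrs, **session_tags}
    if not role["assume_rule"](candidate):
        raise PermissionError("role assumption denied by first rule")

    # Generate session data. Later layers replace earlier values that share a
    # key name, so a user-specified session tag replaces both the identity
    # provider credential attribute and the role-attached attribute.
    effective: Attributes = {}
    provenance: Dict[str, str] = {}
    for source, attrs in (("role", role["attributes"]),
                          ("idp", idp_attrs),
                          ("session_tag", session_tags)):
        for key, value in attrs.items():
            effective[key] = value
            provenance[key] = source

    payload = json.dumps(
        {"role": request["role"], "tags": effective, "provenance": provenance},
        sort_keys=True,
    ).encode()
    token = base64.urlsafe_b64encode(payload).decode()
    return f"{token}.{_sign(payload)}"


def parse_session(session_data: str) -> dict:
    """Resource interface: verify and decode the session data from the second request."""
    token, _, sig = session_data.rpartition(".")
    payload = base64.urlsafe_b64decode(token.encode())
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("session data failed integrity check")
    return json.loads(payload)


def access_resource(resource: str, session_data: str) -> bool:
    """Resource interface: permit the second request only if the second rule passes."""
    try:
        session = parse_session(session_data)
    except (PermissionError, ValueError):
        return False  # tampered, truncated or malformed session data
    rule = RESOURCE_RULES.get(resource)
    return bool(rule and rule(session["tags"]))


if __name__ == "__main__":
    # Constructed first request: the IdP credential and the role both carry a
    # "team" attribute; the session tag with the same key name replaces it.
    first_request = {
        "role": "ReportReader",
        "idp_credential": {"org": "acme", "team": "analytics", "user": "alice"},
        "session_tags": {"team": "finance", "project": "ledger"},
    }
    session_data = create_session(first_request)
    print(parse_session(session_data)["provenance"])
    print(access_resource("reports/finance", session_data))    # True
    print(access_resource("reports/analytics", session_data))  # False
```

In this model the user-specified tag changes the session's effective permissions (finance reports become readable, analytics reports do not), which is exactly why the first rule has to see the proposed tags before the role is assumed: the role's assume rule is the only control point at which a provider can constrain which tags a caller may set.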
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439