DETAILED ACTION
This is a non-final office action in response to applicant’s preliminary amendment filed on 4/30/2021.
Claim 1 is cancelled. Claims 2-21 are new claims. Claims 2-21 are pending and being considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Applicant’s claim for the benefit of a prior-filed application (15/420,038, now US Patent No. 11025635B2, filed on 1/30/2017) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 
Drawings
The drawings are objected to because:
In Fig. 2, abbreviation of “FP” is found without definition or referenced to a clear definition from the specification. 
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Objections
Claims 3-7, 10, 17-19 are objected to because of the following informalities:  
Claim 3 line 1-2, “wherein dynamically requesting further includes and providing the user with …” may read “wherein the dynamically requesting further includes 
Claim 10 line 2, missing period at end of the claim.
Claim 4 line 1, “wherein obtaining the access permissions …” may read “wherein the obtaining the access permissions …”.
Claim 5 line 1, “wherein receiving the access permissions …” may read “wherein the receiving the access permissions …”.
Claim 6 line 1, “wherein providing the access link …” may read “wherein the providing the access link …”. 
Similarly, claim 7.
Claim 11 line 1, “wherein maintaining further …” may read “wherein the maintaining further …”.
Claim 17 line 1, “wherein providing further includes …” may read “wherein the providing the access link further includes …”.
Similarly, for claim 19.
Claim 18 line 1, “wherein obtaining the approval …” may read “wherein the obtaining the approval …”.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 13-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 13 lines 13-14 recites “… in a first support session between the method and the service engineer”. It is not clear how the method is involved in the support session. In fact, the method is referring to the whole claim (A method comprising…). Applicant needs to clarify the claim language.
Claim 14 line 4 recites “a normal terminal of the second support session by …”. It is not clear what “normal terminal of the second support session” is. Applicant is suggested to clarify the claim language.
Claim 15 depends on claim 14, therefore is also rejected for the same reason.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 2, 13, 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 (or claim 13, 18) of US Patent No. 11025635B2 (hereinafter, “’635”) in view of Priebatch (US20150242850A1, hereinafter, “Priebatch”).
Claim 1 (or claim 13, claim 18) of ‘635 discloses all of the limitations recited in claim 2 (similarly claim 13, claim 20) of the instant application, except those limitations as highlighted in the table below. 
However, Priebatch in similar field of endeavor teaches those limitations as highlighted in the table, i.e. a token associated with the service engineer, the user's account, and the access permissions of claim 2, or a token linked to the user account, the approval, and the access permissions to the service engineer of claim 13, or associating the approval, the user account, the access permissions, the service engineer, and the service session with a token of claim 20 (Priebatsch, [Abstract] a facilitation token that includes authorization for a request manager to act on behalf of a resource is received from the request manager. A user-access token is also received from the request manager; the user-access token includes (i) a request, (ii) an identity of a user making the request, and (iii) permissions information. And [0008] a facilitation token comprising permissions to act with respect to a resource, electronically receiving, from the request-manager device, a request for goods or services from the resource and a user-access token comprising permissions to act on behalf of a user (i.e. user’s account), verifying the facilitation token and the user-access token and that granting the request is permitted by the resource and the user based at least in part on information in the facilitation token and user-access token). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Priebatsch in the secure remote support authorization of ‘635 by using user access token including request, user information and permission information. This would have been obvious because the person having ordinary skill in the art would have been motivated to facilitate token including authorization for a request manager to act on behalf of a user (Priebatsch, [0008]). 
Instant Application 17/243,874
US Patent No. 11025635B2
Claim 2. A method comprising: 





authenticating a service engineer in a first support session; 
receiving a request during the first support session from the service engineer requesting access to a user's account associated with a network service; 
dynamically requesting an approval of a user associated with the user account; 
obtaining access permissions to enforce on the service engineer for a second support session with the service engineer during which the service engineer has access to the user's account based on receiving the approval from the user; 
providing an access link to the service engineer during the first support session, wherein the access link comprises a token associated with the service engineer, the user's account, and the access permissions; 

receiving the token when the service engineer activates the access link within the first support session; 
obtaining the user account, the approval, and the access permissions from the token associated with the access link; 
and providing the service engineer access to the user account in the second support session while enforcing the access permissions against the service engineer during the second support session.
Claim 1. A method, comprising: providing executable instructions to a hardware processor from a non-transitory computer-readable storage medium of a server causing the hardware processor to perform operations comprising: 


receiving an access request from a first principal during a first authenticated session with the first principal; 

requesting a permission from a second principal associated with the access request and providing the second principal with contact details associated with the first principal and a geographic location where the first principal is located; 


delivering an access link to the first principal within the first authenticated session in response to the permission received back from the second principal; 
authenticating a second session for access by the first principal to an account of the second principal and in response to an activated access link that is activated by the first principal within the first authenticated session by processing an encrypted token included within the activated access link and authenticating the first principal and a first principal device operated by the first principal for the second session based on the encrypted token, wherein the authenticating further includes obtaining access permissions linked to the encrypted token and enforcing the access permissions during the second session that were defined in the permission provided by the second principal, wherein the access permissions include limited read access to first account resources associated with the account during the second session and wherein the access permissions include limited write access to second account resources associated with the account during the second session, wherein the authenticating further includes not authorizing access by the first principal to the account of the second principal when the activated access link is activated outside the first authenticated session; 
and terminating the second session in response to a detected termination event.
Claim 13. A method comprising: 







receiving a service request from a service engineer requesting access to a network service associated with a user's account of a user based on a service ticket being handled by the service engineer; 
identifying a service-engineer device being operated by the service engineer and a current location of the service engineer; obtaining contact information for the service engineer; 
requesting an approval in real time from the user to authorize the service engineer to access the network service using the user's account and providing the user the contact information for the service engineer and the current location of the service engineer; obtaining the approval and access permissions from the user; 
providing an access link comprising a token linked to the user account, the approval, and the access permissions to the service engineer in a first support session between the method and the service engineer; identifying an activation of the access link by the service engineer and obtaining the token; obtaining the user account, the approval, and the access permissions and authorizing the service engineer for access to the network service using the user's account; 
and enforcing the access permissions during a second support session during which the service engineer accesses the network service using the user's account.
Claim 13. A method, comprising: providing executable instructions to a hardware processor from a non-transitory computer-readable storage medium of a server causing the hardware processor to perform operations comprising: 

authenticating a remote service engineer during a first authenticated session; 
receiving from the remote service engineer during the first authentication session an access request to access an account of a user with a network-based service; 
requesting a permission from the user for the access request and providing the user with contact details associated with the remote service engineer and a geographic location where the remote service engineer is located; 
providing an access link to the remote service engineer within the first authenticated session for accessing the account in response to the permission provided by the user; authenticating the remote service engineer for a second authenticated session for accessing the account in response to the remote service engineer activating the access link within and from the first authenticated session by processing an encrypted token included within the access link and authenticating the remote service engineer and a remote service engineer operated device based on the encrypted token, wherein the authenticating further includes obtaining access permissions linked to the encrypted token and enforcing access permissions during the second authenticated session that were defined in the permission provided by the user, the access permissions include limited read access to first account resources associated with the account during the second authenticated session and the access permissions include limited write access to second account resources associated with the account during the second authenticated session, wherein authenticating further includes not authenticating the remote service engineer for the second authenticated session when the access link is activated by the remote service engineer outside of the first authenticated session; detecting a termination of the second authenticated session; 
and sending a termination notification to the user indicating that the second authenticated session has terminated in response to the termination.
Claim 20. A system comprising: a server comprising a processor and a non-transitory computer-readable storage medium; the non-transitory computer-readable storage medium comprising executable instructions; the executable instructions executed by the processor from the non-transitory computer-readable storage medium causing the processor to perform operations comprising: 
authenticating a service engineer and a service-engineer operated device for access to a service session; 
receiving a service request from the service engineer based on a service ticket that requests access to a network service using a user account of a user; 
obtaining contact information for the service engineer and a current location of the service-engineer operated device; 
obtaining user contact information for the user based on the user account; 
dynamically requesting an approval and access permissions to grant the service engineer for accessing the network service from the user and providing the user the contact information for the service engineer and the current location of the service-engineer operated device; 
obtaining the approval and the access permissions from the user; 
associating the approval, the user account, the access permissions, the service engineer, and the service session with a token; 
providing an access link comprising the token to the service engineer; 
detecting that the access link was activated by the service engineer; 
obtaining the token from the access link; obtaining the user account, access permissions, and an identifier for the service session from the token; 
ensuring that the access link was activated by the service engineer from within the service session; 
and granting access to the network service using the user account in accordance with the access permissions to the service engineer in a second support session.
Claim 18. A system, comprising: a server; and a remote authenticator; wherein the remote authenticator is configured to: (i) execute on at least one hardware processor of the server; (ii) obtain a permission from a user for a remote service engineer to access an account of the user and provide the user with contact details for the remote service engineer and a geographical location where the support engineer is located, and identify user-defined access permissions to access the account by the remote service engineer from the permission, (iii) provide a limited-access link comprising an encrypted token to the remote service engineer in response to the permission received from the user, wherein the limited-access link provided to the remote service engineer within a first authenticated session associated with the remote service engineer, and (iv) enforce the access permissions when the remote service engineer activates the limited-access link to access the account from within the first authenticated session based on successfully authenticating the remote service engineer and a remote service engineer operated device based on the encrypted token included within the limited-access link and obtaining the access permissions linked to the encrypted token that represent the permissions originally provided by the user, wherein the remote service engineer is not authenticated when the limited-access link is activated by the remote service engineer outside the first authenticated session, wherein the remote service engineer when authenticated establishes a second authenticated session with the remote service engineer to access the account, wherein the access permissions include limited read access to first account resources associated with the account during access of the account by the remote service engineer during the second authenticated session, and wherein the access permissions include limited write access to second account resources associated with the account during access of the account by the remote service engineer during the second authenticated session.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 2, 4-6, 9-12 are rejected under 35 U.S.C. 103 as being unpatentable over Baer et al (US 8,955,149B1, hereinafter, "Baer"), in view of Priebatch (US20150242850A1, hereinafter, “Priebatch”).
Regarding claim 2, Baer teaches:
A method (Baer, discloses method and system granting permission to another user on a computer network to impersonate himself or herself on the network for duration of a specified period, see [Abstract]) comprising: 
authenticating a service engineer in a first support session (Baer, [Col. 11 lines 17-21] The user identification and authentication service 144 authenticates the support representative's (i.e. service engineer) login credentials and verifies 204 whether the authenticated representative has permission to impersonate the identified user and access 205 the user data); Examiner notes it is the first support session once the service engineer is authenticated.
receiving a request during the first support session from the service engineer requesting access to a user's account associated with a network service (Baer, [Col. 10 lines 59-62] In FIG. 2, before granting the request, the user identification and authentication service 144 verifies 204 that the requesting representative is permitted to impersonate the customer. And referring to Fig. 14, and [Col. 15 lines 17-20] The access control module 145 of service provider environment 103 then receives an electronic request from the first user (i.e. service engineer) to access user data of a second user (i.e. user’s account), in box 1410); 
dynamically requesting an approval of a user associated with the user account (Baer, [Col. 6 lines 32-42] the trouble ticket computer service or system 162 may act as the intermediate entity and be configured to select a technical support representative that is currently scheduled to be available to handle a service call/request and delegate the granted impersonation right(s) to the selected representative. By allowing for this type of delegation, the user does not have to reconfigure permission grants every time a support representative needs to be reassigned (e.g., a representative goes off-clock and another representative goes on-clock) (i.e. dynamically). And [Col. 15 lines 24-28] In box 1415, in response to receiving the electronic request, the access control module 145 verifies whether the first user has been associated with an access policy that authorizes or allows the first user to access the user data of the second user); 
obtaining access permissions to enforce on the service engineer for a second support session with the service engineer during which the service engineer has access to the user's account based on receiving the approval from the user (Baer, see Fig. 15, and [Col. 15 lines 52-56] In box 1505, the access control module 145 of service provider environment 103 receives instructions from a second user to grant permission to a first user to have access to user data of the second user. In other words, the second user is granting impersonation permission to the first user); Examiner further notes it is the second support session once the service engineer is granted impersonation permission.
providing an access link to the service engineer during the first support session, wherein the access link comprises a token [associated with the service engineer, the user's account, and the access permissions] (Baer, [Col. 9 line 64-Col. 10 line 2] The ticketing service 162 assigns the ticket to a representative. The representative logs into the ticketing service 162 to help solve the problem. The ticketing service 162 sends a call to impersonate the user to the service provider environment 103 along with an identifier (e.g., ID) of the trouble ticket representative that will do the work. And [Col. 11 lines 28-38] To grant impersonation permissions, …, the user identification and authentication service 144 may have a management software tool for granting a permission to a technical support group or representative (i.e. providing an access link). For example, the tool may provide a graphical interface checkbox that can be selected by a user to opt-in to granting the permission or the user could be prompted to choose to grant a permission after submitting a technical support request or ticket (i.e. token) with it being stated that the permission lasts as long as technical support is being provided to address the issue related to the original request or support ticket); (see Priebatch’s teaching below for limitation(s) in bracket)
receiving the token when the service engineer activates the access link within the first support session (Baer, [Col. 9 lines 42-45] Assuming impersonation is enabled (i.e. activated), the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing); 
obtaining the user account, the approval, and the access permissions from the token associated with the access link (Baer, [Col. 3 lines 39-42] The profile data 153 includes a variety of information regarding the identity of the user, such as a user name, contact information, bank account information,… and [Col. 10 lines 27-32] In the instance where the user needs help with a website, the trouble ticket representative would be provided a web browser cookie (i.e. access link) that includes state that allows the trouble ticket representative to go to the website and be logged in as if the representative was the user. And [Col. 15 lines 57-61] in box 1510, the access control module 145 establishes an access policy authorizing access to the user data of the second user and assigns the policy to the first user, such that a request from the first user to access the second user's data (i.e. user account) will be checked against each assigned policy of the first user); 
and providing the service engineer access to the user account in the second support session while enforcing the access permissions against the service engineer during the second support session (Baer, Fig. 13 step 1320, [Col. 14 lines 58-62] in box 1320, while the policy is currently associated with the first user, the access control module grants the first user access to the user data of the second user commensurate with access policy restrictions to which the second user is subjected. And Fig. 14 step 1420, [Col. 15 lines 31-37] in box 1420, in response to verifying that the first user has been associated with a policy allowing the first user to access the user data of the second user, the access control module 145 authorizes or allows the first user (e.g., grants the request) to access the user data of the second user …).  
	While Baer teaches the main concept of the invention and access link comprises a token but does not specifically teach token associated with the service engineer, the user's account, and the access permissions, Priebatch in similar field of endeavor teaches:
[providing an access link to the service engineer during the first support session, wherein the access link] (see Baer’s teachings shown above) comprises a token associated with the service engineer, the user's account, and the access permissions (Priebatsch, [Abstract] a facilitation token that includes authorization for a request manager to act on behalf of a resource is received from the request manager. A user-access token is also received from the request manager; the user-access token includes (i) a request, (ii) an identity of a user making the request, and (iii) permissions information. And [0008] a facilitation token comprising permissions to act with respect to a resource, electronically receiving, from the request-manager device, a request for goods or services from the resource and a user-access token comprising permissions to act on behalf of a user (i.e. user’s account), verifying the facilitation token and the user-access token and that granting the request is permitted by the resource and the user based at least in part on information in the facilitation token and user-access token).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Priebatsch in the impersonation authorization system of Baer by using user access token including request, user information and permission information. This would have been obvious because the person having ordinary skill in the art would have been motivated to facilitate token including authorization for a request manager to act on behalf of a user (Priebatsch, [Abstract], [0008]).

Regarding claim 4, Baer-Priebatch combination further teaches:
The method of claim 2, wherein obtaining the access permissions further includes receiving the access permissions from the user with the approval (Baer, [Col. 15 lines 52-56] In box 1505, the access control module 145 of service provider environment 103 receives instructions from a second user to grant permission to a first user to have access to user data of the second user. In other words, the second user is granting impersonation permission to the first user).  

Regarding claim 5, Baer-Priebatch combination further teaches:
The method of claim 2, wherein receiving the access permissions further includes receiving selected options from the user that identify specific resources or specific types of resources that the user want to prohibit the service engineer from accessing during the second support session (Baer, [Col. 14 lines 8-18] In FIG. 11, a web page 1110 is shown listing three permission grants for the user. Under each of the three permission grants, information on the term of the permission grant is stated and an option is provided to modify the term or to terminate the term (and thereby remove the permission grant from the party to which it was granted). For example, for the first permission grant listed, the permission grant is to "Retail Support" group and is set to expire on June 3rd. To modify or terminate the term of the permission grant, an option 1120 is provided that can be selected).  

Regarding claim 6, Baer-Priebatch combination further teaches:
The method of claim 2, wherein providing the access link further includes encrypting the token within the access link (Priebatch, [0037] As discussed above, the request manager 800 stores thereon indications of authority from a requester and/or a resource that grant permissions to act on behalf of one or both parties… The indication of authority is a token…The token may include information identifying the sender (such as name, address, telephone number, or location), financial-account information (such as bank-account information or credit-card information), a digital signature, a username and/or password, challenge questions and responses, or minimum or maximum transfer amounts. The token may be encrypted using an RSA or similar algorithm).  

Regarding claim 9, Baer-Priebatch combination further teaches:
The method of claim 2 further comprising, terminating the second support session when a predefined time limit associated with an access restriction is reached (Baer, [Col. 9 lines 42-46] Assuming impersonation is enabled, the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing. This cookie may have a short expiration date. And [Col. 11 lines 48-50] Further, the permission term may be set or scheduled to automatically expire after a specified period or after a designated event has occurred).  

Regarding claim 10, Baer-Priebatch combination further teaches:
The method of claim 2 further comprising, maintaining a user session with the user during the second support session (Baer, Fig. 2 shows user client established communication session first and maintains the session to response to customer representative request for access permission).

Regarding claim 11, Baer-Priebatch combination further teaches:
The method of claim 10, wherein maintaining further includes maintaining a chat session between the user of the user session and the service engineer of the second support session as the service engineer accesses the network service using the user's account (Baer, [Col. 12 lines 61-Col. 13 line2] For example, in FIG. 6, a conversation may take place via telephone 610 between a support representative and a user, where the support representative requests for permission to impersonate the user (as indicated by pointer 620) and triggers activation of an automated interactive voice response system (e.g., via opening of a trouble ticket) that asks for the user to authorize or deny the grant of permission to the support representative (as indicated by pointer 630)). Examiner notes the conversation between user and support representative is the chat session.

Regarding claim 12, Baer-Priebatch combination further teaches:
The method of claim 2 further comprising, tracking and auditing actions of the service engineer during the second support session (Baer, [Col. 7 lines 53-59] The network-based resource, however, can keep track of the interactions that were performed by the actual user and those performed by the support representative acting on behalf of the actual user in an audit log 137… the actual user may be provided access to the audit log 137 so that the user can see what actions were performed while the user was being impersonated).  

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Baer-Priebatch combination as applied above to claim 2, further in view of Tullis (US20130311360A1, hereinafter, “Tullis”).
Regarding claim 3, Baer-Priebatch combination teaches:
The method of claim 2, 
The combination of Baer-Priebatch does not specifically teach the following limitation, in the similar field of endeavor Tullis teaches:
wherein dynamically requesting further includes and providing the user with contact details and a current location of the service engineer based on the first support session (Tullis, discloses method for enabling safe and efficient money transfer, [Abstract]. And referring to Fig. 7 step 708, and [0058] the information sent to the mobile communication device of the beneficiary may include the name, location, and contact information of the one or more agents (i.e. service engineer)… the information sent to the beneficiary's mobile communication device may also include distance of each of the one or more agents from the beneficiary's current location and directions to the location of the one or more agents from the beneficiary's current location).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tullis in the impersonation authorization system of Baer-Priebatch by implementing the authentication measure of the agent (i.e. support engineer) with details including agent’s name, location etc. This would have been obvious because the person having ordinary skill in the art would have been motivated to include agent’s detailed information as authentication and trust mechanism for safe fund transfer for a designated account of the beneficiary user (Tullis, [Abstract], [0058], [0064]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Baer-Priebatch combination as applied above to claim 2, further in view of Bhat et al (US20030200442A1, hereinafter, “Bhat”).
Regarding claim 7, Baer-Priebatch combination teaches:
The method of claim 2, 
The combination of Baer-Priebatch does not specifically teach the following limitation, in the similar field of endeavor Bhat teaches:
wherein providing the access link further includes providing the access link as a Hypertext Markup Language (HTML) over a Hypertext Transfer Secure Socket Layer (HTTPS) link to a browser-based interface associated with the first support session of the service engineer (Bhat, discloses method for URL access management and control, [Abstract]. And [0064] the authentication service module 420 can be deployed in a web server and an applications server that support a servlet container. The client interface module 400 provided by the authentication service module 420 is HTML over HTTP(s), which makes it convenient to use with a web browser).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Bhat in the impersonation authorization system of Baer-Priebatch by using client interface with HTML over HTTP(s). This would have been obvious because the person having ordinary skill in the art would have been motivated to provide a web browser as internet solution for client (Bhat, [Abstract], [0064]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Baer-Priebatch combination as applied above to claim 2, further in view of Tokutani et al (US20090300711A1, hereinafter, “Tokutani”).
Regarding claim 8, Baer-Priebatch combination teaches:
The method of claim 2 
The combination of Baer-Priebatch does not specifically teach the following limitation, in the same field of endeavor Tokutani teaches:
further comprising, terminating the second support session when actions taken by the service engineer during the second support session violate the access permissions (Tokutani, discloses a violation detection process for obtaining a policy from a policy storing unit for storing the policy set for the resource or the access to the resource, for checking whether or not the access right management information complies with the policy, see [Abstract]. And [0217] Upon termination of the process in step S1501, the flow goes to step S1601, in which the policy checking/modifying unit 116 starts the process for checking whether or not permission that violates the permission assignment prohibition rules 1403 (permission that is prohibited from being simultaneously possessed by roles) is possessed).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tokutani in the impersonation authorization system of Baer-Priebatch by detecting permission violating permission assignment prohibition rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to check whether or not the access right management information complies with the policy (Tokutani, [Abstract]).

Claims 13-14, 16, 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Baer et al (US 8,955,149B1, hereinafter, "Baer"), in view of Tullis (US20130311360A1, hereinafter, “Tullis”), further in view of Priebatch (US20150242850A1, hereinafter, “Priebatch”).
Regarding claim 13, Baer teaches:
A method (Baer, discloses method and system granting permission to another user on a computer network to impersonate himself or herself on the network for duration of a specified period, see [Abstract]) comprising: 
receiving a service request from a service engineer requesting access to a network service associated with a user's account of a user based on a service ticket being handled by the service engineer (Baer, [Col. 9 lines 14-20] a trouble-ticket may be opened for the user at a third-party trouble-ticket system of the customer support center 210, where the process of opening the ticket may cause a web browser of the user to be redirected to the service provider environment 103, where the user is prompted to grant the third-party trouble ticket service 162 or its representative permission to impersonate the user. And [Col. 10 lines 59-62] In FIG. 2, before granting the request, the user identification and authentication service 144 verifies 204 that the requesting representative is permitted to impersonate the customer. And referring to Fig. 14, and [Col. 15 lines 17-20] The access control module 145 of service provider environment 103 then receives an electronic request from the first user (i.e. service engineer) to access user data of a second user (i.e. user’s account), in box 1410);  
requesting an approval in real time from the user to authorize the service engineer to access the network service using the user's account and providing the user the contact information for the service engineer and the current location of the service engineer (Baer, [Col. 6 lines 32-42] the trouble ticket computer service or system 162 may act as the intermediate entity and be configured to select a technical support representative that is currently scheduled to be available to handle a service call/request and delegate the granted impersonation right(s) to the selected representative. By allowing for this type of delegation, the user does not have to reconfigure permission grants every time a support representative needs to be reassigned (e.g., a representative goes off-clock and another representative goes on-clock) (i.e. dynamically). And [Col. 15 lines 24-28] In box 1415, in response to receiving the electronic request, the access control module 145 verifies whether the first user has been associated with an access policy that authorizes or allows the first user to access the user data of the second user); 
obtaining the approval and access permissions from the user (Baer, see Fig. 15, and [Col. 15 lines 52-56] In box 1505, the access control module 145 of service provider environment 103 receives instructions from a second user to grant permission to a first user to have access to user data of the second user. In other words, the second user is granting impersonation permission to the first user); 
providing an access link comprising a token [linked to the user account, the approval, and the access permissions to the service engineer] in a first support session between the method and the service engineer (Baer, [Col. 9 line 64-Col. 10 line 2] The ticketing service 162 assigns the ticket to a representative. The representative logs into the ticketing service 162 to help solve the problem. The ticketing service 162 sends a call to impersonate the user to the service provider environment 103 along with an identifier (e.g., ID) of the trouble ticket representative that will do the work. And [Col. 11 lines 28-38] To grant impersonation permissions, …, the user identification and authentication service 144 may have a management software tool for granting a permission to a technical support group or representative. For example, the tool may provide a graphical interface checkbox that can be selected by a user to opt-in to granting the permission or the user could be prompted to choose to grant a permission after submitting a technical support request or ticket (i.e. token) with it being stated that the permission lasts as long as technical support is being provided to address the issue related to the original request or support ticket); (see Priebatch’s teaching below for limitation(s) in bracket); 
identifying an activation of the access link by the service engineer and obtaining the token (Baer, [Col. 9 lines 42-45] Assuming impersonation is enabled (i.e. activated), the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing); 
obtaining the user account, the approval, and the access permissions and authorizing the service engineer for access to the network service using the user's account (Baer, [Col. 3 lines 39-42] The profile data 153 includes a variety of information regarding the identity of the user, such as a user name, contact information, bank account information,… and [Col. 10 lines 27-32] In the instance where the user needs help with a website, the trouble ticket representative would be provided a web browser cookie (i.e. access link) that includes state that allows the trouble ticket representative to go to the website and be logged in as if the representative was the user. And [Col. 15 lines 57-61] in box 1510, the access control module 145 establishes an access policy authorizing access to the user data of the second user and assigns the policy to the first user, such that a request from the first user to access the second user's data (i.e. user account) will be checked against each assigned policy of the first user); 
and enforcing the access permissions during a second support session during which the service engineer accesses the network service using the user's account (Baer, Fig. 13 step 1320, [Col. 14 lines 58-62] in box 1320, while the policy is currently associated with the first user, the access control module grants the first user access to the user data of the second user commensurate with access policy restrictions to which the second user is subjected. And Fig. 14 step 1420, [Col. 15 lines 31-37] in box 1420, in response to verifying that the first user has been associated with a policy allowing the first user to access the user data of the second user, the access control module 145 authorizes or allows the first user (e.g., grants the request) to access the user data of the second user …).  
While Baer teaches service engineer but does not expressly teach the following limitation(s), Tullis in the same field of endeavor teaches:
identifying a service-engineer device being operated by the service engineer and a current location of the service engineer (Tullis, discloses method for enabling safe and efficient money transfer, see [Abstract]. And [0007] the method includes querying the database to determine the location of the one or more agents, comparing the location of the beneficiary with the location of the one or more agents, selecting one or more agents whose location is in close proximity to the beneficiary, and sending the information about the selected one or more agents to the beneficiary's mobile device. And [Claim 1] receiving, by the transaction processor computer, input from the beneficiary's mobile device, the input indicating selection of a mobile agent from the first plurality of mobile agents; and sending, by the transaction processor computer, a message to the mobile device of the selected mobile agent); 
obtaining contact information for the service engineer (Tullis, [0058] the information sent to the mobile communication device of the beneficiary may include the name, location, and contact information of the one or more agents…);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tullis in the impersonation authorization system of Baer by implementing the authentication measure of the agent (i.e. service engineer) with details including agent’s name, location and contact information. This would have been obvious because the person having ordinary skill in the art would have been motivated to include agent’s detailed information as trust mechanism for safe fund transfer for a designed account of the beneficiary user (Tullis, [Abstract], [0058], [0064]).
While the combination of Baer-Tullis teaches the main concept of the invention and access link comprises a token but does not specifically teach a token linked to the user account, the approval, and the access permissions to the service engineer, Priebatch in similar field of endeavor teaches:
[providing an access link comprising a token] (see Baer’s teachings shown above) linked to the user account, the approval, and the access permissions to the service engineer in a first support session between the method and the service engineer (Priebatsch, [Abstract] a facilitation token that includes authorization for a request manager to act on behalf of a resource is received from the request manager. A user-access token is also received from the request manager; the user-access token includes (i) a request, (ii) an identity of a user making the request, and (iii) permissions information. And [0008] a facilitation token comprising permissions to act with respect to a resource, electronically receiving, from the request-manager device, a request for goods or services from the resource and a user-access token comprising permissions to act on behalf of a user (i.e. user’s account), verifying the facilitation token and the user-access token and that granting the request is permitted by the resource and the user based at least in part on information in the facilitation token and user-access token).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Priebatsch in the impersonation authorization system of Baer-Tullis by using user access token including request, user information and permission information. This would have been obvious because the person having ordinary skill in the art would have been motivated to facilitate token including authorization for a request manager to act on behalf of a user (Priebatsch, [0008]).

Regarding claim 20, Baer teaches:
A system (Baer, discloses method and system granting permission to another user on a computer network to impersonate himself or herself on the network for duration of a specified period, see [Abstract]) comprising: a server comprising a processor and a non-transitory computer-readable storage medium (Baer, see Fig. 16, [Col. 18, lines 3-19); the non-transitory computer-readable storage medium comprising executable instructions; the executable instructions executed by the processor from the non-transitory computer-readable storage medium (Baer, e.g. [Col. 18 lines 7-12] a processor 1603 in a computer system or other system. In this sense, the logic may comprise, for example, statements including instructions and declarations that can be fetched from the computer-readable medium and executed by the instruction execution system) causing the processor to perform operations comprising: 
authenticating a service engineer and a service-engineer operated device for access to a service session (Baer, [Col. 11 lines 17-21] The user identification and authentication service 144 authenticates the support representative's (i.e. service engineer) login credentials and verifies 204 whether the authenticated representative has permission to impersonate the identified user and access 205 the user data); Examiner notes authenticating a service engineer and a service-engineer operated device can be understood to mean authenticating a service engineer since the claim recites no specifics of different features of the service engineer and its operated device, i.e. authenticating a service engineer satisfies authenticating a service-engineer operated device;PRELIMINARY AMENDMENTPage 6Serial Number: 17/243,874Dkt:16-0696-CO1 
Filing Date: April 29, 2021receiving a service request from the service engineer based on a service ticket that requests access to a network service using a user account of a user (Baer, [Col. 9 lines 14-20] a trouble-ticket may be opened for the user at a third-party trouble-ticket system of the customer support center 210, where the process of opening the ticket may cause a web browser of the user to be redirected to the service provider environment 103, where the user is prompted to grant the third-party trouble ticket service 162 or its representative permission to impersonate the user. And [Col. 10 lines 59-62] In FIG. 2, before granting the request, the user identification and authentication service 144 verifies 204 that the requesting representative is permitted to impersonate the customer. And referring to Fig. 14, and [Col. 15 lines 17-20] The access control module 145 of service provider environment 103 then receives an electronic request from the first user (i.e. service engineer) to access user data of a second user (i.e. user’s account), in box 1410); 
obtaining user contact information for the user based on the user account (Baer, [Col. 3 lines 39-42] The profile data 153 includes a variety of information regarding the identity of the user, such as a user name, contact information, bank account information, and/or other data relevant to the identity of the user. And [Col. 12 lines 38-41] Column 312c indicates that additional information may be specified with respect to access policies (e.g., policy expiration criteria, contact information for the user …);
dynamically requesting an approval and access permissions to grant the service engineer for accessing the network service from the user and providing the user the contact information for the service engineer and the current location of the service-engineer operated device (Baer, [Col. 6 lines 32-42] the trouble ticket computer service or system 162 may act as the intermediate entity and be configured to select a technical support representative that is currently scheduled to be available to handle a service call/request and delegate the granted impersonation right(s) to the selected representative. By allowing for this type of delegation, the user does not have to reconfigure permission grants every time a support representative needs to be reassigned (e.g., a representative goes off-clock and another representative goes on-clock) (i.e. dynamically). And [Col. 15 lines 24-28] In box 1415, in response to receiving the electronic request, the access control module 145 verifies whether the first user has been associated with an access policy that authorizes or allows the first user to access the user data of the second user); 
obtaining the approval and the access permissions from the user (Baer, see Fig. 15, and [Col. 15 lines 52-56] In box 1505, the access control module 145 of service provider environment 103 receives instructions from a second user to grant permission to a first user to have access to user data of the second user. In other words, the second user is granting impersonation permission to the first user); 
providing an access link comprising the token to the service engineer (Baer, [Col. 9 line 64-Col. 10 line 2] The ticketing service 162 assigns the ticket to a representative. The representative logs into the ticketing service 162 to help solve the problem. The ticketing service 162 sends a call to impersonate the user to the service provider environment 103 along with an identifier (e.g., ID) of the trouble ticket representative that will do the work. And [Col. 11 lines 28-38] To grant impersonation permissions, …, the user identification and authentication service 144 may have a management software tool for granting a permission to a technical support group or representative. For example, the tool may provide a graphical interface checkbox that can be selected by a user to opt-in to granting the permission or the user could be prompted to choose to grant a permission after submitting a technical support request or ticket (i.e. token) with it being stated that the permission lasts as long as technical support is being provided to address the issue related to the original request or support ticket); 
detecting that the access link was activated by the service engineer; obtaining the token from the access link (Baer, [Col. 9 lines 42-45] Assuming impersonation is enabled (i.e. activated), the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing); 
obtaining the user account, access permissions, and an identifier for the service session from the token (Baer, [Col. 3 lines 39-42] The profile data 153 includes a variety of information regarding the identity of the user, such as a user name, contact information, bank account information,… and [Col. 10 lines 27-32] In the instance where the user needs help with a website, the trouble ticket representative would be provided a web browser cookie (i.e. access link) that includes state that allows the trouble ticket representative to go to the website and be logged in as if the representative was the user. And [Col. 15 lines 57-61] in box 1510, the access control module 145 establishes an access policy authorizing access to the user data of the second user and assigns the policy to the first user, such that a request from the first user to access the second user's data (i.e. user account) will be checked against each assigned policy of the first user); 
ensuring that the access link was activated by the service engineer from within the service session (Baer, [Col. 9 lines 42-45] Assuming impersonation is enabled (i.e. activated), the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing); 
and granting access to the network service using the user account in accordance with the access permissions to the service engineer in a second support session (Baer, Fig. 13 step 1320, [Col. 14 lines 58-62] in box 1320, while the policy is currently associated with the first user, the access control module grants the first user access to the user data of the second user commensurate with access policy restrictions to which the second user is subjected. And Fig. 14 step 1420, [Col. 15 lines 31-37] in box 1420, in response to verifying that the first user has been associated with a policy allowing the first user to access the user data of the second user, the access control module 145 authorizes or allows the first user (e.g., grants the request) to access the user data of the second user …).  
While Baer teaches service engineer but does not expressly teach the following limitation(s), Tullis in the same field of endeavor teaches:
obtaining contact information for the service engineer and a current location of the service-engineer operated device (Tullis, discloses method for enabling safe and efficient money transfer, [Abstract]. And [0007] the method includes querying the database to determine the location of the one or more agents, comparing the location of the beneficiary with the location of the one or more agents, selecting one or more agents whose location is in close proximity to the beneficiary, and sending the information about the selected one or more agents to the beneficiary's mobile device. And [Claim 1] receiving, by the transaction processor computer, input from the beneficiary's mobile device, the input indicating selection of a mobile agent from the first plurality of mobile agents; and sending, by the transaction processor computer, a message to the mobile device of the selected mobile agent); 
obtaining contact information for the service engineer (Tullis, [0058] the information sent to the mobile communication device of the beneficiary may include the name, location, and contact information of the one or more agents…);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tullis in the impersonation authorization system of Baer by implementing the authentication measure of the agent (i.e. service engineer) with details including agent’s name, location and contact information. This would have been obvious because the person having ordinary skill in the art would have been motivated to include agent’s detailed information as trust mechanism for safe fund transfer for a designed account of the beneficiary user (Tullis, [Abstract], [0058], [0064]).
While the combination of Baer-Tullis teaches the main concept of the invention and access link comprises a token but does not specifically teach associating the approval, the user account, the access permissions, the service engineer, and the service session with a token, Priebatch in similar field of endeavor teaches:
associating the approval, the user account, the access permissions, the service engineer, and the service session with a token (Priebatsch, [Abstract] a facilitation token that includes authorization for a request manager to act on behalf of a resource is received from the request manager. A user-access token is also received from the request manager; the user-access token includes (i) a request, (ii) an identity of a user making the request, and (iii) permissions information. And [0008] a facilitation token comprising permissions to act with respect to a resource, electronically receiving, from the request-manager device, a request for goods or services from the resource and a user-access token comprising permissions to act on behalf of a user (i.e. user’s account), verifying the facilitation token and the user-access token and that granting the request is permitted by the resource and the user based at least in part on information in the facilitation token and user-access token);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Priebatsch in the impersonation authorization system of Baer-Tullis by using user access token including request, user information and permission information. This would have been obvious because the person having ordinary skill in the art would have been motivated to facilitate token including authorization for a request manager to act on behalf of a user (Priebatsch, [0008]).

Regarding claim 14, Baer-Tullis-Priebatch further teaches:
The method of claim 13 further comprising, terminating the second support session based on one or more of an action taken by the service engineer that violates any of the access permissions, an abnormal network disconnection between the service-engineer device and the network service, a normal terminal of the second support session by the service engineer, and expiry of an elapsed period of time associated with an access restriction of the second support session (Baer, [Col. 9 lines 42-46] Assuming impersonation is enabled, the access control module 145 generates a session browser token that allows the representative to go to access the e-commerce web server content and see what the user is seeing. This cookie may have a short expiration date. And [Col. 11 lines 48-50] Further, the permission term may be set or scheduled to automatically expire after a specified period or after a designated event has occurred).  

Regarding claim 16, similarly claim 21, Baer-Tullis-Priebatch further teaches:	
The method of claim 13, the system of claim 20,
further comprising tracking actions of the service engineer during the second support session and maintaining an audit log of the actions (Baer, [Col. 7 lines 53-59] The network-based resource, however, can keep track of the interactions that were performed by the actual user and those performed by the support representative acting on behalf of the actual user in an audit log 137. In one embodiment, the actual user may be provided access to the audit log 137 so that the user can see what actions were performed while the user was being impersonated).  

Regarding claim 18, Baer-Tullis-Priebatch further teaches:	
The method of claim 13, wherein obtaining the approval further includes receiving the access permissions from the user as authorized and non-authorized selected options for types of resources and specific resources associated with the network service of the user's account (Baer, [Col. 14 lines 8-18] In FIG. 11, a web page 1110 is shown listing three permission grants for the user. Under each of the three permission grants, information on the term of the permission grant is stated and an option is provided to modify the term or to terminate the term (and thereby remove the permission grant from the party to which it was granted). For example, for the first permission grant listed, the permission grant is to "Retail Support" group and is set to expire on June 3rd. To modify or terminate the term of the permission grant, an option 1120 is provided that can be selected).  

Regarding claim 19, Baer-Tullis-Priebatch further teaches:	
The method of claim 13, wherein providing further includes encrypting the token within the access link (Priebatch, [0037] As discussed above, the request manager 800 stores thereon indications of authority from a requester and/or a resource that grant permissions to act on behalf of one or both parties… The indication of authority is a token…The token may include information identifying the sender (such as name, address, telephone number, or location), financial-account information (such as bank-account information or credit-card information), a digital signature, a username and/or password, challenge questions and responses, or minimum or maximum transfer amounts. The token may be encrypted using an RSA or similar algorithm).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Baer-Tullis-Priebatch as applied above to claim 14, further in view of Banjo (US20070136195A1, hereinafter, “Banjo”).
Regarding claim 15, Baer-Tullis-Priebatch teaches:
The method of claim 14 
While the combination of Baer-Tullis-Priebatch does not specifically teach, Banjo in similar field of endeavor teaches:
further comprising, notifying the user when the second support session terminates (Banjo, discloses method to provide a service session, [Abstract]. And [0070] In step S13 the service gateway or portal 108 is notified of the limit or threshold being exceeded, as part of the session with the credit control server 114. The service gateway or portal 108 then performs the defined actions related to the limit or threshold being exceeded (for example notifying the user and/or terminating the service session as mentioned above) at step S14).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Banjo in the impersonation authorization system of Baer-Tullis-Priebatch by notifying user that service gateway has performed the defined action of terminated service session. This would have been obvious because the person having ordinary skill in the art would have been motivated to notify user of session termination of service in control of service cost (Banjo, [Abstract]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Baer-Tullis-Priebatch as applied above to claim 13, further in view of Kong et al (US20180191700A1, hereinafter, “Kong”).
Regarding claim 17, Baer-Tullis-Priebatch teaches:	
The method of claim 13, 
While the combination of Baer-Tullis-Priebatch does not expressly teach the following limitation(s), Kong in the same field of endeavor teaches:
wherein providing further includes ensuring that the access link was activated by the service engineer from the service-engineer device within the first support session and disregarding any activation of the access link originating outside of the first support session (Kong, discloses maintaining a web session across multiple web resources and/or devices using two token model, [Abstract]. And [0071] to maintain a session across multiple devices, a user agent of the user's first electronic device may not hold a grant token, but instead the grant token may be held by a second electronic device that is in a communication range of the first electronic device. The second electronic device will include a virtual session manager that manages the session across multiple electronic devices. Only client devices with a virtual session manager will hold the grant token; other client devices will not be given the grant token. In this way, dissemination of the grant token is limited to certain client devices that are have virtual session manager functionality).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kong in the impersonation authorization system of Baer-Tullis-Priebatch by implementing authentication measure with multiple sessions. This would have been obvious because the person having ordinary skill in the art would have been motivated of using virtual session manager for multiple sessions with two tokens to allow user for efficient control over the access privileges (Kong, [Abstract], [0089]). 
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Asano et al (US9473505B1) discloses method of management of third party access privileges to web service.
Birtwhistle et al (US20130167249A1) discloses a method for accessing a user's account by customer support without viewing the user's private data includes receiving, in an application module communicating with a web service, a request for authentication by a support person using a linked user-support login name.
Zlatarev et al (US20120260330A1) discloses user authentication for intermediate representational state transfer client via CA.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436