Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The applicant’s arguments, see pages 7-8, filed June 10, 2022, with respect to the rejection of claims 1-5 under Smith in view of Mankovskii in further view of Furuya have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground of rejection is made in view of Smith and in view of Mankovskii and in further view of Wahl.

With regards to claim 6, the applicant argues that the prior arts of record Mahaffey failed to disclose “wherein satisfaction of the contextual information depends at least in part on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operation to be performed using the computing instance”. The examiner respectfully disagrees with the applicant’s argument and analysis, particularly with the interpretation and meaning of “a network address identifier of the computing instance”. To construe boundary and scope of the claimed limitations, the following Broadest Reasonable Interpretation (BRI) have been given to a network address identifier of the computing instance consistent with the applicant’s disclosure as it would be understood by one of ordinary skill in the art. The applicant has the following limited description for “a network address identifier of the computing instance” in the disclosure:
[Applicant’s Disclosure: 0060] A context validation plugin, determines whether an operation is allowed based at least in part on the identity of the requester and the time the request, in accordance with an embodiment. .... The context validation plugin retrieves a current date and time using a network time service or system clock.  The context validation plugin determines the identity of the requester that submitted the request, and queries personnel management systems to determine the customary working hours of the requester. The customary working hours of the requester are determined by determining the geographical location of the requester, determining the time zone for the location of the requester, and assuming a customary working schedule such as 9 AM to 5 PM local time. In some examples, the context validation plugin can determine whether the requester is on-site or off-site by examining the network connection used by the requester. If the network connection used by the requester is a virtual private network (“VPN”) connection, the context validation plug-in can infer that the requester is located off-site. If the network connection used by the requester is not a VPN connection, the network address of the requester can be used to identify an on-site location. [0068] The context validation plugin determines the allowable scope of operations by identifying resources that are named in the ticket such as servers, databases, data tables, and network addresses. 
Under BRI, the examiner has been considering “a network address identifier” as any network addressing mechanism assigned to a computing device to identify on a site-location of the network whenever there is no VPN connection the computing device. Depending on the type of network connection, at least any of the following widely available network addressing mechanism (an Internet Protocol (IP) address, MAC addresses, Wi-Fi SSIDs, BSSIDs address, Mobile Cell-Tower identifiers, Location based addressing (Geo-IP, GPS, broadcast address, Bluetooth, addressing)) can be used as a network address identifier of a computing device to identify the computing device on the respective network connection. These network address identifiers are readily used to examine whether the computing device/instance is actively connected to the network and therefore determine whether the computing device/instance is on-site location or not and therefore enable to determine an allowable scope of operations (authorization) to be performed using the computing instance/device. 
These different network addressing identifiers or features (an Internet Protocol (IP) address, MAC addresses, Wi-Fi SSIDs, BSSIDs address, Mobile Cell-Tower identifiers, Location based addressing (Geo-IP, GPS, broadcast address, Bluetooth, addressing corresponding to “a network address identifier of the computing instance”) are described and discussed in detail in the prior art of record Mahaffey recited as follows:
[Mahaffey: 0072] The authentication server uses context information to perform authorization of the requesting client and/or the user. The authorization may take into consideration information provided by the client, e.g., provided as part of requesting client's request content, requested by server from requesting client or another client determined by server as a result of processing information from a client (e.g. geo-ip, mobile network operator location lookup), retrieved from another server or service, associated with the account and stored at server. Location is also another item of context, and such location can be determined via: geo-ip, provided by clients (e.g., by GPS or other on-device location systems), nearby wireless infrastructure, e.g., Wi-Fi access points (APs) which may supply Wi-Fi SSIDs, BSSIDs, type of authentication information, any other information gather-able about the APs, and signal strength information, Bluetooth: nearby discoverable device addresses and names, cell-towers: single or multiple neighbor cells, cell identifiers, signal strength, etc. Location may be used as sole factor or contributing factor to authorization decision. Requesting client in known location that has previously been authorized from the same exact location, same city, etc. For the location of multiple clients, the server receives location of both requesting client and authorizing clients (e.g. when receiving request from requesting client, contact authorizing client and receive its location), and if the authorizing client is in the same location as the requesting client, the request may be authorized or treated differently (e.g. lower security method of authorization) than if they were in different locations; or the authentication may be completely denied. Other forms of location can be integrated to determine if requesting client and/or authorizing client is in an appropriate location for the user, such as: credit card transactions, social network check-ins, building access control systems, facial recognition cameras, network-based location systems (e.g. mobile phone or laptop connected to Wi-Fi in a particular location).
[Mahaffey: 0073] The network may be determined by one of: client provided network configuration information, or the server determining source information from the client. Types of network information include client provides configuration information (e.g. ip, default gateway, netmask, DNS server, domain); client provided neighbor device information such as: other device MAC addresses, e.g. gateway MAC, other device IPs, other device names (e.g. using SMB or MDNS); client provided Wi-Fi information (e.g., currently connected access point). Authorization may be based on same IP address or network/Wi-Fi AP. If a requesting client and authorizing client are on the same network (e.g. same public IP, same Wi-Fi access point, as supplied to server by both client, or otherwise have network information that they supply to server that corresponds), server can determine that the clients are in the same place, and reduce or eliminate the need to perform further authorization.
[Mahaffey: 0078] The location of the requesting client, authorizing client, or both, as determined by GPS, cell ID, presence on a given network (described below), Wi-Fi access points nearby, etc., may also be a factor, such that if a location is a high risk area, then the system performs a different level of authorization than a low risk area, e.g., some countries have higher fraud rates. For those countries the same action may trigger higher authorization requirements than countries with lower fraud rates. A location difference between requesting client and authorizing client may trigger a change, such that if they are in the same place, then may have lower authorization requirements than in different places. Also a factor is any policy that the service being authorized may have toward the specific account or requesting client, or global policy/configuration (e.g., for a bank transfer, the bank may specify what the level of authorization required is). Any combination of the above mentioned factors may also be considered. For example, if requesting client has a successful login to a particular service, record its location at server side. If the requesting client wants to log in to that service again, there may be a lesser authorization requirement than the first time if that client is in the same location than if that requesting client is in a different location. If the requesting client is in a different location, the level of authorization may be less than the first time, but more than if it were in the same location as the first login
[Mahaffey: 0090] In an embodiment, the authentication server 102 uses certain context information to perform the authorization. Such context information can include information provided by the client, the location of the client (such as determined by geo-ip, GPS or other location finding means, nearby wireless infrastructure, cell tower or other device triangulation means, transaction locations, building locations, etc.), network information (e.g., client configuration information, IP address, gateway, netmask, DNS, server, network names, access points, etc.), application data (e.g., pre-installed apps), common accounts, and device usage patterns and anomalies. For common accounts, if the requesting client and the authorizing client are both logged into the same service, the system can use either as authentication or authorization, since a common user is likely involved. Multiple clients can provide account information to the server and the account information may be stored at the server so that a new client may be compared without having to communicate with the previous clients.
[Mahaffey: 0094] The server may identify the authorizing client 324 based on the network information provided by one or both clients (such as through WIFI access point, common public IP address, etc.), or the requesting client 322 broadcasting to the local network, or other discovery means. Whether the requesting client or the server determines authorizing client could be based on the network information as described above or by user choice. For example, the requesting client may know about nearby authorizing clients based on proximity such as Bluetooth or network broadcasts if they are on the same LAN. Alternatively, the server may provide one or more "nearby" (based on IP, location, etc) authorizing clients and a method to reach them, such as an IP and port, broadcast address, Bluetooth address, etc.). The requesting client then requests authorization from the authorizing client. The request may need to be generated by the server and digitally signed by the server's private key, and the authorizing client only accepts requests that are validated against the server's public key. Alternatively, the request may be signed/validated against secret information associated with the account. The authorizing client receives the request and validates the request as legitimate. The authorizing client then performs the authorization and sends a response to the requesting client. The requesting client then either uses the response to complete the request (e.g., for login credentials) or provides the response to the authentication server as proof of authorization.
For at least the reason provided above, the applicant’s arguments are not persuasive to overcome the prior arts in record and place claim 6 in a better condition for allowance and therefore the rejection of 35 USC 103 for claim 6 has been maintained.

With regards to claim 14, the applicant continues to argue that Mahaffey failed to disclose “allowable scope of operations”. The examiner respectfully disagrees with the applicant’s argument and analysis. Again, to construe boundary and scope of the claimed limitations, the following Broadest Reasonable Interpretation (BRI) have been given to allowable scope of operations from the applicant’s disclosure as it would be understood by one of ordinary skill in the art. The applicant has the following description for allowable scope of operations in the disclosure:
[Applicant’s Disclosure: 0068] The context validation plugin queries the ticketing service using ticket identifier to determine an allowable scope of operations that may be necessary to fulfill the ticket. In some examples, the context validation plugin determines the allowable scope of operations by identifying resources that are named in the ticket such as servers, databases, data tables, and network addresses. In additional examples, the ticket identifies a group of computer systems, and the allowable scope of operations is based at least in part on the membership of the group of computer systems. In yet additional examples, the context validation plugin identifies a type of work described in the ticket, and defines the allowable scope of operations based at least in part on the type of work described in the ticket.
However, as recited above, Mahaffey in [0073] discloses authorization (allowable scope of operation) may be based on same IP address or network/Wi-Fi AP after the network is determining client provided network configuration information, or the server determining source information from the client. Types of network information include client provides configuration information (e.g. ip, default gateway, netmask, DNS server, domain); client provided neighbor device information such as: other device MAC addresses, e.g. gateway MAC, other device IPs, other device names (e.g. using SMB or MDNS); client provided Wi-Fi information (e.g., currently connected access point). If a requesting client and authorizing client are on the same network (e.g. same public IP, same Wi-Fi access point, as supplied to server by both clients, or otherwise have network information that they supply to server that corresponds), server can determine that the clients are in the same place, and reduce or eliminate the need to perform further authorization which in effect determining allowable scope of operation. Similarly, Mahaffey further discloses allowable scope of operation in in at least [0043; 0050; 0078; 0094; 
For at least the reason provided above, the applicant’s argument is not persuasive to overcome the prior arts in record and place claim14 in a better condition for allowance and therefore the rejection of 35 USC 103 for claim 14 has been is maintained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US. Pub. No.: 20150135258) in view of Mankovskii (US Pub. No.: 20160112397) in further view of Wahl US. Pub. No.: US 20080228721 A1.

As per claim 1:
Smith discloses a computer-implemented method comprising:
authorizing, at a web server, a request for access to a storage resource received by a requestor, where the requestor is an authenticated requestor (0012: user identification and/or authentication, device identification and/or authentication, seeking access to a resource; 0018: resource requestor);
as a result of determining that the request is authorized, determining whether one or more conditions are applicable to the request (0025: determine applicable criterion of context to access the requested resource);
performing an operation to determine whether fulfillment of the request is allowable, where the operation includes determining whether information from the one or more conditions satisfies a set of context-based rules (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event );
determining that fulfillment of the request is allowable as a result of the one or more conditions satisfying the set of context-based rules (0030:  provisioning of context-aware access credentials may be performed on-demand; 0034; 0043: context-aware authorization policy for the requested resource) and
providing, by the web server, access to the storage resource to satisfy the request based at least in part on fulfillment of the request being allowable (0034; 0043; 0049: 0053).

Smith suggests in [¶0019: The collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event]. Smith does not explicitly disclose wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access to the storage resource according to a schedule in a time zone of the request.

Mankovskii, in analogous art however, discloses wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access to the storage resource according to a schedule in a time zone of the request [¶0020: An access control system acquire a request for access to a protected resource within a computing environment, identify a username associated with the request, authenticate the username, acquire contextual information associated with the request for access (the contextual information comprise an identification of the device making the request, an identification of the operating system used by the device making the request, a location of the device making the request, a time of day associated with the location of the device making the request, or whether a particular cookie is stored on the device making the request), acquire a baseline set of rules for the username (e.g., determined based on a prior history of access requests made by the username), detect a deviation from the baseline set of rules based on the contextual information (e.g., a deviation may comprise a known device requesting access to the protected resource from a new location or from a new network), acquire additional authentication information in response to detecting the deviation, authorize access to the protected resource based on the additional authentication information. ¶0037: ¶0043: An access control application acquire contextual information associated with an access request by extracting the contextual information from an HTTP header transmitted from a computing device; the access control application derive the time of day associated with the location of the computing device by acquiring time of day information from a time zone converter application that outputs a current time of day given a location].
Mankovskii, further discloses in [¶0047: The contextual information is stored and an identification of the deviation is outputted in response to detecting the deviation, the contextual information tagged or indexed with an identification of the request for access (e.g., identified using a unique access request number or a time stamp for when the access request was received). ¶0051 : an access control application may acquire contextual information associated with an access request by extracting the contextual information from a message header transmitted from a computing device. The access control application may derive the time of day associated with the location of the computing device by acquiring time of day information from a time zone converter application that outputs a current time of day given a location. ¶0060: The baseline set of rules may be updated to include a new web browser from which an access request has occurred or to include a new time of day during which an access request has occurred; the baseline set of rules may be updated only if an intrusion or attack to an access control system or application managing access to the protected resource has not been detected within a threshold period of time subsequent to access to the protected resource being authorized. In one example, the baseline set of rules may be updated if no intrusion or attack has been detected within a threshold time period (e.g., within 24 hours) from access being authorized]. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of the access control requestor disclosed by Smith to include wherein satisfaction of the one or more conditions depends, at least in part, on a timestamp of the request for access to the storage resource according to a schedule in a time zone of the request. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an improved technique of managing access to protected resources (e.g., networks, servers, processors, storage devices, databases, files, and computing applications) and for detecting anomalies related to access control events as suggested by Mankovskii in (0002; 0004; 0013).

Smith and Mankovskii do not explicitly disclose comparing the timestamp of the request to specified working hours in the time zone of the authenticated requestor. Wahl, in analogous art however, discloses comparing the timestamp of the request to specified working hours in the time zone of the authenticated requestor ([0105:  Each user will have a calendar record that specifies their default location with an end date for the record having a value in the future. For example, normal US business hours might have a recurring event of "in office", scheduled for every Monday-Friday 8AM-6PM local time, with a location code of the office. Someone who works from home at potentially all hours might also have a recurring event 7.times.24 of "at home", with a location code of the home. As another example, for someone who is traveling from one office to another and may access the company resources while in transit]. [0106: The calendar access component periodically extracts calendar information from the calendar server, all times are converted from the time zone in which they were entered to Universal Coordinated Time (UTC)]. [0121:  The access control component determines if the request is from an anomalous location for that user using databases that contain user calendars and locations]. [0136: transit time table]; [0152: ACCESS DATE: the date and time of the access request]; [0172-0176]).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of the access control requestor disclosed by Smith and Mankovskii to include comparing the timestamp of the request to specified working hours in the time zone of the authenticated requestor. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an improved intrusion detection method for an access control function that is a component of a network-based service that anticipates locations for users and determine minimum transit times between multiple working locations to deny the request if the user's access is anomalous, as this may be caused by a request from an unauthorized individual impersonating the user as suggested by Wahl in [0011-0013].

As per claim 2:
Smith discloses wherein the one or more conditions comprise one or more statements, wherein each of the one or more statements expresses an attribute-based control rule that is compared with the set of context-based rules to determine whether fulfillment of the request is allowable (0019; 0025).

As per claim 3:
Smith discloses wherein the one or more conditions applicable to the request are based at least in part on the storage resource or information related to the request (0083).

As per claim 4:
Mankovskii discloses wherein the one or more conditions that are based at least in part on the storage resource further comprise at least one of: a name and type of the requested storage resource (0019; 0021; 0037; 0041).

As per claim 5:
Mankovskii discloses wherein the one or more conditions that are based at least in part on the information related to the request include at least one of: the timestamp, an originating Internet Protocol (IP) address, and a destination IP address of the requested storage resource (0021; 0037; 0041).

Claims 6-20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US. Pub. No.: 2015/0135258) in view of Mahaffey et al. (Hereinafter referred to as Mahaffey, US Pub. No.: US 20140189808 A1).

As per claim 6:
Smith discloses a system, comprising:
one or more processors (0014: Computing Device-Host Machine 102); and
memory storing executable instructions that, as a result of execution by the one or more processors (0014: Computing Device-Host Machine 104), cause the system to:
receive an access request for a computing instance hosted by a computing resource service provider (0012: user or device identification and/or authentication seeking access to a resource; the resource may include a variety of items, such as any number and type of data, files, folders, information, devices, at a single computing device serving as a host machine or distributed across a network (e.g., cloud network) at enterprise or other specific server computers or at location where a resource may be access, or a combination thereof;  0018: resource requestor);
determine whether contextual information related to the access request satisfies a set of context-based policies (0025: determine applicable criterion of context to access the requested resource; evaluation logic 216 evaluates the request which may include comparing the user/device contexts with one or more policies (e.g., policy P1) to determine the request meets the minimum criteria of contexts to access the requested resource (e.g., resource R1).)
provide an indication that fulfillment of the access request is allowable as a result of the contextual information satisfying the set of context-based policies (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event); and
provide access to the computing instance to satisfy the access request based at least in part on the indication (0026: using the evaluation results, decision/return logic 218 decides whether the request be granted, such as whether the user be allowed access to the requested resource. If the request is approved by decision/return logic 218, the approval decision is returned by decision/return logic 218 to policy enforcement point (PEP) 210; 0030-0031: provisioning of context-aware access credentials may be performed on-demand; 0038-0039: a determination is made as to whether the resource request satisfies a base policy. If the base policy is satisfied, at block 316, the user is allowed access to the requested resource).
Smith suggests in [¶0045: A deviation from the baseline set of rules is detected prior to authorizing access to the protected resource based on the contextual information. In one embodiment, a deviation from the baseline set of rules may comprise a computing device requesting access to the protected resource from a new location, from a new geolocation, or from a new network not covered by the baseline set of rules. In one example, the baseline set of rules for the username may specify that the username has only previously requested access to the protected resource from a first network (e.g., a work network) and the deviation may be detected if the access request derives from a second network different from the first network (e.g., a home network or a public network outside of the work environment)]. Smith does not explicitly disclose wherein satisfaction of the contextual information depends, at least in part, on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operations to be performed using the computing instance
Mahaffey, in analogous art however, discloses wherein satisfaction of the contextual information depends, at least in part, on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operations to be performed using the computing instance ([0063] a hardware identifier that may be used to determine identity of the client (e.g. IMEI, IMSI, UDID, MAC address, serial number, or other unique identifier provided by device's hardware), and which, because hardware identifiers are not always secret, may be used alongside other mechanisms to strengthen authentication or provide additional context to server when evaluating client-supplied information (e.g., a hardware ID associated with hardware that has previously authenticated successfully may be treated differently than a hardware ID that has not previously authenticated. [0068] In an embodiment, the authorizing client sends the results to the authentication server. A network provider may add header enrichment to request sent from authorizing client to server, thereby providing additional context to server of device's identity. e.g. device phone number, IMEI, IMSI, or other information added to HTTP header. [0072-0073]  For the location of multiple clients, the server receives location of both requesting client and authorizing clients (e.g. when receiving request from requesting client, contact authorizing client and receive its location), and if the authorizing client is in the same location as the requesting client, the request may be authorized or treated differently (e.g. lower security method of authorization) than if they were in different locations; or the authentication may be completely denied. Other forms of location can be integrated to determine if requesting client and/or authorizing client is in an appropriate location for the user, such as: credit card transactions, social network check-ins, building access control systems, facial recognition cameras, network-based location systems (e.g. mobile phone or laptop connected to Wi-Fi in a particular location). The network may be determined by one of: client provided network configuration information, or the server determining source information from the client. Types of network information include client provides configuration information (e.g. IP, default gateway, netmask, DNS server, domain); client provided neighbor device information such as: other device MAC addresses, e.g. gateway MAC, other device IPs, other device names (e.g. using SMB or MDNS); client provided Wi-Fi information (e.g., currently connected access point). Authorization may be based on same IP address or network/Wi-Fi AP. If a requesting client and authorizing client are on the same network (e.g. same public IP, same Wi-Fi access point, as supplied to server by both client, or otherwise have network information that they supply to server that corresponds), server can determine that the clients are in the same place, and reduce or eliminate the need to perform further authorization.
Mahaffey, further discloses in ([0078]: Authorization requirements may change based on information available to server. The determination of what authorization steps to take (if any), and how to determine whether or not the request is authorized may be based on a number of factors. Such data can include the context information described above. Examples of input to determine what level of authorization is required include: all authorizations are treated the same (i.e. no step of determining what form of authorization to do); server configuration/policy; requesting client configuration/policy or user input; based on type of authorization, e.g., if requesting client wants a one-time authorization vs. an authorization to access a number of services for the next 30 minutes creates different levels of authorization, access to view a bank account balance may be different than access to transfer money from the account.  [0090] The authentication server 102 uses certain context information to perform the authorization. Such context information can include information provided by the client, the location of the client (such as determined by Geo-IP, GPS or other location finding means, nearby wireless infrastructure, cell tower or other device triangulation means, transaction locations, building locations, etc.), network information (e.g., client configuration information, IP address, gateway, netmask, DNS, server, network names, access points, etc.), application data (e.g., pre-installed apps), common accounts, and device usage patterns and anomalies. [0091] The authentication process 106 is dynamic in that authorization requirements may change depending on the information available to the server. The level of authorization may be characterized as weak, strong, or any value in a range depending on a number of factors. These include: server configuration and policies, client configuration and policies, user input, types of transactions (e.g., website access versus money transfers or building access or personal data access), transaction frequency (e.g., one-time versus periodic), vulnerability of the requested transaction (e.g., susceptibility to fraud or malware attack), location of the client (e.g., near or far from home, safe or dangerous location), and other similar factors. [0094] The authorization flow starts with the requesting client 322 identifying the authorizing client 324 to communicate with. Alternatively, the server may identify the authorizing client 324 based on the network information provided by one or both clients (such as through WIFI access point, common public IP address, etc.), or the requesting client 322 broadcasting to the local network, or other discovery means. Whether the requesting client or the server determines authorizing client could be based on the network information as described above or by user choice. For example, the requesting client may know about nearby authorizing clients based on proximity such as Bluetooth or network broadcasts if they are on the same LAN. Alternatively, the server may provide one or more "nearby" (based on IP, location, etc) authorizing clients and a method to reach them, such as an IP and port, broadcast address, Bluetooth address, etc.). The requesting client then requests authorization from the authorizing client. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of contextual information to the access request disclosed by Smith to include wherein satisfaction of the contextual information depends, at least in part, on a network address identifier of the computing instance provided in the access request to determine an allowable scope of operations to be performed using the computing instance. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide a comprehensive password and identity management system that provides a simple and centralized method of user authentication and login for a wide variety of applications and networks and that utilizes an authentication device that is readily available. It further provides description for managing the identity, passwords and authentication credentials for users accessing network resources through server computers from client computers in a computer network environment. The comprehensive system is for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information as suggested by Mahaffey in (0007, 0039).

As per claim 7:
Smith discloses wherein access to the computing instance is provided on a temporary basis or with usage limitations on the computing instance (0025: context  necessary or minimally required for grant of access to one or more resources; policy decision point evaluate the request such that the context received with or within the request matched against the relevant policy for the requested resource to be accessed; comparing the user/device contexts with one or more policies to determine with the request meets the minimum criteria of contexts to access the requested resource –under BRI directed to usage limitations ). 

As per claim 8:
Smith discloses wherein the contextual information comprises one or more statements, wherein the system compares each of the one or more statements to the set of context-based policies to determine whether fulfillment of the request is allowable (0019: The collection and/or monitoring of context-aware data performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event; sensors devices configured to sense various characteristics of users, devices, environment, and/or things, etc., relative to computing device , e.g. biometric sensors to sense physical attributes (e.g., fingerprints, facial features/measurements, speech patterns, retinal patterns, etc.) and/or behavioral characteristics (e.g., body movement, visual focus patterns, eye movement, speed and strength of key inputs, etc.) of users of computing device; facilitate audio/visual devices to detect and monitor some of the characteristics, such as using a camera to detect a user's facial features, such as distance between the user's eyes, etc., microphone to detect the user's voice patterns, etc.)

As per claim 9:
Smith discloses wherein fulfillment of the access request is allowable if one or more statements, when evaluated against the set of context-based policies, indicate an approval (0025-0026).

As per claim 10:
Smith discloses wherein the contextual information comprises attributes that are either based at least in part on the requested computing instance or information related to the access request (0019; 0083).

As per claim 11:
Mahaffey discloses wherein the attributes based at least in part on the requested computing instance include at least one of: a name and type of the requested computing instance (0063; 0072-0073; 0078, 0091; 0094).

As per claim 12:
Mahaffey discloses wherein the attributes based at least in part on the information related to the access request include at least one of: a timestamp, an originating Internet Protocol (IP) address, and the network address of the requested computing instance (0063; 0072-0073; 0078, 0091; 0094).

As per claim 13:
Mahaffey discloses wherein the timestamp indicates a time that the access request is generated for the requested computing instance (0076; 0128; 0163; 0166).

As per claim 14:
Smith discloses a non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system (0014: Computing Device-Host Machine 102, 104), cause the computer system to at least:
receive a request generated by an authenticated user to access a web service (0012: user identification and/or authentication, device identification and/or authentication, seeking access to a resource; 0018: resource requestor);
as a result of receiving the request from the authenticated user, determining that the request is authorized (0025: determine applicable criterion of context to access the requested resource);
determine one or more conditions associated with the request, wherein the one or more conditions comprises one or more attributes to be checked against a set of context-based policies (0016: context-based access and resource access policy; 0019: collection and/or monitoring of context-aware data may be performed continuously, periodically (e.g., upon reaching a predetermined time period), and/or upon detecting an event; 0030:  provisioning of context-aware access credentials may be performed on-demand; 0034;  0043: context-aware authorization policy for the requested resource);
generate an indication that fulfillment of the request is allowable as a result of checking the one or more attributes against the set of context-based policies (0026: decision/return logic ; 0039: the rejection and the minimum policy are returned to the user); and
grant access to the web service  based at least in part on the indication (0030-0031; 0038-0039; 0041: in case of the acceptance of the request, the requested resource 356 is returned 352 to resource requestor 246 to be communicated on to the user; 0053: where the resource is a server, a server array or server farm, a web server, a network server, an Internet server, a work station, a mini-computer, a main frame computer, a supercomputer, a network appliance, a web appliance, a distributed computing system).

Smith does not explicitly disclose wherein the one or more attributes includes the identifier for the web service identified in the request is to be performed using the web service in accordance with an allowable scope of operations. Mahaffey, in analogous art however, discloses wherein the one or more attributes includes the identifier for the web service identified in the request is to be performed using the web service in accordance with an allowable scope of operations ([0047]: A service may use the server as a primary method of authenticating. In this case, the client sends a request to the server asking to authenticate with the service. The client automatically sends request to server (e.g. if user's request to take an action is implied or the request originates as part of a background, non-user-initiated, process on the service, no user action is required). In a user-initiated request, a web browser or app displays a button indicating that the user can authenticate (e.g. create account or login) to the service by clicking the appropriate button. When the user clicks the button, the client sends a request (e.g. HTTP) to server with information provided by the service. In an example implementation, the system can follow the OAuth standard. The request may contain information provided by service: an address (e.g. URL) where the authorized request can return information to the server, parameters indicating what type of authorization to perform to verify user consent (e.g. need voice, picture, biometric, parental or administrator authorization), or parameters indicating what type of information service requests to know about user. The server may determine what information to provide to service. A UI is displayed asking the user to choose what information or access to information or other privilege level to provide service. The service may request access to certain information as part of request to server or the type of information requested may be pre-configured on server, or all services may receive the same set of information, based on user selection. [0049]: The server may send user/identity/account information to service directly (or authorization to retrieve/access that information), e.g. via a pre-registered URL, via a URL provided in the request, or in response to a server's request for the information/authorization. This information may include any information server wishes to provide and may also include information provided to server in request, e.g. service's identifier for the request. [0060]: In an embodiment, the authentication/login component 106 enables a challenge-response interaction between client and server when the client makes a request to the server. The request specifies the resource or application to be accessed. The request 120 includes the application identity information--for a website, mobile or desktop application, or other service needing authentication or authorization URL, package name of hosting application, signing certificate of hosting application, class name or other identifier of a current user interface dialog, UUID (Universally Unique ID), a hash of the application or site code, a digital signature or HMAC provided by the application, or other information that can be used to fingerprint software (e.g. class name of running service or activity). To gain access, the client must provide the proper credentials in response to the challenge 116 from the server.
Mahaffey, further discloses ([0073] The network may be determined by one of: client provided network configuration information, or the server determining source information from the client. Types of network information include client provides configuration information (e.g. ip, default gateway, netmask, DNS server, domain); client provided neighbor device information such as: other device MAC addresses, e.g. gateway MAC, other device IPs, other device names (e.g. using SMB or MDNS); client provided Wi-Fi information (e.g., currently connected access point). Authorization may be based on same IP address or network/Wi-Fi AP. If a requesting client and authorizing client are on the same network (e.g. same public IP, same Wi-Fi access point, as supplied to server by both client, or otherwise have network information that they supply to server that corresponds), server can determine that the clients are in the same place, and reduce or eliminate the need to perform further authorization. [0078] Authorization requirements may change based on information available to server. The determination of what authorization steps to take (if any), and how to determine whether or not the request is authorized may be based on a number of factors. Such data can include the context information described above. Examples of input to determine what level of authorization is required include: all authorizations are treated the same (i.e. no step of determining what form of authorization to do); server configuration/policy; requesting client configuration/policy or user input; based on type of authorization, e.g., if requesting client wants a one-time authorization vs. an authorization to access a number of services for the next 30 minutes creates different levels of authorization, access to view a bank account balance may be different than access to transfer money from the account

Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify features of the claimed limitations of contextual information to the access request disclosed by Smith to include wherein the one or more attributes includes the identifier for the web service identified in the request is to be performed using the web service in accordance with an allowable scope of operations. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide a comprehensive password and identity management system that provides a simple and centralized method of user authentication and login for a wide variety of applications and networks and that utilizes an authentication device that is readily available. It further provides description for managing the identity, passwords and authentication credentials for users accessing network resources through server computers from client computers in a computer network environment. The comprehensive system is for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request, and the client computer, and determining a disposition of the request based on the reply and the one or more items of context information as suggested by Mahaffey in (0007, 0039).

As per claim 15:
Mahaffey discloses wherein access to the web service is granted for at least one of: a predetermined amount of time and granted with limited access to the web service (0076; 0128; 0163; 0166).

As per claim 16:
Smith discloses wherein each of the one or more conditions comprise a title, a description, and an expression (0037; 0041).

As per claim 17:
Smith discloses wherein the expression comprises one or more statements, wherein each of the one or more statements expresses an attribute-based control rule that is compared with the set of context-based policies to determine whether fulfillment of the request is allowable (0019; 025).

As per claim 18:
Mahaffey discloses wherein the expression comprises a timestamp applicable to a time the request was generated by the authenticated user (0076; 0128; 0163; 0166).

As per claim 19:
Smith discloses wherein the context-based policies are obtained from policies determined by the authenticated user (0025-0026).

As per claim 20:
Smith discloses wherein the user is determined to be an authenticated user by at least submitting an identity associated with the request to an authentication service and receiving a result that the user is authenticated (0037; 0041).

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as they would be interpreted by one of ordinary skill in the art at the time of filing of the invention. In order to construe, appraise boundary and scope of the claimed limitations, the following claim words or terms or phrases or languages have been given to them their BRI considerations and context in view of the applicant’s disclosure. For example, for the following claim words or terms or phrases or languages, the examiner recites BRI considerations from the applicant’s disclosure as follows:

Conditions; Satisfactions; Statement; Expressions; Attribute-Based; Policies and Timestamp, Computing Instance: are given their literal meaning as it would be understood by one of ordinary skill in the art in the context of the applicant’s disclosure. 

A schedule in a time zone of the authenticated requestor: [Applicant’s Disclosure: ¶ 0060] The context validation plugin retrieves 804 a current date and time using a network time service or system clock. At block 806, the context validation plugin determines the identity of the requester that submitted the request, and queries personnel management systems to determine the customary working hours of the requester. In some implementations, the customary working hours of the requester are determined by determining the geographical location of the requester, determining the time zone for the location of the requester, and assuming a customary working schedule such as 9 AM to 5 PM local time.

Allowable Scope of Operations	[Applicant’s Disclosure: 0068] The context validation plugin queries the ticketing service using ticket identifier to determine an allowable scope of operations that may be necessary to fulfill the ticket. In some examples, the context validation plugin determines the allowable scope of operations by identifying resources that are named in the ticket such as servers, databases, data tables, and network addresses. In additional examples, the ticket identifies a group of computer systems, and the allowable scope of operations is based at least in part on the membership of the group of computer systems. In yet additional examples, the context validation plugin identifies a type of work described in the ticket, and defines the allowable scope of operations based at least in part on the type of work described in the ticket.

Network Address Identifier	[Applicant’s Disclosure: 0060] A context validation plugin, determines whether an operation is allowed based at least in part on the identity of the requester and the time the request, in accordance with an embodiment. .... The context validation plugin retrieves a current date and time using a network time service or system clock.  The context validation plugin determines the identity of the requester that submitted the request, and queries personnel management systems to determine the customary working hours of the requester. The customary working hours of the requester are determined by determining the geographical location of the requester, determining the time zone for the location of the requester, and assuming a customary working schedule such as 9 AM to 5 PM local time. In some examples, the context validation plugin can determine whether the requester is on-site or off-site by examining the network connection used by the requester. If the network connection used by the requester is a virtual private network (“VPN”) connection, the context validation plug-in can infer that the requester is located off-site. If the network connection used by the requester is not a VPN connection, the network address of the requester can be used to identify an on-site location. [0068] The context validation plugin determines the allowable scope of operations by identifying resources that are named in the ticket such as servers, databases, data tables, and network addresses. 
Network Address Identifier: (From Wikipedia, the free encyclopedia) A network address is an identifier for a node or host on a telecommunications network. Network addresses are designed to be unique identifiers across the network, although some networks allow for local, private addresses, or locally administered addresses that may not be unique. Special network addresses are allocated as broadcast or multicast addresses. These too are not unique. 
Examples of network addresses include: Telephone number, in the public switched telephone network; IP address in IP networks including the Internet; IPX address, in NetWare; X.25 or X.21 address, in a circuit switched data network; MAC address, in Ethernet and other related IEEE 802 network technologies (From Wikipedia, the free encyclopedia).

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TECHANE GERGISO/Primary Examiner, Art Unit 2494