Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “storage unit, control unit” in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3, 6-8, 10, 13-15, 17, 19, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Wang et al. (US 11,032,287, hereinafter Wang).

Regarding claim 1, Wang discloses
A computer implemented method for access management for applications, the method comprising: (a) initializing, by one or more computing devices and at execution time of an application code (col. 4, lines 50-53: Access management system 110 may include the client permissions manager 115 that controls one or more user's access to the services 154A-N, the resources 150A-N, or any combination thereof; col. 19, lines 47-50: the client permissions manager 590 may include instructions 522 to enable execution of the processes and corresponding components shown and described in connection with FIGS. 1-4D), a scan of actions performed by the application code (col. 7, lines 5-7: The client permissions manager 115 can check the permission boundary policies 147 and the permissions policies 143 for the client request) on resources of a cloud computing environment (col. 4, lines 50-60: Access management system 110 may include the client permissions manager 115 that controls one or more user's access to the services 154A-N, the resources 150A-N, or any combination thereof. The services 154A-N may include computing services, storage services, database services, application services, or the like. The resources 150A-N may include computing resources, storages resources, database resources, application resources, or the like. The client permissions manager 115 can be used to grant different permissions to different users for difference services and resources);
(b) identifying, by the one or more computing devices, an existing set of permissions for the resources (col. 7, lines 5-7: The client permissions manager 115 can check the permission boundary policies 147 and the permissions policies 143 for the client request);
(c) identifying, by the one or more computing devices, one or more accessed permissions by the application code based on the actions performed by the application code on the resources (col. 7, lines 5-7: The client permissions manager 115 can check the permission boundary policies 147 and the permissions policies 143 for the client request);
(d) generating, by the one or more computing devices, a new set of permissions for accessing the resources (col. 8, lines 30-40: The permissions policy editor 210 can receive a request to create a new permissions policy 243 or modify an existing permissions policy 243 ... The permissions boundary policy editor 210 can receive a request to create a new permission boundary policy 245 or modify an existing permissions policy 245) based on the identifying in (b) and (c) (col. 7, lines 5-7: The client permissions manager 115 can check the permission boundary policies 147 and the permissions policies 143 for the client request);
(e) transmitting, by the one or more computing devices, the new set of permissions (col. 8, lines 30-40: The permissions policy editor 210 can receive a request to create a new permissions policy 243 or modify an existing permissions policy 243 ... The permissions boundary policy editor 210 can receive a request to create a new permission boundary policy 245 or modify an existing permissions policy 245) to a database for storage and later retrieval (col. 6, lines 13-24: The client permissions manager 115 can generate one or more permissions policies 143, one or more permissions boundary policies 147, and can store other data 145 or metadata in the data store 142. The client permission manager 115 can used the stored permission boundary policies 147 and the permissions policies 143 to determine whether that the action or access for an IAM principal is within the intersection of access permissions specified in the permission boundary policies 147 and the one or more access permissions in the and the permissions policies 143, allowing or denying the action or access in view of the determination); and
(f) applying, by the one or more computing devices, the new set of permissions (col. 8, lines 30-40: The permissions policy editor 210 can receive a request to create a new permissions policy 243 or modify an existing permissions policy 243 ... The permissions boundary policy editor 210 can receive a request to create a new permission boundary policy 245 or modify an existing permissions policy 245) to the resources when the application code is executed in a production environment (col. 6, lines 56-59: The client permissions manager 115 can receive a request to apply the permissions policies 143 and permission boundary policies 147 to a user).
Regarding claim 8 referring to claim 1, Wang discloses A non-transitory computer readable medium including instructions for a computing system for access management for applications, the instructions comprising: ... (Fig. 5).
Regarding claim 15 referring to claim 1, Wang discloses A computing system for access management for applications comprising: a storage unit to store instructions; a control unit, coupled to the storage unit, configured to processed the stored instructions to: ... (Fig. 5).

Regarding claims 3, 10, and 17, Wang discloses
wherein the identifying in (c) is performed by (col. 7, lines 5-7: The client permissions manager 115 can check the permission boundary policies 147 and the permissions policies 143 for the client request):
scanning a log of the cloud computing environment (col. 2, lines 46-49: To enable Bob as a delegated administrator, a new type of managed policy attachment is introduced called a permission boundary attachment, which specifies the maximum permission on an IAM principal; col. 9, lines 25-27: the permissions policy 243 and permission boundary policy 245 can be applied to a resource 250); and
identifying, using the log (col. 2, lines 46-49: To enable Bob as a delegated administrator, a new type of managed policy attachment is introduced called a permission boundary attachment, which specifies the maximum permission on an IAM principal; col. 9, lines 25-27: the permissions policy 243 and permission boundary policy 245 can be applied to a resource 250), application programming interface (API) calls to the resources by the application code (col. 5, lines 63-66: The command line tool can also be used in connection with scripts to perform tasks. The access management system 110 may also include an application programming interface (API) to permit requests directly to the service; col. 8, lines 21-23: The client permissions manager 200 may also include other software components, such as an API, a CLI, or the like).

Regarding claims 6, 13, and 19, Wang discloses
further comprising:
receiving a set of permissions from a user; and modifying the existing set of permissions based on the received set of permissions (col. 5, lines 20-24: The permissions granted to users or roles created or modified by the delegated administrator will never exceed the permission boundaries specified by the original grantor (central administrator) in the permission boundary policy 147).

Regarding claims 7, 14, and 20, Wang discloses
wherein the set of permissions are received via a user interface (col. 5, lines 56-63: The access management system 110, and its corresponding components, can be accessed in one or more of the following ways: a management console that is a browser-based interface to manage the access management system 110, and corresponding services and resources; a command line tool that can be used to issue commands at a client device's command line to perform access management tasks).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 4, 9, 11, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (US 11,032,287, hereinafter Wang) in view of Nevrekar et al. (US 2022/0182333, hereinafter Nevrekar).

Regarding claims 2, 9, and 16, Wang discloses
further comprising generating, by the one or more computing devices, metadata (col. 6, lines 13-24: The client permissions manager 115 can generate one or more permissions policies 143, one or more permissions boundary policies 147, and can store other data 145 or metadata in the data store 142. The client permission manager 115 can used the stored permission boundary policies 147 and the permissions policies 143 to determine whether that the action or access for an IAM principal is within the intersection of access permissions specified in the permission boundary policies 147 and the one or more access permissions in the and the permissions policies 143, allowing or denying the action or access in view of the determination) about the new set of permissions as a part of the generating in (d) (col. 8, lines 30-40: The permissions policy editor 210 can receive a request to create a new permissions policy 243 or modify an existing permissions policy 243 ... The permissions boundary policy editor 210 can receive a request to create a new permission boundary policy 245 or modify an existing permissions policy 245)
Wang does not explicitly disclose wherein the metadata includes a timestamp indicating the time of generation of the new set of permissions. Nevrekar discloses selecting remote device wherein the metadata includes a timestamp indicating the time of generation of the new set of permissions (paragraph [0020]: an attribute of a resource indicates (e.g., specifies) information about the resource. Examples of an attribute of a resource include but are not limited to metadata (e.g., a tag or a timestamp) associated with the resource, a name of the resource, an environment of the resource (e.g., production, test, or confidential), a credential that is usable to obtain access to the resource, a type of the resource, a time instance at which the resource was most recently scanned, and a proportion of the resource that was scanned during the most recent scan of the resource). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wang by utilizing the attribute of a resource including metadata (e.g., timestamp) associated with the resource and an environment of the resource (e.g., test) in production environment or test environment of Nevrekar. The motivation would have been to increase efficiency of a user of a computing system that governs resources and/or extracts metadata associated with the resources, for example, by streamlining setup at scale, management and monitoring of the metadata extraction process, and application of policies (e.g., access policies, classification policies, and scan policies) (Nevrekar paragraph [0024]).

Regarding claims 4 and 11, Wang discloses
wherein (a)-(f) are performed in a ... environment for the application code (col. 4, lines 50-53: Access management system 110 may include the client permissions manager 115 that controls one or more user's access to the services 154A-N, the resources 150A-N, or any combination thereof; col. 19, lines 47-50: the client permissions manager 590 may include instructions 522 to enable execution of the processes and corresponding components shown and described in connection with FIGS. 1-4D).
Wang does not explicitly disclose test environment. Nevrekar discloses selecting remote device test environment (paragraph [0020]: an attribute of a resource indicates (e.g., specifies) information about the resource. Examples of an attribute of a resource include but are not limited to metadata (e.g., a tag or a timestamp) associated with the resource, a name of the resource, an environment of the resource (e.g., production, test, or confidential), a credential that is usable to obtain access to the resource, a type of the resource, a time instance at which the resource was most recently scanned, and a proportion of the resource that was scanned during the most recent scan of the resource). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wang by utilizing the attribute of a resource including metadata (e.g., timestamp) associated with the resource and an environment of the resource (e.g., test) in production environment or test environment of Nevrekar. The motivation would have been to increase efficiency of a user of a computing system that governs resources and/or extracts metadata associated with the resources, for example, by streamlining setup at scale, management and monitoring of the metadata extraction process, and application of policies (e.g., access policies, classification policies, and scan policies) (Nevrekar paragraph [0024]).

Allowable Subject Matter
Claims 5, 12, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SISLEY KIM whose telephone number is (571)270-7832. The examiner can normally be reached on 9:30 A.M. - 6:30 P.M.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emerson Puente, can be reached on (571)272-3652. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SISLEY N KIM/
Primary Examiner, Art Unit 2196
9/1/2022