DETAILED ACTION

This communication is in response to Application No. 17/393,347 filed on 8/3/2021. Claims 1-20 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/19/2021 is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 12-15, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Viswanathan et al. (hereinafter Viswanathan)(US 2019/0197246) in view of Kawato (US 2009/0164649).
Regarding claims 1 and 14, Viswanathan teaches as follows:
a security zone policy enforcement system (interpreted as security module 105 in figure 1) in a cloud service provider infrastructure (the computer system 100 includes a security module 105, which can be configured to execute on one or more computers, such as computer 615 of FIG. 6 and/or other computers, see, para. [0019] and figure 1), comprising: 
a processor; and a memory storing instructions that, when executed by the processor (the logic of the security module 105 may be implemented in hardware, a non-transitory computer-readable medium 605 with stored instructions, firmware, and/or combinations thereof. The logic of the security module 105 could be implemented in the processor 620, stored in memory 635, or stored in disk 655, see, para. [0043] and figure 6), configure the system to: 
receive a request to perform an operation (at 225, a request 480 for access to time series data of the group 465 is received from a requestor through the access control container 455, such as from the first computing device 415 of the first tenant, see, para. [0035] and figures 2 and 4D); 
determine a compartment associated with the resource; determine that the compartment is associated with a security zone (the tenant can associate particular resources with particular compartments for grouping such time series data from the resources, and then assign access policies to each compartment in order to control access to time series data of respective resources assigned to each compartment, see, para. [0034]); 
determine set of one or more security zone policies applicable to the resource (an access policy 475 specifying access control rules (equivalent to security zone policies) for authorizing access to the time series data associated with the group 465 is created. The security module 105 programmatically defines the access policy 475 based upon various security rules, and ownership rules, resource allocations to tenants, and policies of the cloud computing environment 410, see, para. [0027] and figure 4C)(wherein, the time series data is collected from a resource, see, para. [0035]);
determine that the operation on the resource is permitted based on the set of one or more security zone policies (at 230, the security module 105 executes the access control rules within the access policy 475 to either deny or allow implementation of the request 480, see, para. [0036] and figures 2 and 4D); and 
responsive to determining that the operation on the resource is permitted, allow the operation to be performed on the resource (the security module 105 allows 485 implementation of the request 480, see, para. [0036] and figure 4D).
Viswanathan teaches a request to access time series data which is collected from a resource (see, para. [0035]) but does not explicitly teach performing the request (operation) on a resource.
Kawato teaches as follows:
the task management unit 200 requests the resource management units 300 to execute an operation to the resources 400 under the management thereof, in order to provide a service to the user. Execution of the operation by the resource management units 300 is accompanied by an access control processing in which an admission or denial of the operation is judged (see, para. [0030] and figure 1); and
the resource management units 300 each manage a plurality of resources 400 configuring the distributed computing system. The resources 400 are devices used for achieving a task, and more specifically, include computers, switches, routers, load balancers, firewalls, storage devices etc. (see, para. [0029]). 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan with Kawato to include utilizing processing (executing) capability of resources as taught by Kawato in order to provide processing service to the requesting users.
Regarding claims 2 and 15, Viswanathan teaches as follows:
the tenant can associate particular resources with particular compartments for grouping such time series data from the resources, and then assign access policies to each compartment in order to control access to time series data of respective resources assigned to each compartment (see, para. [0034]); and
a compartment of the first tenant is represented by the access control container 455, and thus access policies can be defined at a compartment level. If the first tenant has multiple compartments, then multiple access control containers 455 may be associated with the first tenant for each compartment (see, para. [0023]).
Viswanathan in view of Kawato teaches similar limitations as presented above except for the compartment identifier.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato to include a compartment identifier in order to efficiently identify multiple compartments. 
Regarding claims 3 and 7, Viswanathan teaches as follows:
access policies can be defined and executed at various levels within the cloud computing environment 410. In one embodiment, access control rules within the access policy 475 are executed at a tenant level of a multi-tenant computing service hosted by the cloud computing environment 410. In another embodiment, the access control rules within the access policy 475 are executed at a compartment level of the multi-tenant computing service hosted by the cloud computing environment 410 (see, para. [0034]).
Viswanathan in view of Kawato does not teach hierarchically related compartment policies.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato to include the well-known hierarchic policy structure in order to organize multiple policies on multiple compartments.
Regarding claim 4, Viswanathan teaches as follows:
determining that the operation on the resource is permitted based on the set of one or more compartment policies; and responsive to the determining, determining that the compartment is associated with the security zone (a compartment of the first tenant is represented by the access control container 455, and thus access policies can be defined at a compartment level. If the first tenant has multiple compartments, then multiple access control containers 455 may be associated with the first tenant for each compartment, see, para. [0023]).
Regarding claim 5, Viswanathan teaches as follows:
determining that the operation on the resource is not permitted based on the set of one or more compartment policies; and responsive to determining that the operation is not permitted to be performed on the resource based on the set of one or more compartment policies, disallowing the operation to be performed on the resource (the tenant can associate particular resources with particular compartments for grouping such time series data from the resources, and then assign access policies to each compartment in order to control access to time series data of respective resources assigned to each compartment, see, para. [0034])(at 230, the security module 105 executes the access control rules within the access policy 475 to either deny or allow implementation of the request 480, see, para. [0036]).
Regarding claim 6, Viswanathan teaches as follows:
determining that the operation on the resource is not permitted based on the set of one or more security zone policies; and responsive to the determining, disallowing the operation to be performed on the resource (at 230, the security module 105 executes the access control rules within the access policy 475 to either deny or allow implementation of the request 480, see, para. [0036])(the security module 105 denied 495 implementation of the second request 490, see, para. [0037] and figure 4E).
Regarding claims 12 and 13, Viswanathan teaches as follows:
requests to access the time series data of the group through the access control container are either denied or allowed based upon the execution of the access control rules within the access policy (see, para. [0018]); 
the security module 105 allows 485 implementation of the request 480 (see, para. [0036] and figure 4D); and
the security module 105 denied 495 implementation of the second request 490 (see, para. [0037] and figure 4E).
Viswanathan does not teach transmitting a result indicating the operation performed on the resource.
Kawato teaches as follows:
the operation execution means 340 notifies the result of the execution to the task management unit 200, after completion of the execution of operation to the resource 400 (see, para. [0039]); and 
the task management unit 200 requests the resource management units 300 to execute an operation to the resources 400 under the management thereof, in order to provide a service to the user (see, para. [0030]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan with Kawato to include transmitting an operation execution result to users as taught by Kawato in order to efficiently notify the users regarding the operation performed on a resource.
Regarding claim 17, Viswanathan in view of Kawato teaches similar limitations as presented above in the rejections regarding claims 1, 2, and 4. Therefore, it is rejected for similar reasons as presented above.
Regarding claim 18, Viswanathan teaches as follows:
the tenant can associate particular resources with particular compartments for grouping such time series data from the resources, and then assign access policies to each compartment in order to control access to time series data of respective resources assigned to each compartment (see, para. [0034]).
Viswanathan in view of Kawato teaches all limitations as presented above except for adding a resource to the compartment.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato to include adding a resource while associating resources with particular compartments in order to provision additional resources for the existing compartments.

Claims 8-11, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Viswanathan et al. (hereinafter Viswanathan)(US 2019/0197246) in view of Burns et al. (hereinafter Kawato)(US 2017/0093867), and further in view of Proffit et al. (hereinafter Proffit)(US 2014/0109103).
Regarding claims 8, 16, and 20, Viswanathan in view of Kawato teaches all limitations as presented above except for the conditions specifying a restriction on the operation.
Proffit teaches as follows:
some policies can be applicable to processing tasks to be performed on content objects of a given type (equivalent to operation performed on the resource), to processing types requested by a client associated with a specific level of service, or to specific types of requested processing tasks. Some policies may always be applicable. One or more policies can include a restriction, indicating that, when the policy is applicable, a resource is to have specific limitations or preferences in terms of which processing task it will perform (see, para. [0065]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato with Proffit to include some restrictions on the policy as taught by Proffit in order to efficiently protect the resource from malicious operations.
Regarding claim 9, Viswanathan in view of Kawato and Proffit does not teach a restriction being accessible from the public internet.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato and Proffit to include a restriction regarding public access via the Internet in order to securely protect the resource.
Regarding claim 10, Proffit teaches as follows:
one or more policies can include a restriction, indicating that, when the policy is applicable, a resource is to have specific limitations or preferences in terms of which processing task it will perform (see, para. [0065]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato and Proffit to include restriction conditions about related multiple resources in order to efficiently control access on multiple resources together.  
Regarding claims 11 and 19, Proffit teaches as follows:
a criterion could then identify types of tasks that the resource can or cannot perform based on the capabilities (see, para. [0053]); and
the restrictions can include criteria requiring that specific task characteristics be included or avoided in an assigned task (see, para. [0064]).
The Examiner interpreted applicant’s specific configuration and specific version as types of tasks or specific task characteristics.
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Viswanathan in view of Kawato with Proffit to include restriction conditions about specific task characteristics as taught by Proffit in order to restrict the resource based on operation characteristics. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597. The examiner can normally be reached Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEONG S PARK/Primary Examiner, Art Unit 2454
September 10, 2022