DETAILED ACTION
Remarks
The instant application having Application Number 17/217,025 filed on March 30, 2021 has a total of 20 claims pending in the application; there are 3 independent claims and 17 dependent claims, all of which are presented for examination by the examiner.  The present application is being examined under the pre-AIA  first to invent provisions. 

Examiner Notes
Examiner has cited particular columns/paragraph and line numbers in the references applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant in preparing responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution.  MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.”  Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R.  1.131(b), (c), (d), and (h) and therefore held not fully responsive.  Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.

Continuation Statement
This patent application 17/217,025, filed 03/30/2021 is a continuation of 15/132,109, filed 04/18/2016, now U.S. Patent #10,997,312.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites a series of acts (i.e., process) of receiving, from a user, a request for data in a data source, wherein the data source is bound to an access policy; based on the request, identifying an identity of the user; identifying a rule in the access policy, the rule specifying access permission to the data source for the identity; applying the rule to the request to generate response data from the data source; and providing the response data to the user.  
The limitations of receiving, from a user, a request for data in a data source, wherein the data source is bound to an access policy; based on the request, identifying an identity of the user; identifying a rule in the access policy, the rule specifying access permission to the data source for the identity; applying the rule to the request to generate response data from the data source; and providing the response data to the user, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “a processor and memory,” nothing in the claim element precludes the steps from practically being performed in the mind. For example, but for the “a processor and memory” language, “receiving, from a user, a request for data in a data source, wherein the data source is bound to an access policy”, in the context of this claim and under its broadest reasonable interpretation encompasses the user manually collecting information that follows some action. Similarly, the limitation of “identifying an identity of the user” based on the request and “identifying a rule in the access policy, the rule specifying access permission to the data source for the identity; applying the rule to the request to generate response data from the data source; and providing the response data to the user”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “a processor and memory” language, “specifying access permission”, “applying the rule to the request” in the context of this claim encompasses the user doing some action on the collected data and producing the treated data to the user.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a processor and memory to perform receiving, identifying, applying and providing steps. The processor and memory in all steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of receiving, identifying, applying and providing information based on a determined amount of use) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor and memory to perform receiving, identifying, applying and providing steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, the claim is not patent eligible.
Independent claims 35 and 43 have similar limitations to claim 1 and are rejected for at least the same reasons as claim 1.  With respect to the dependent claims 25-34 and 36-42, the claims do not provide any additional elements that, when considered individually or as an ordered combination, amount to significantly more than the abstract idea identified.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.


Claims 24, 25, 30, 34, 35, 38, 40, 42 and 43 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sheinis et al. (US Patent Publication No. 2004/0019809 A1, ‘Sheinis’, hereafter).


Regarding claim 24. Sheinis teaches a system comprising: 
a processor; and memory coupled to the processor, the memory comprising computer executable instructions that, when executed by the processor (a system for entity-based security comprising a server having a central processing unit (CPU), a data storage device for exchanging non-volatile data with the CPU, random access memory (RAM) for exchanging volatile data with the CPU, and an input device for receiving data for the CPU and output device for presenting outputted data from the CPU. The CPU is operable to receive, via the input device, a request to access one of a plurality of server objects stored in the data storage device, the CPU is operable to execute the instructions, Sheinis [0040], [0043]), performs a method comprising: 
receiving, from a user, a request for data in a data source, wherein the data source is bound to an access policy (EJB container 48 also contains a policy manager 100 that is responsible for determining access rights of a particular user logged-in to system 20, and who is generating a particular access request. Policy manager 100 is implemented as a stateless session bean, and as such can obtain logged-in user information portion of the security characteristics of any given call from the session context, as provided by EJB container 48. In turn, these access rights are used, (in conjunction with the access rules in supplementary access control rules 68), to determine whether a particular access request is authorized, Sheinis [0082]); 
based on the request, identifying an identity of the user (At step 230, it is determined whether the call on home interface 76 is authorized. In the present embodiment, EJB proxy 60 handles the determination as to whether the call is authorized for a user upon whose behalf the call was made. EJB Proxy 60 extracts security characteristics from the call in order to make the determination. The security characteristics can include any number particular attributes of the call, including, but not limited to: a) the type of call that is made; b) the identity of the logged-in user on whose behalf the call was made, Sheinis [0090], [0096]); 
identifying a rule in the access policy, the rule specifying access permission to the data source for the identity (At step 236, policy manager 100 then verifies that the logged-in user has access to entity bean 96, and then proceeds to compare the roles with which the logged-in user can access the entity, with each set of authorization criteria for the supplementary access control rules 68 received at step 232. In a particular embodiment, the authorization criteria are positively declared and, upon satisfaction of any of the sets of authorization criteria, the matching process is terminated. If the user's information satisfies the authorization criteria, policy manager 100 determines that the call is authorized. Where the user's information does not satisfy the authorization criteria, policy manager 100 determines that the call is not authorized (i.e. rejected.), Sheinis [0097]); 
applying the rule to the request to generate response data from the data source (at step 232, there is an access control rule that states "allow call of type `B` for only certain people", and the type of call that was received at step 210 was a call of type `B`, then at step 233 an initial determination will be made that "No" the call is not approved, and the identity portion of the security characteristics will be deemed relevant, and the method will advance to step 234 so that a further determination as to whether to approve or reject the call can be made, Sheinis [0093-0095]); and 
providing the response data to the user (At step 250, a determination is made as to whether the response to the call made at step 240 is authorized. This determination at step 250 is performed in substantially the same manner as the determination made at step 230, except that this time it is the delivery of the response to the call for which the determination is made, rather than a determination as to the authorization of the call itself. In essence, EJB proxy 60 then repeats the process of providing entity-based security on the response received at step 240, Sheinis [0101-0102]).
Regarding claim 25. Sheinis teaches, wherein the data source is a view or a stored procedure (Sheinis [0077], [0130-0131], [0142], [0147]).
Regarding claim 30. Sheinis teaches, wherein the identity is a user role (Sheinis [0016], [0077], [0096-0097]).
Regarding claim 34. Sheinis teaches, wherein the access permission provides the identity less than full access to the data source (Sheinis [0095-0096], Fig. 4).
Regarding claim 35. Sheinis teaches a method comprising: 
receiving, from a user, a request for data in a data source, wherein the data source is bound to an access policy (EJB container 48 also contains a policy manager 100 that is responsible for determining access rights of a particular user logged-in to system 20, and who is generating a particular access request. Policy manager 100 is implemented as a stateless session bean, and as such can obtain logged-in user information portion of the security characteristics of any given call from the session context, as provided by EJB container 48. In turn, these access rights are used, (in conjunction with the access rules in supplementary access control rules 68), to determine whether a particular access request is authorized, Sheinis [0082]); 
based on the request, identifying a user identity of the user (At step 230, it is determined whether the call on home interface 76 is authorized. In the present embodiment, EJB proxy 60 handles the determination as to whether the call is authorized for a user upon whose behalf the call was made. EJB Proxy 60 extracts security characteristics from the call in order to make the determination. The security characteristics can include any number particular attributes of the call, including, but not limited to: a) the type of call that is made; b) the identity of the logged-in user on whose behalf the call was made, Sheinis [0090], [0096]); 
identifying in the access policy: a first rule specifying access permission to the data source for a first identity; and a second rule specifying access permission to the data source for a second identity (At step 236, policy manager 100 then verifies that the logged-in user has access to entity bean 96, and then proceeds to compare the roles with which the logged-in user can access the entity, with each set of authorization criteria for the supplementary access control rules 68 received at step 232. In a particular embodiment, the authorization criteria are positively declared and, upon satisfaction of any of the sets of authorization criteria, the matching process is terminated. If the user's information satisfies the authorization criteria, policy manager 100 determines that the call is authorized. Where the user's information does not satisfy the authorization criteria, policy manager 100 determines that the call is not authorized (i.e. rejected.), Sheinis [0097], Please also see [0092-0093]); 
when the user identity is the first identity, applying the first rule to the request to provide a first view of the data source (at step 232, there is an access control rule that states "allow call of type `B` for only certain people", and the type of call that was received at step 210 was a call of type `B`, then at step 233 an initial determination will be made that "No" the call is not approved, and the identity portion of the security characteristics will be deemed relevant, and the method will advance to step 234 so that a further determination as to whether to approve or reject the call can be made, Sheinis [0093-0094], [0096]); 
when the user identity is the second identity, applying the second rule to the request to provide a second view of the data source, wherein the second view is different from the first view (at step 232, there is an access control rule that states "allow call of type `B` for only certain people", and the type of call that was received at step 210 was a call of type `B`, then at step 233 an initial determination will be made that "No" the call is not approved, and the identity portion of the security characteristics will be deemed relevant, and the method will advance to step 234 so that a further determination as to whether to approve or reject the call can be made, Sheinis [0093-0095]); and 
providing the first view or the second view to the user (At step 250, a determination is made as to whether the response to the call made at step 240 is authorized. This determination at step 250 is performed in substantially the same manner as the determination made at step 230, except that this time it is the delivery of the response to the call for which the determination is made, rather than a determination as to the authorization of the call itself. In essence, EJB proxy 60 then repeats the process of providing entity-based security on the response received at step 240, Sheinis [0101-0102]).
Regarding claim 38. Sheinis teaches, wherein the first view and the second view are each a base view or a database view of the data source (Sheinis [0077], [0130-0131], [0142], [0147]).
Regarding claim 40. Sheinis teaches, wherein the second rule enables the user to delete the data in the data source (Sheinis [0045], [0130]). 
Regarding claim 42. Sheinis teaches, wherein the access policy is further associated with a second attribute, the second attribute corresponding to an identifier for a group of users (Sheinis [0077], [0157]). 
Regarding claim 43, although claim 43 is directed to a method, it is similar in scope to claim 35.  The method steps of claim 35 substantially encompass the method recited in claim 43. Therefore, claim 43 is rejected for at least the same reason as claim 35 above.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 26-29, 31, 37 and 39 are rejected under 35 U.S.C. 103 (a) as being unpatentable over Sheinis et al. (US Patent Publication No. 2004/0019809 A1, ‘Sheinis’, hereafter) in view of Lei et al. (US Patent Publication No. 2005/0038783 A1, ‘Lei’, hereafter).

Regarding claim 26. Sheinis does not teach, wherein the access policy is associated with one or more attributes bound to the data source, the data source providing respective values for the one or more attributes.
However, Lei teaches wherein the access policy is associated with one or more attributes bound to the data source, the data source providing respective values for the one or more attributes (attaching predicates to queries, policy functions may be configured to set context attributes. For example, assume that a view Vx is created which selects only the unclassified columns of a table t. Under these conditions, the policy function associated with Vx may set the value of an "access_path" attribute to Vx, Lei [0188]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made, having the teachings of Sheinis and Lei before him/her, to modify Sheinis with the teaching of Lei’s database management systems to control access to information within database management systems.  One would have been motivated to do so for the benefit of providing Sheinis row-level filtering of data.   A database server must have a mechanism for restricting users to particular subsets of the rows within tables to enforce row-level filtering of data to restrict access to certain rows for security reasons as taught by Lei (Lei, Abstract, [0012-0013]).
Regarding claim 27. Sheinis as modified teaches, wherein the data source is a centralized default source that comprises one or more columns that are bound to the one or more attributes (Lei [0187-0188]).
Regarding claim 28. Sheinis as modified teaches, wherein a subset of fields from the data source are bound to a centralized default source, the access policy being bound to the centralized default source (Lei [0015]).
Regarding claim 29. Sheinis as modified teaches, wherein: when an attribute of the access policy is bound to a column in the data source, the centralized default source is overridden for the attribute such that the attribute of the data source is used (Lei [0015], [0025]).
Regarding claim 31. Sheinis as modified teaches, wherein applying the rule to the request comprises applying the rule to at least one of inputs or outputs of the data source using the respective values for the one or more attributes (Lei [0077-0079]).
Regarding claim 37. Sheinis as modified teaches, further comprising: prior to identifying, in the access policy, the first rule, identifying the access policy is bound to the data source (Lei [0188]).
Regarding claim 39. Sheinis as modified teaches, wherein the first rule: 
enables the user to modify the data in the data source (Lei [0079], [0118]); and 
does not enable the user to delete the data in the data source (Lei [0079], [0118]).  

Claims 32, 33, 36 and 41 are rejected under 35 U.S.C. 103 (a) as being unpatentable over Sheinis et al. (US Patent Publication No. 2004/0019809 A1, ‘Sheinis’, hereafter) in view of Russell A. et al. (Publication “SQL DOM: Compile Time Checking of Dynamic SQL Statements”, ACM 1-58113-963-2/05/0005, ‘Russell’, hereafter).

Regarding claim 32. Sheinis does not teach, wherein applying the rule to the request comprises rewriting the request to collect the response data from one or more tables bound to the access policy.
However, Russell teaches wherein applying the rule to the request comprises rewriting the request to collect the response data from one or more tables bound to the access policy (Russell, Section 3.4, pages 92-93).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made, having the teachings of Sheinis and Russell before him/her, to modify Sheinis with the teaching of Russell’s “SQL DOM: Compile Time Checking of Dynamic SQL Statements”.  One would have been motivated to do so for the benefit of providing Sheinis increased reliability of an application during runtime.   Without compiler support the developer can never be sure that the code and database schema remain consistent. Unit tests, even if they exist, are also rarely complete enough to uncover all deviations between code and schema. Using the SQL DOM would eliminate this problem. The compiler would be able to assist in the maintenance process, thereby increasing the reliability of the application. Having the SQL DOM, developers would be more willing to make changes to the database schema to meet the needs of their customers, as taught by Russell (Russell, Abstract, [0012-0013]).
Regarding claim 33. Sheinis as modified teaches, wherein a structured query language domain object model (SQL DOM) is used to rewrite the request to include one or more filter conditions, the SQL DOM comprising one or more classes that load a query by parsing a SQL statement (Russell, Section 3.4, pages 92-93).
Regarding claim 36. Sheinis as modified teaches, wherein the data source extracts the data from one or more database tables (Russell, Section 3.3, Column 1, Page 92).
Regarding claim 41. Sheinis as modified teaches, wherein the access policy is associated with a first attribute, the first attribute corresponding to a primary key of the access policy (Russell, Section 3.3, page 91, Section 3.4, pages 92-93).  

Conclusion
The prior art made of record, listed on form PTO-892, and not relied upon, if any, is considered pertinent to applicant’s disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASANUL MOBIN whose telephone number is (571)270-1289.  The examiner can normally be reached on 8AM to 5:00PM EST M-F.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya can be reached on 571-272-4034.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HASANUL MOBIN/
Primary Examiner, Art Unit 2168