DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on December 14, 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner. 

Specification
The disclosure is objected to because of the following informalities: 
In paragraph [0053], line 1, “that that” should be read as “that”.   
Appropriate correction is required.

Claim Objections
Claims 11 and 20 are objected to because of the following informalities: 
In claim 11, line 3 and claim 20, line 5, “a processor(s)” is unclear as to whether it is intended to recite one processor or plural processors. As in MPEP 608.01(m), Forms of Claims, reference characters corresponding to elements recited in the detailed description and the drawings may be used in conjunction with the recitation of the same element or group of elements in the claims. The reference characters, however, should be enclosed within parentheses so as to avoid confusion with other numbers or characters which may appear in the claims. Generally, the presence or absence of such reference characters does not affect the scope of a claim. In this case, the “(s)”, being enclosed within parentheses, creates confusion as to the intended subject matter.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter because the broadest reasonable interpretation of the “computer program product” of claim 20 encompasses signals per se. The specification states that “computer program product may include a computer readable storage medium (or media) having computer readable program instructions” which clearly includes propagating electromagnetic waves. The broadest reasonable interpretation of another recitation “a machine readable storage device” in claim 20 encompasses signals per se. The specification is silent on the “machine readable storage device”. The further recitations of “computer code” and “instructions” in claim 20 only serve to limit the content carried by the electromagnetic waves. As understood in light of the specification, the broadest reasonable interpretation of claim 20 encompasses signals which are not within one of the four statutory categories of invention. See MPEP 2106.03 I. It is suggested that claim 20 be amended to recite a “non-transitory” computer readable medium to overcome this rejection. 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 5, 7, 9, 11, 12, 15, 17, 19 and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chhabra et al. (US PG Publication No. 2020/0007455, hereinafter “Chhabra”).
Regarding claim 1, Chhabra discloses a method [reads on access management service 104 or service 104, see Chhabra para 0069 and Figures 1-2] for controlling an application programming interface (API) access action [reads on an access to resource, see Chhabra para 0069], the method comprising: 
selecting [reads on specifying a principal tag that permits access to the resource, wherein the principal tag may be a user tag associated with a user or a role tag associated with a role.  The Examiner asserts selecting an operator account to be the same as Chhabra’s specifying the principal tag that indicates a user or a role being permitted to access the resource, see Chhabra para 0071] from an operator account database [reads on user profile 106 which includes tags and stores or otherwise be associated with information about user (or principal) and capable of recall or access by the service 104 for certain operations, such as in response to a request, see Chhabra para 0024 and Figures 1-2]  an available operator account [reads on a principal tag, see Chhabra para 0071], 
generating a unique action tag [reads on combination of a request for access by a principal to a resource and a token or other certificate to access the resource that is given to the principal after determining that access condition is satisfied, see Chhabra para 0072. The Examiner asserts one of ordinary skill in the art would know for a request for access by a principal to a resource that includes a tag (reads on tags that may be added to an action and/or a request in order to support authorization based on request tags, see Chhabra para 0095) and the tag to be the same as an identifier for the API access action  and a token or other certificate to access the resource as a unique API access key.] which encompasses an identifier for the API access action [tags added to an action and/or a request, see Chhabra para 0095] and a unique API access key [a token or other certificate to access the resource, see Chhabra para 0072] for executing the API access action, 
maintaining a dynamic access list [reads on implementing one or more access policies that include tags required to access a particular resource, which must be held by a user to access that resource, see para 0041. The Examiner construes the dynamic access list to be the same as a policy that includes principal to access resource, action to be performed, and resource to be accessed, see table in Chhabra para 0089], which has a mapping of the identifier of the API access action [reads on action tag, “Action”: [“storage: GetObject”], see Chhabra para 0089 table] and the unique API access key [a token or other certificate to access the resource, see para 0072] and a selected operator account [reads on principal tag, “xyz: PrincipalAccount”: ”111122223333”, see Chhabra para 0089 table],  
granting [reads on enabling access to the resource by the principal. see Chhabra para 0074.], via the dynamic access list [reads on the access policies that may include tags required to access a particular resource, see Chhabra para 0041 and 0089 table] and the unique action tag [reads on combination of a request for access by a principal to a resource and a token or other certificate to access the resource that is given to the principal after determining that access condition is satisfied, see Chhabra para 0072.], to the selected operator account [reads on the principal tag, see Chhabra para 0071] an authorization for the API access action  to a security-sensitive computing system [reads on computing resources, see Chhabra para 0025 and Figure 1 block 114(1)-(M)] limited to performing the mapped API access action, and 
revoking a further API access action [reads on expiring access after usage and/or a predetermined duration of time, see Chhabra para 0072] based on the unique action tag [reads on combination of a request for access by a principal to a resource and a token or other certificate to access the resource that is given to the principal after determining that access condition is satisfied, see Chhabra para 0072.], after the operator has performed the API access action [reads on after usage of the token or other certificate, see Chhabra para 0072].  
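The claim 1 flow as the examiner maps it onto Chhabra (select an operator account, mint a unique action tag carrying an action identifier and a one-time API access key, keep a dynamic access list mapping both to the selected operator, grant only the mapped action against the security-sensitive system, and revoke the tag once the action has been performed) can be made concrete in code. The following Python is an added illustration written for this page; it is not code from the application, from Chhabra, or from any other cited reference, and every name in it (AccessController, ActionTag, the operator accounts, the resource names, the expiry TTL, the one-live-tag-per-operator rule) is an assumption chosen for the example.

```python
"""Single-use, action-bound API access (example only): select an operator
account, mint a unique action tag (action identifier + one-time API access
key), record its mapping in a dynamic access list, grant only the mapped
action, and revoke the tag after the action has been performed."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ActionTag:
    """One entry of the dynamic access list (field names are this example's own)."""
    tag_id: str         # identifier for the API access action
    action: str         # the single API action the tag authorizes, e.g. "storage:GetObject"
    target: str         # the security-sensitive system the action runs against
    api_key: str        # unique, one-time API access key bound to this tag
    operator: str       # the selected operator account the grant is bound to
    expires_at: float   # hard expiry, so an unused tag does not live forever
    used: bool = False  # set once the action has been performed; tag is then revoked


class AccessController:
    def __init__(self, operator_db, ttl_seconds=300, clock=time.time):
        self.operator_db = dict(operator_db)  # operator account database (constructed input)
        self.access_list = {}                 # dynamic access list: tag_id -> ActionTag
        self.ttl = ttl_seconds
        self.clock = clock                    # injectable so expiry can be tested deterministically

    def select_operator(self):
        """Return an available operator that holds no live tag (assumed policy), or None."""
        busy = {t.operator for t in self.access_list.values() if not t.used}
        for name, acct in self.operator_db.items():
            if acct.get("available") and name not in busy:
                return name
        return None

    def generate_action_tag(self, operator, action, target):
        """Mint the unique action tag and add its mapping to the dynamic access list."""
        tag = ActionTag(tag_id="act-" + secrets.token_hex(8), action=action, target=target,
                        api_key=secrets.token_urlsafe(32), operator=operator,
                        expires_at=self.clock() + self.ttl)
        self.access_list[tag.tag_id] = tag
        return tag

    def authorize(self, tag_id, api_key, operator, action, target):
        """Grant only if the tag is live, the key matches, and the request is exactly
        the operator/action/target the access list maps the tag to."""
        entry = self.access_list.get(tag_id)
        if entry is None or entry.used or self.clock() > entry.expires_at:
            return False
        if not hmac.compare_digest(entry.api_key, api_key):  # constant-time key comparison
            return False
        return (entry.operator, entry.action, entry.target) == (operator, action, target)

    def perform(self, tag_id, api_key, operator, action, target):
        """Execute the mapped action once; the tag is revoked as soon as it has been used."""
        if not self.authorize(tag_id, api_key, operator, action, target):
            return "denied"
        # the real call to the security-sensitive system would go here
        self.revoke(tag_id)
        return "performed"

    def revoke(self, tag_id):
        """Revoke the tag so any further API access action under it is refused."""
        entry = self.access_list.get(tag_id)
        if entry is not None:
            entry.used = True


def demo(clock=time.time):
    """Walk the flow on constructed data; returns (selected operator, outcomes)."""
    ctl = AccessController({"op-alice": {"available": True},
                            "op-bob": {"available": False}}, clock=clock)
    op = ctl.select_operator()
    tag = ctl.generate_action_tag(op, "storage:GetObject", "vault-prod")
    outcomes = [
        ctl.perform(tag.tag_id, tag.api_key, op, "storage:DeleteObject", "vault-prod"),  # not the mapped action
        ctl.perform(tag.tag_id, tag.api_key, "op-bob", "storage:GetObject", "vault-prod"),  # not the bound operator
        ctl.perform(tag.tag_id, tag.api_key, op, "storage:GetObject", "vault-prod"),  # the one granted action
        ctl.perform(tag.tag_id, tag.api_key, op, "storage:GetObject", "vault-prod"),  # replay after revocation
    ]
    return op, outcomes


def expiry_demo():
    """Hard expiry: an unused tag is refused once its TTL has passed."""
    now = [1_000.0]
    ctl = AccessController({"op-alice": {"available": True}}, ttl_seconds=60, clock=lambda: now[0])
    tag = ctl.generate_action_tag("op-alice", "storage:GetObject", "vault-prod")
    before = ctl.authorize(tag.tag_id, tag.api_key, "op-alice", "storage:GetObject", "vault-prod")
    now[0] += 61
    after = ctl.authorize(tag.tag_id, tag.api_key, "op-alice", "storage:GetObject", "vault-prod")
    return before, after


if __name__ == "__main__":
    print(demo())         # ('op-alice', ['denied', 'denied', 'performed', 'denied'])
    print(expiry_demo())  # (True, False)
```

The dynamic access list keeps the used entry rather than deleting it, so a replay of the same tag is refused by the `used` flag and the record remains available for audit; the hard expiry covers the case where the operator never performs the action at all.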

Regarding claim 2, Chhabra discloses the method according to claim 1, wherein the selected operator account [reads on a principal tag that permits access to the resource, see Chhabra para 0071]  is a group of operator accounts [reads on  principals having the same (or similar) principal tag that may be grouped together and have certain access privileges with respect to different resources, see Chhabra para 0040].  

Regarding claim 5, the prior art of record suggests wherein the security sensitive system [reads on an access management system 900 that can be configured to implement aspect of the functionality, see Chhabra para 0098] is implemented as a secure appliance in form of a secure enclave [reads on the system being part of a larger system that provides the additional computing resources that include, without limitation, data storage resources, data processing resources, such as virtual machine (VM) instances, networking resources, data communication resources, network services, and other types of resources, see Chhabra para 0098.].  

Regarding claim 7, the prior art of record suggests wherein the API access action [access to the resource] is an enablement of a component of the security-sensitive computing system [reads on a request to create or deploy a new resource or existing resource, which are performed by the access management service, see Chhabra para 0079-0080. The Examiner construes creating or deploying a new resource or existing resource to be the same as an enablement of a component of the security-sensitive computing system.].

Regarding claim 9, the prior art of record suggests extending an access [reads on using those resource tag(s) to identify other resources that have the same, or similar, resource tags, wherein the additional resources may include data/information that is the same as, or is similar to, the data/information requested in the initial request, see Chhabra para 0053 ] controlled by the unique action key to an additional set of APIs [reads on the different resources in which the principal is authorized to access, see Chhabra para 0053] if a previous access action did not arrive at a working solution [reads on upon notifying the user that access is denied, see Chhabra para 0053].  

Claim 11 is analyzed with respect to claim 1. The prior art of record further suggests  an access control system [reads on an access management system 102, see Chhabra para 0023-0027 and Figures 1-2] for controlling an application programming interface (API) access action, the system comprising: 
a processor(s) set [reads on one or more processors 202, see Chhabra para 0036 and Figure 2]; 
a machine readable storage device [reads on computer-readable media 204, see Chhabra para 0036 and Figure 2]; and 
computer code [reads on computer-executable instructions stored on one or more computer-readable storage media, including routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types,  see Chhabra para 0044] stored on the machine readable storage device [reads on computer-readable media 204, see Chhabra para 0036 and Figure 2], with the computer code including instructions and data [reads on instructions that, when executed by the one or more processors 202, cause the processors to perform the operations described herein for the service 104, see Chhabra para 0036] for causing the processor(s) set to perform operations.

System claims 12, 15, 17 and 19 are drawn to the system corresponding to the method of using same as claimed in claims 2, 5, 7 and 9.  Therefore system claims 12, 15, 17 and 19 correspond to method claims 2, 5, 7 and 9, and are rejected for the same reasons of anticipation as used above.

Claim 20 is analyzed with respect to claim 1. The prior art of record further suggests a computer program product [reads on a computer program product including a non-transitory machine-readable storage medium having stored thereon instructions (in compressed or uncompressed form) that may be used to program a computer (or other electronic device) to perform processes or methods described herein, see Chhabra para 0037] for controlling an application programming interface (API) access action, the computer program product comprising: 
a machine readable storage device [reads on computer-readable media 204, see Chhabra para 0036 and Figure 2]; and 
computer code [reads on computer-executable instructions stored on one or more computer-readable storage media, including routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types,  see Chhabra para 0044] stored on the machine readable storage device [reads on computer-readable media 204, see Chhabra para 0036 and Figure 2], with the computer code including instructions and data [reads on instructions that, when executed by the one or more processors 202, cause the processors to perform the operations described herein for the service 104, see Chhabra para 0036 ] for causing a processor(s) set [reads on one or more processors 202, see Chhabra para 0036 and Figure 2] to perform operations.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 6, 13, 14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra in view of Carroll, JR et al. (US PG Publication No. 2021/0117561, hereinafter “Carroll”).

Regarding claim 3, Chhabra discloses the method of claim 1 as outlined above. Chhabra does not appear to explicitly disclose the API access action is a group of API access actions. 
However, Carroll suggests that the API access action is a group of API access actions [reads on permitted actions (or collections of actions) 336 identified by an identifier that is included in the access response, see Carroll para 0052. The examiner construes the permitted actions identified by an identifier to be the same as a group of API actions.].  
Chhabra and Carroll are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified an access management system of Chhabra to incorporate teachings of Carroll to realize the instant limitations. One of ordinary skill in the art would have recognized that applying the access control technology via an access decision provided in response to an access request of Carroll would have yielded predictable results, enforcing the access decision by a tenant-specific enforcement, and resulted in an improved system. It would have been recognized that applying the access decision provided in response to an access request of Carroll to the teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such dynamic access control teachings into similar systems that would allow more detailed control over the tenant specific enforcement system. The motivation to combine the references applies to all claims under this heading. [Carroll, Abstract, para 0005-0006]

Regarding claim 4, the prior art of record suggests wherein the group of API access actions refers to different APIs [reads on an access request 118 indicative of the user or application or other workload that is requesting access to a particular set of data or resources, see Carroll para 0019. The Examiner construes a particular set of resources to be the same as different APIs.]
 
Regarding claim 6, the prior art of record suggests monitoring and analyzing a system log file [reads on logging a variety of different information that indicates the type of administrative actions that have been taken in ABAC computing system 116 as well as the types of data access requests and processing operations that have been taken, see Carroll para 0037 and Figure 2 block 208.] for determining a requirement of an API access action [reads on determining when administrative actions are requested and taken and logging information indicative of those operations, see Carroll para 0037 and Figure 2 block 208].  

System claims 13, 14 and 16 are drawn to the system corresponding to the method of using same as claimed in claims 3, 4 and 6. Therefore, system claims 13, 14 and 16 correspond to method claims 3, 4 and 6, and are rejected for the same reasons of obviousness as used above.

Claims 8, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra in view of Kelley et al. (US PG Publication No. 2017/0099292, hereinafter “Kelley”).
Regarding claim 8, Chhabra discloses the method of claim 1 as outlined above. Chhabra does not appear to explicitly disclose monitoring a completion of the API access action before revoking the further API access action. 
However, Kelley suggests wherein the revoking the further API access action further includes: monitoring a completion of the API access action before revoking the further API access action [reads on sending a communication to administrative security personnel, when the access management server 102 determines that access to a first object by a first entity should be revoked or removed, see Kelley para 0038. The Examiner asserts one of ordinary skill in the art would know that sending communication before revoking or removing the API access action, by the access management server 102 which monitors the API calls in the request log (see Kelley para 0031), includes monitoring a completion of the API access action].  
Chhabra and Kelley are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified an access management technology of Chhabra to incorporate teachings of Kelley to realize the instant limitations. One of ordinary skill in the art would have recognized that applying the access management technology via removal of access and modification of an access policy based on information from a request log of Kelley would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the removal of access and modification of an access policy based on information from a request log of Kelley to the teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such access control teachings into similar systems that would allow more detailed control to provide access permission within a distributed computing environment. The motivation to combine the references applies to all claims under this heading. 

Regarding claim 10, the prior art of record further suggests sending a notification to the selected operator account [reads on communication and interaction between users of the access management server 102, and users receiving a notification or alert of a modification made to an access policy or a modification scheduled to be made to an access policy, see Kelley para 0048.], wherein the notification comprises a detail about the API access action [reads on the modification made to an access policy and handling of requests to grant access to one or more objects, such as APIs, and other requests, see Kelley para 0048.].  

System claim 18 is drawn to the system corresponding to the method of using same as claimed in claim 8. Therefore system claim 18 corresponds to method claim 8, and is rejected for the same reasons of obviousness as used above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571)272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/J.Y./Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496