DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
The claim objections except for the one(s) being repeated below have been withdrawn in view of the claim amendment. 

Response to Arguments
Applicant's arguments filed 07/25/22 have been fully considered but are moot in view of the new ground of rejection presented below in view of newly found prior art.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim 1 recites “the command” in the 4th to last line. However, it is unclear which command this refers to. For examination purposes, “the command” has been interpreted as any command. Claims 2-10 depend from claim 1 and thus also have this issue.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 5, 8-13, 16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Karame (US 20200059495) in view of Balle (US 20180150299).

Claim 1, Karame discloses A method, comprising: 
implementing, by a computer system, an authorization service that has a store of a set of security rules defining permissible circumstances where actions can be performed by a plurality of controller modules arranged in a hierarchy when implementing an operational scenario involving a set of one or more operational entities included in a target computing environment, wherein the authorization service is separate from the hierarchy of controller modules; (e.g. fig. 1, ¶16-21, 36, 38-39, 44-45, 55: a method for managing data traffic within a network, the network including a plurality of controllers, each of the controllers controlling a part of the network, the network parts including at least one forwarding element, ‘FE’, for forwarding data within the network, and wherein each of the controllers is connected to at least one reference monitor, ‘RM’ for enforcing a security policy for the network part managed by the controller…The term “reference monitor” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of computing device or computing entity being adapted to enforce, monitor, control, implement, amend, change, supervision, manage one or more policies, in particular security policies. The computing entity or computing device may be…connected to a controller…The term “policy” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of data, information, etc. defining certain situations, scenarios, or the like which have to be fulfilled or which must not have to be fulfilled, applied, etc...With regard to contacting other controllers, contacting other controllers follows a tree-like communication path starting from a controller initiating the contact—the “root”—by contacting all the “children” of the root wherein the children in turn—now seen as parent—contact their children, and so on.)
executing, by the computer system, the operational scenario, through an orchestrator controller module at a top level of the hierarchy that issues a set of one or more commands targeted to one or more controller modules at one or more lower levels of the hierarchy that are executable to manage the set of one or more operational entities to implement the operational scenario and change a state of at least one operational entity; and (e.g. ¶17-21, 32, 41-42, 75, 80: a) Receiving a rule request by a controller and transmitting it to its RM, b) Checking the rule request by the RM for policy compliance, c) Authorizing the part of the rule request which is policy compliant by the RM, and Wherein when the rule request includes an outside modification, an outside modification impacting at least one other network part not managed by the controller, d) The controller contacts at least the one or more controllers being impacted by the outside modification for obtaining an authorization for the outside modification, e) Upon reception of the one or more authorizations for the outside modification, sending all modifications of the rule request and corresponding authorizations by the controller to all other controllers being impacted by the rule request for implementing the modification in their one or more forwarding elements…When the controller Ci, or a network application running on top of the controller Ci, requests a modification of the network configuration, for example, the application requests the installation of a network flow for connecting two hosts in the network.)
executing, by the computer system, a given targeted controller module in the hierarchy to, after receiving one of the set of one or more commands, communicate with the authorization service to verify that an action defined by the command is permitted to be performed by the given targeted controller module under the set of security rules. (e.g. figs. 1-3, ¶16, 18, 20, 77, 84-85, 90, 112, 114: each of the controllers is connected to at least one reference monitor, ‘RM’ for enforcing a security policy for the network part managed by the controller…b) Checking the rule request by the RM for policy compliance…d) The controller contacts at least the one or more controllers being impacted by the outside modification for obtaining an authorization for the outside modification… In addition to checking whether modifications or parts of it are policy compliant, the reference monitors can authorize modifications…2. The reference monitor Ri checks whether the modification is policy compliant and authorizes it or parts of it…For those parts, the controller Ci needs to obtain the permission and the authorization replies from other controllers/reference monitors…a method for checking policy compliance of accessing/reconfiguring data plane components of an SDN network…2) Reference monitors are contacted by controllers to check policy compliance of modification requests and authorizing such requests, or parts of them)
Although Karame discloses wherein the authorization service is separate from the hierarchy of controller modules and is accessible to a single controller (see above), Karame does not appear to explicitly disclose but Balle discloses wherein the authorization service is accessible to the hierarchy of controller modules (e.g. ¶46, 74, 78-80: a micro-orchestrator logic unit 1220 of each accelerator sled 1204 is configured to receive a job requested to be accelerated from the compute sled 1206…if the accelerator sled 1202 determines that the orchestrator server authorization is required, the method 1500 advances to block 1538 shown in FIG. 17, in which the accelerator sled 1202 transmits the job analysis performed by the accelerator sled 1202 to the orchestrator server 1204…the accelerator sled 1202 determines whether an authorization from the orchestrator server 1204 has been received…the accelerator sled 1202 determines that the authorization has been received.  Note that the compute sled 1206 (the root) initiates the contact by contacting accelerator sleds 1204 (its children) to accelerate jobs and follows a tree-like communication path).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Balle into the invention of Karame for the purpose of enabling the controllers to directly contact the reference monitor in another network part to obtain authorization for outside modifications thereby increasing the convenience and flexibility of the system.

Claim 2, Karame-Balle discloses The method of claim 1, wherein the executing of the given targeted controller module to communicate with the authorization service includes the given targeted controller module: sending, to the authorization service an authorization request for the action defined by the command; in response to the authorization service determining that the action complies with the set of security rules, receiving a response authorizing performance of the action; and based on the authorizing response, performing the action  defined by the command. (Balle, e.g. ¶78-80, 82). Same motivation as in claim 1 would apply.

Claim 5, Karame-Balle discloses The method of claim 2, wherein the authorizing response includes a token indicating that a particular controller module in the hierarchy is authorized to perform a particular action; (Karame, e.g. figs. 1-2, ¶19-21, 40, 77-78, 85, 89, 114) and wherein the performing of the action includes: issuing, to the particular controller module, a command including the token, wherein the token is verifiable by the particular controller module to confirm that performance of the particular action has been authorized. (Karame, e.g. figs. 1-2, ¶32, 40, 75, 78-79, 88, 91-92)

Claim 8, Karame-Balle discloses The method of claim 1, further comprising: receiving, by the given targeted controller module, a request to issue a particular command to a particular component; (Karame, e.g. ¶17, 19, 32, 41-42, 75)  and communicating, by the given targeted controller module, with the authorization service to verify that the particular command complies with the set of security rules prior to the given targeted controller module issuing the particular command to the particular component. (Balle, e.g. ¶78-80, 82). Same motivation as in claim 1 would apply.

Claim 9, Karame-Balle discloses The method of claim 8, wherein the particular component is an operational entity operable to perform the particular command. (Karame, e.g. figs. 1-2, ¶32, 75, 88, 91-92)

Claim 10, Karame-Balle discloses The method of claim 8, wherein the particular component is a controller module operable to cause one or more operational entities to perform the particular command. (Karame, e.g. figs. 1-2, ¶32, 75, 88, 91-92)  

Claim 11, Karame discloses A non-transitory computer readable medium having program instructions stored thereon that are executable to cause a computing system to implement an authorization service that performs operations comprising: 
maintaining a set of security rules defining permissible circumstances where actions can be performed by a plurality of controller modules arranged in a hierarchy when implementing an operational scenario involving a set of one or more operational entities included in a target computing environment, wherein the authorization service is separate from the hierarchy of controller modules; (e.g. fig. 1, ¶16-21, 36, 38-39, 44-45, 55: a method for managing data traffic within a network, the network including a plurality of controllers, each of the controllers controlling a part of the network, the network parts including at least one forwarding element, ‘FE’, for forwarding data within the network, and wherein each of the controllers is connected to at least one reference monitor, ‘RM’ for enforcing a security policy for the network part managed by the controller…The term “reference monitor” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of computing device or computing entity being adapted to enforce, monitor, control, implement, amend, change, supervision, manage one or more policies, in particular security policies…The term “policy” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of data, information, etc. defining certain situations, scenarios, or the like which have to be fulfilled or which must not have to be fulfilled, applied, etc...With regard to contacting other controllers, contacting other controllers follows a tree-like communication path starting from a controller initiating the contact—the “root”—by contacting all the “children” of the root wherein the children in turn—now seen as parent—contact their children, and so on.)
receiving, from controller modules of the plurality of controller modules, indications of commands issued to the controller modules to implement the operational scenario; and determining whether actions defined by the commands comply with the set of security rules. (e.g. figs. 1-3, ¶16, 18, 20, 77, 84-85, 90, 112, 114: each of the controllers is connected to at least one reference monitor, ‘RM’ for enforcing a security policy for the network part managed by the controller…b) Checking the rule request by the RM for policy compliance… d) The controller contacts at least the one or more controllers being impacted by the outside modification for obtaining an authorization for the outside modification… In addition to checking whether modifications or parts of it are policy compliant, the reference monitors can authorize modifications… 2. The reference monitor Ri checks whether the modification is policy compliant and authorizes it or parts of it…For those parts, the controller Ci needs to obtain the permission and the authorization replies from other controllers/reference monitors…a method for checking policy compliance of accessing/reconfiguring data plane components of an SDN network…2) Reference monitors are contacted by controllers to check policy compliance of modification requests and authorizing such requests, or parts of them.  Note that reference monitor can directly receive indications of commands from its associated controller and can indirectly receive indications of commands from other controllers through its associated controller)
Although Karame discloses wherein the authorization service is separate from the hierarchy of controller modules and is accessible to a single controller (see above), Karame does not appear to explicitly disclose but Balle discloses wherein the authorization service is accessible to the hierarchy of controller modules (e.g. ¶46, 74, 78-80: a micro-orchestrator logic unit 1220 of each accelerator sled 1204 is configured to receive a job requested to be accelerated from the compute sled 1206…if the accelerator sled 1202 determines that the orchestrator server authorization is required, the method 1500 advances to block 1538 shown in FIG. 17, in which the accelerator sled 1202 transmits the job analysis performed by the accelerator sled 1202 to the orchestrator server 1204…the accelerator sled 1202 determines whether an authorization from the orchestrator server 1204 has been received…the accelerator sled 1202 determines that the authorization has been received.  Note that the compute sled 1206 (the root) initiates the contact by contacting accelerator sleds 1204 (its children) to accelerate jobs and follows a tree-like communication path).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Balle into the invention of Karame for the purpose of enabling the controllers to directly contact the reference monitor in another network part to obtain authorization for outside modifications thereby increasing the convenience and flexibility of the system.

Claim 12, Karame-Balle discloses The computer readable medium of claim 11, wherein the receiving the indications includes: receiving, from a first controller module, an authorization request to authorize performance of an action specified in an issued command; (Karame, e.g. figs. 1-2, ¶16, 18, 20, 77, 84, 112, 114 or Balle, e.g. ¶78) and wherein the operations further comprise: in response to determining that the action complies with the set of security rules, sending, to the first controller module, a response authorizing performance of the action.  (Karame, e.g. figs. 1-2, ¶19, 20-21, 40, 77, 85, 89, 114 or Balle, e.g. ¶78-80).  Same motivation as in claim 11 would apply.

Claim 13, Karame-Balle discloses The computer readable medium of claim 12, wherein the response includes a token that is conveyable by the first controller module to a second controller module to authorize the second controller module to perform one or more additional actions to implement the operational scenario. (Karame, e.g. figs. 1-2, ¶19, 20-21, 40, 77-79, 85, 89, 114)

Claim 16, Karame discloses A non-transitory computer readable medium having program instructions stored thereon that are executable to cause a computing system to perform operations comprising: 
receiving a first command of a set commands issued to a hierarchy of controller modules for implementing an operational scenario within a target computing environment; sending a request to authorize performance of an action defined by the first command to an authorization service, (e.g. ¶17-21, 32, 38, 41-42, 75, 80, 85: a) Receiving a rule request by a controller and transmitting it to its RM, b) Checking the rule request by the RM for policy compliance, c) Authorizing the part of the rule request which is policy compliant by the RM, and Wherein when the rule request includes an outside modification, an outside modification impacting at least one other network part not managed by the controller, d) The controller contacts at least the one or more controllers being impacted by the outside modification for obtaining an authorization for the outside modification, e) Upon reception of the one or more authorizations for the outside modification, sending all modifications of the rule request and corresponding authorizations by the controller to all other controllers being impacted by the rule request for implementing the modification in their one or more forwarding elements…When the controller Ci, or a network application running on top of the controller Ci, requests a modification of the network configuration, for example, the application requests the installation of a network flow for connecting two hosts in the network…2. The reference monitor Ri checks whether the modification is policy compliant and authorizes it or parts of it. The reference monitor Ri sends its policy decision back to the controller Ci…For those parts, the controller Ci needs to obtain the permission and the authorization replies from other controllers/reference monitors)
wherein the authorization service is operable to store a set of security rules defining permissible circumstances where actions can be performed by the hierarchy of controller modules when implementing the operational scenario, and wherein the authorization service is separate from the hierarchy of controller modules; and (e.g. fig. 1, ¶16-21, 36, 38-39, 44-45, 55: a method for managing data traffic within a network, the network including a plurality of controllers, each of the controllers controlling a part of the network, the network parts including at least one forwarding element, ‘FE’, for forwarding data within the network, and wherein each of the controllers is connected to at least one reference monitor, ‘RM’ for enforcing a security policy for the network part managed by the controller…The term “reference monitor” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of computing device or computing entity being adapted to enforce, monitor, control, implement, amend, change, supervision, manage one or more policies, in particular security policies…The term “policy” is to be understood in its broadest sense and refers in particular in the claims, preferably in the specification to any kind of data, information, etc. defining certain situations, scenarios, or the like which have to be fulfilled or which must not have to be fulfilled, applied, etc...With regard to contacting other controllers, contacting other controllers follows a tree-like communication path starting from a controller initiating the contact—the “root”—by contacting all the “children” of the root wherein the children in turn—now seen as parent—contact their children, and so on.)
receiving, from the authorization service, a response indicating whether the action complies with the set of security rules. (e.g. ¶17-21, 32, 38, 41-42, 75, 80, 85: b) Checking the rule request by the RM for policy compliance, c) Authorizing the part of the rule request which is policy compliant by the RM, and Wherein when the rule request includes an outside modification, an outside modification impacting at least one other network part not managed by the controller, d) The controller contacts at least the one or more controllers being impacted by the outside modification for obtaining an authorization for the outside modification, e) Upon reception of the one or more authorizations for the outside modification, sending all modifications of the rule request and corresponding authorizations by the controller to all other controllers being impacted by the rule request for implementing the modification in their one or more forwarding elements…When the controller Ci, or a network application running on top of the controller Ci, requests a modification of the network configuration, for example, the application requests the installation of a network flow for connecting two hosts in the network…2. The reference monitor Ri checks whether the modification is policy compliant and authorizes it or parts of it. The reference monitor Ri sends its policy decision back to the controller Ci…For those parts, the controller Ci needs to obtain the permission and the authorization replies from other controllers/reference monitors)
Although Karame discloses wherein the authorization service is separate from the hierarchy of controller modules and is accessible to a single controller (see above), Karame does not appear to explicitly disclose but Balle discloses wherein the authorization service is accessible to the hierarchy of controller modules (e.g. ¶46, 74, 78-80: a micro-orchestrator logic unit 1220 of each accelerator sled 1204 is configured to receive a job requested to be accelerated from the compute sled 1206…if the accelerator sled 1202 determines that the orchestrator server authorization is required, the method 1500 advances to block 1538 shown in FIG. 17, in which the accelerator sled 1202 transmits the job analysis performed by the accelerator sled 1202 to the orchestrator server 1204…the accelerator sled 1202 determines whether an authorization from the orchestrator server 1204 has been received…the accelerator sled 1202 determines that the authorization has been received.  Note that the compute sled 1206 (the root) initiates the contact by contacting accelerator sleds 1204 (its children) to accelerate jobs and follows a tree-like communication path).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Balle into the invention of Karame for the purpose of enabling the controllers to directly contact the reference monitor in another network part to obtain authorization for outside modifications thereby increasing the convenience and flexibility of the system.

Claim 18, Karame-Balle discloses The computer readable medium of claim 16, wherein the operations further comprise: in response to sending the request, receiving a token from the authorization service, wherein the token is usable by a controller module within the hierarchy to confirm that an issued command complies with the set of security rules; (Karame, e.g. figs. 1-2, ¶19, 20-21, 40, 77-79, 85, 89, 114) and sending the token to the controller module to cause performance of the issued command. (Karame, e.g. figs. 1-2, ¶32, 40, 75, 78-79, 88, 91-92)

Claim 19, Karame-Balle discloses The computer readable medium of claim 16, wherein the operations further comprise: based on the received response, performing the action. (Karame, e.g. figs. 1-2, ¶32, 75, 88, 91-92)  

Claim 20, Karame-Balle discloses The computer readable medium of claim 16, wherein the program instructions include program instructions executable to implement the authorization service. (Karame, e.g. figs. 1-2, ¶13)

Claims 3, 7, 14, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Karame (US 20200059495) in view of Balle (US 20180150299) and further in view of Durham (US 6601082).

Claim 3, Karame-Balle discloses The method of claim 2, (see above) and does not appear to explicitly disclose but Durham discloses wherein the authorization service is operable to authenticate a source of the authorization request prior to sending the authorizing response. (e.g. col. 3, ll. 36-48, col. 4, ll. 64-col. 5, ll. 3, col. 7, ll. 1-14, 44-50, col. 8, ll. 12-15, 46-50, 60-col. 9, ll. 9)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Durham into the invention of Karame-Balle for the purpose of allowing a system and network administrator to exercise control over the providing of actions based on a particular source's attributes, time-of day, group memberships, and source/destination networks/hosts, applications, etc. (Durham, col. 8, ll. 46-50).

Claim 7, Karame-Balle discloses The method of claim 1, wherein the set of security rules includes a rule identifying one or more authorized actions associated with the authorized requester, and wherein the authorization service is operable to: receive an indication of the command; and verify whether the action to be performed for the command is one of the one or more authorized actions. (Karame, e.g. figs. 1-2, ¶16-20, 32, 41-42, 75, 77, 84, 112, 114)
Although Karame-Balle discloses wherein the set of security rules includes a rule identifying one or more authorized actions associated with the authorized requester and verifying whether an action to be performed by the command is one of the authorized actions (see above), Karame does not appear to explicitly disclose but Durham discloses wherein the set of rules includes a rule identifying an authorized requester and verifying whether a requester of the command corresponds to the authorized requester (e.g. col. 3, ll. 36-48, col. 4, ll. 64-col. 5, ll. 3, col. 7, ll. 1-14, 44-50, col. 8, ll. 12-15, 46-50, 60-col. 9, ll. 9)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Durham into the invention of Karame-Balle for the purpose of allowing a system and network administrator to exercise control over the providing of actions based on a particular source's attributes, time-of day, group memberships, and source/destination networks/hosts, applications, etc. (Durham, col. 8, ll. 46-50).

Claim 14, Karame-Balle discloses The computer readable medium of claim 12, (see above) and does not appear to explicitly disclose but Durham discloses wherein the determining that the action complies with the set of security rules includes: authenticating an issuer of the issued command prior to sending the authorizing response to the first controller module. (e.g. col. 3, ll. 36-48, col. 4, ll. 64-col. 5, ll. 3, col. 7, ll. 1-14, 44-50, col. 8, ll. 12-15, 46-50, 60-col. 9, ll. 9)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Durham into the invention of Karame-Balle for the purpose of allowing a system and network administrator to exercise control over the providing of actions based on a particular source's attributes, time-of day, group memberships, and source/destination networks/hosts, applications, etc. (Durham, col. 8, ll. 46-50).

Claim 17, Karame-Balle discloses The computer readable medium of claim 16, (see above) and does not appear to explicitly disclose but Durham discloses wherein the operations further comprise: authenticating an issuer of the first command; and indicating an identity of the issuer to the authorization service to facilitate determining whether the first command complies with the set of security rules. (e.g. col. 3, ll. 36-48, col. 4, ll. 64-col. 5, ll. 3, col. 7, ll. 1-14, 44-50, col. 8, ll. 12-15, 46-50, 60-col. 9, ll. 9)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Durham into the invention of Karame-Balle for the purpose of allowing a system and network administrator to exercise control over the providing of actions based on a particular source's attributes, time-of day, group memberships, and source/destination networks/hosts, applications, etc. (Durham, col. 8, ll. 46-50).

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Karame (US 20200059495) in view of Balle (US 20180150299) and further in view of Henderson (US 8014756).

Claim 4, Karame-Balle discloses The method of claim 2, (see above) and does not appear to explicitly disclose but Henderson discloses wherein the authorization service is operable to store, in a log, a report identifying reception of the authorization request. (e.g. col. 4, ll. 6-15, col. 5, ll. 22-46).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Henderson into the invention of Karame-Balle for the purpose of providing data about the authorization requests for auditing purposes.

Claim 15, Karame-Balle discloses The computer readable medium of claim 12, (see above) and does not appear to explicitly disclose but Henderson discloses wherein the operations further comprise: maintaining a database of audit reports identifying received authorization requests; and in response to receiving the authorization request, adding a corresponding audit report to the database, wherein the corresponding audit report identifies the issued command and an issuer of the issued command.  (e.g. col. 4, ll. 6-15, col. 5, ll. 22-46).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Henderson into the invention of Karame-Balle for the purpose of providing data about the authorization requests for auditing purposes.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Karame (US 20200059495) in view of Balle (US 20180150299) and further in view of Allen (US 20110040836).

Claim 6, Karame-Balle discloses The method of claim 5, wherein the token identifies the particular action and a signature of the authorization service. (Karame, e.g. ¶40, 62, 78)
Although Karame discloses wherein the token identifies the particular action and a signature of the authorization service (see above), Karame-Balle does not appear to explicitly disclose but Allen discloses wherein the token identifies the given targeted controller module (e.g. ¶126)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Allen into the invention of Karame-Balle for the purpose of identifying that the device has been authorized as a controller (Allen, ¶126).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Crucs (US 20060259513) discloses a method to submit image requests to a DICOM server. The method comprises receiving an image request at a data manager from a requesting computer-based platform. As a further step in the method, the data manager administers a first security policy to determine if the requesting computer-based platform is authorized to access images from or submit images to the DICOM server. If the data manager determines that the requesting computer-based platform is authorized, then as another step in the method, the data manager sends the image request to the DICOM server. As still a further step in the method, the DICOM server administers a second security policy to determine if the data manager is authorized to access images from or submit images to the DICOM server. In accordance with various embodiments of the present invention, the data manager may receive many image requests from a plurality of requesting computer-based platforms.

Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436