DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/4/2022 has been entered.

Response to Arguments
With respect to applicant’s argument that Belinkiy, Lai and Bender do not in combination teach “a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy and (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients”, Examiner respectfully disagrees.  
Lai teaches in paragraphs [0422], [0969], [1233] and [1341] that each user ID is verified against access control policies to identify which user is authorized to access data.  The access control policies (delegation policy) define which user ID/role is authorized to access certain data, and each user is verified (validation policy) before being given access to the data.  Therefore, Lai teaches a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy.
Bender teaches in paragraph [0022] that each user with a SQLID (individual user) is authorized to access (authorization rule) specific rows or columns (subset) of a table of a database.  So, Bender teaches (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients.  
Therefore, Lai and Bender in combination teach the above-cited limitation.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 22, 23, 26, 29, 30, 31, 32, 33, 37, 39 and 41 are rejected on the grounds of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 9,569,634 (hereinafter ‘634) in view of Belinkiy (US 2012/0159577), in view of Lai (US 2005/0044197) and in view of Bender (US 2008/0052291).
Although the conflicting claims are not identical, they are not patentably distinct from each other because both the instant application and U.S. Patent No. 9,569,634 disclose similar limitations.
As an illustrative example, claim 22 of the examined application is mapped to claim 1 of ‘634 in the following table:

Instant application (claim 22) mapped against US Patent No. 9,569,634 (claim 1), row by row:

Row 1
Instant application: Claim 22: A system, comprising:
‘634 patent: Claim 1: A system, comprising:

Row 2
Instant application: one or more hardware processors; and memory storing program instructions that when executed implement a delegation service to:
‘634 patent: a plurality of compute nodes implementing a database service maintaining data for an application provider, wherein the database service implements a fine-grained access management module to authorize fine-grained access requests from one or more application clients of the application provider directed toward portions of the data; the fine-grained access management module, configured to:

Row 3
Instant application: receive a first request from a client for a delegated access credential to access a database, wherein the first request includes an identity credential that identifies a user of the database, and in response: verify the identity credential with an identity provider that issued the identity credential; issue the delegated access credential for the user, wherein the delegated access credential is associated with a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy and (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients;
‘634 patent: receive a fine-grained access request for a specified portion of the data maintained at the database service and a delegated access credential for the fine-grained access request from one of the one or more application clients;

Row 4
Instant application: and send the delegated access credential to the client; and
‘634 patent: request, from a delegation service, verification of the delegated access credential; receive the verification of the delegated access credential;

Row 5
Instant application: receive a second request from the database, wherein the second request includes the delegated access credential issued by the delegation service, and in response: send the delegation policy to the database,
‘634 patent: receive, from the delegation service, a delegation policy corresponding to the delegated access credential;

Row 6
Instant application: wherein the database is configured to use the delegation policy to determine whether
‘634 patent: evaluate the fine-grained access request according to the delegation policy in order to determine request authorization for the fine-grained access request from the one application client;

Row 7
Instant application: an access request to the table submitted with the delegated access credential is authorized.
‘634 patent: and in response to determining that the fine-grained access request is authorized, provide access to the specified portion of the data in order to service the fine-grained access request.


As seen in the table above, claim 1 of ‘634 teaches all the limitations of claim 22 of the instant application except for “one or more hardware processors; and memory storing program instructions that when executed implement a delegation service, wherein the first request includes an identity credential that identifies a user of the database, and in response: receive a first request from a client for a delegated access credential to access a database, wherein the first request includes an identity credential that identifies a user of the database, and in response: verify the identity credential with an identity provider that issued the identity credential; issue the delegated access credential for the user, wherein the delegated access credential is associated with a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy and (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients; and send the delegated access credential to the client”.
Belinkiy (US 2012/0159577) teaches one or more hardware processors; and memory storing program instructions that when executed implement a delegation service (fig. 1) that issues the delegated access credential for the client ([0035]; examiner’s note: the access credential is given to a user).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy into the invention of ‘634 because said incorporation allows for the benefit of a memory and processor to store and process data and also to issue access credentials to users to access data.
Lai teaches wherein the first request includes an identity credential that identifies a user of the database ([0611, 0612]; examiner’s note: the identity credential identifies a user of the database), and in response: verify the identity credential with an identity provider that issued the identity credential ([1294]; examiner’s note: the user's access rights are requested with the authorization assertion request (a second request));
a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy ([0422, The Policy Server stores access rights and policies that govern the access level of each service component or system by users and by roles], [0969, Upon successful validation, the client requester may be granted access to the authorized business services stored in the user profile], [1233], [1341]; examiner’s note: each user's ID is verified (validation policy verifies the user) with access control policies (delegation policy) to identify which user is authorized to access data);
receive a second request from the database; send the delegated access credential to the client ([1294]; examiner’s note: the user's access rights are sent to the policy decision point (database) in response to an access request).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Lai into the invention of ‘634/Belinkiy because said incorporation allows for the benefit of providing users with the opportunity to have a credential which identifies a database user and also to send the delegation policy to the database if it is requested to have an efficient system.
Bender teaches (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients ([0022, if the user has a SQLID of "MY SQLID2," then that user may access any row of data for either the "EASTERN" or "WESTERN" division of the enterprise]; examiner’s note: each user ID (individual user) has an access control policy, SQLID1 can access rows and SQLID2 can access some parts of rows and columns, and the partial access to rows and columns is the subset of the table).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Bender into the invention of ‘634/Belinkiy/Lai because said incorporation allows for the benefit of providing users with a system which will only authorize a subset of data from the table to only specific users so that the data is protected from unauthorized access.

Independent claim 31 corresponds to independent claim 5 of the ‘634 patent, with differences similar to the differences in claim 22 above; these differences are obvious for the rationale above.

Independent claim 37 corresponds to claim 14 of the ‘634 patent, with differences similar to the differences in claim 22 above; these differences are obvious for the rationale above.

Dependent claims 23, 32 and 39 add the features of verifying the credential prior to sending it to the user and creating a delegation policy with a specified time. Belinkiy teaches verifying the credential before sending it and creating a delegation policy with a specified time in paragraphs [0030] and [0035]. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy into the invention of ‘634/Lai/Bender because said incorporation allows for the benefit of providing users with a credential that is verified before it is sent to the user.

Dependent claim 26 adds the features of causing the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified columns, fields, or attributes in the table. Bender teaches wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified columns, fields, or attributes in the table ([0022], [0023, Similar conditions are placed on a user having a SQLID of "MY SQLID2," in which the user is prohibited from access data in any row that has "Western" and/or "Denver" in the respective "Division" and "Location" columns]; examiner’s note: the user is associated with a column restriction). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Bender into the invention of ‘634/Belinkiy because said incorporation allows for the benefit of providing users with restricted access to secure data.

Claim 29 adds the features of the delegation service creating the delegation policy to specify an authorization rule that authorizes a read operation or a write operation to a portion of the table.  Belinkiy teaches the delegation service creating the delegation policy to specify an authorization rule that authorizes a read operation or a write operation ([0018], [0024]; examiner’s note: the access rules specify a read or write operation), to a portion of the table (Bender teaches a portion of the table in para. [0022], i.e. rows or columns).  Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy and Bender into the invention of ‘634/Belinkiy/Lai/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Dependent claim 30 adds the features of causing the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified rows in the table. Bender teaches wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified rows in the table ([0022], [0023, Similar conditions are placed on a user having a SQLID of "MY SQLID2," in which the user is prohibited from access data in any row that has "Western" and/or "Denver" in the respective "Division" and "Location" columns]; examiner’s note: the user is associated with a column restriction). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Bender into the invention of ‘634/Belinkiy/Lai/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Dependent claims 33 and 41 add the feature of the delegation policy expiring based at least in part on the passage of a specified period of time.  Belinkiy teaches the delegation policy expiring based at least in part on the passage of a specified period of time ([0024, delegated to an anonymous principal based on a condition of the delegation expiring after a fixed time period]; examiner’s note: the delegation policy has a valid time).  Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy into the invention of ‘634/Belinkiy/Lai/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Claims 24, 25, 34, 35, 38 are rejected on the grounds of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 9,569,634 (hereinafter ‘634) and in view of Belinkiy (2012/0159577) and in view of Lai (US 2005/0044197) and in view of Bender (2008/0052291) and in view of Barenholz (US 9,043,870).

Dependent claims 24, 34 and 38 add the feature that the identity provider is a social media service, email service, or e-commerce service.  Barenholz teaches wherein the identity provider is a social media service, email service, or e-commerce service ([col. 4, lines 55-60, identity provider ("IDP"), email service, social networking service or other service providing a user account) is a service that specializes in registering user accounts]; examiner’s note: the identity provider is an email service).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the email service of Barenholz into the system of ‘634/Belinkiy/Lai/Bender to have a secured system. The motivation would be to have a system which has an email service as an identity provider in order to have a secure system.

Dependent claim 25 depends from claim 24 and adds the feature of denying a request for another access credential based at least in part on a determination that another identity credential included in the third request is not verified.  Lai (US 2005/0044197) teaches denying a request for another access credential based at least in part on a determination that another identity credential included in the third request is not verified ([1200]; examiner’s note: each user is determined to be authorized or unauthorized to access the data). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Lai into the invention of ‘634/Belinkiy/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Dependent claim 35 depends from claim 34 and adds the features of receiving a third request for another delegated access credential, determining from an identity provider that the other identity credential is not validated, and denying the third request for the other delegated access credential. Belinkiy teaches receiving a third request for a delegated access credential where the request includes an identity credential ([0025-0027]; examiner’s note: each request includes a credential of the user), and Lai teaches determining whether the identity credential is validated and, when it is not validated, denying access, in paragraph [1200]: when the user ID is not validated, access to the data is denied for that particular data.  Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy and Lai into the invention of ‘634/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Claims 27, 36 are rejected on the grounds of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 9,569,634 (hereinafter ‘634) and in view of Belinkiy (2012/0159577) and in view of Lai (US 2005/0044197) and in view of Bender (2008/0052291) and in view of Shukla (2010/0257578).

Dependent claims 27, 36 add the features of a public certificate and cause the delegation service to select the delegation policy for the delegated access credential based at least in part on the public certificate. Shukla teaches a public certificate and cause the delegation service to select the delegation policy for the delegated access credential based at least in part on the public certificate in [0017]. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Shukla into the invention of ‘634/Belinkiy/Lai/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Claims 28, 40 are rejected on the grounds of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 9,569,634 (hereinafter ‘634) and in view of Belinkiy (2012/0159577) and in view of Lai (US 2005/0044197) and in view of Bender (2008/0052291) and in view of Doran (2014/0006095).

Claims 28 and 40 add the features of creating a delegation policy in response to a request and storing the delegation policy in a data store. Belinkiy teaches storing the delegation policy in a data store ([0014, 0057]).  Doran (2014/0006095) teaches creating a delegation policy in response to a request in [0031]. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teachings of Belinkiy and Doran into the invention of ‘634/Belinkiy/Lai/Bender because said incorporation allows for the benefit of providing users with restricted access to secure data.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 22, 23, 26, 29-33, 37, 39 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Belinkiy et al. (US 2012/0159577) in view of Lai (US 2005/0044197) and in view of Bender (US 2008/0052291).

With respect to claim 22, Belinkiy teaches a system, comprising:
one or more hardware processors ([0056]; examiner's note: the computer includes memory and processor); and
memory storing program instructions that when executed implement a delegation service to ([0056]; examiner’s note: the computer includes memory and processor):
receive a first request from a client for a delegated access credential to access a database ([0033, principal 180 establishes a credential by sending to an anonymous credential issuer 184 (i.e., an anonymous credential authority) a request 186 for a token or credential attesting to an attribute]; [0034, The request may also specify a particular type of security token or security protocol that is desired by the principal 180 for compatibility with the web service 182. In response, the STS 194 performs a step 196 of generating an anonymous token in the form of an ephemeral security token 198, which is returned to the anonymous principal 180]; fig. 4; examiner's note: the principal is requesting for a credential to access to a web service as described in paragraph [0035]; the web service is the database because it has the information that the principal is requesting to access and the principal is the client and the request for a credential is the first request),
and in response: issue the delegated access credential for the user ([0033, The anonymous credential issuer 184 (e.g., a governmental motor vehicle administration) confirms the age of principal 180 and uses a private key to sign, at step 187, an initial anonymous credential 188]; examiner’s note: the credential is delegated to the principal to access the web service in response to the access request), wherein the delegated access credential ([0033]; examiner’s note: the delegated credential identifies that the user is over age 21, and the user can access the database, which is identifying a user of the database; the principal who is trying to access the database is a user of the database and the principal needs to sign in with a delegated token; Belinkiy also teaches in para. [0024] delegating access to a specific user to access the database and in para. [0030] that each credential, which is specific to a user, can access the resource) is associated with a delegation policy ([0035, The web service 182 may use security infrastructure (similar to security system 102 in FIG. 1) when it receives the request 200. The security infrastructure obtains any necessary security policy 202.  The policy 202 may describe which principals can access the web service 182 under which conditions (e.g., age over twenty one).], fig. 4; examiner's note: the policy 202 is associated with the principal’s (client) credential) and
send the delegated access credential to the client (fig. 4; [0033, 0035]; examiner’s note: the principal receives the credential to access the web service);
and receive a second request, wherein the second request includes the delegated access credential issued by the delegation service (fig. 4; [0035, The web service 182 may use security infrastructure (similar to security system 102 in FIG. 1) when it receives the request 200. The security infrastructure obtains any necessary security policy 202…The security infrastructure determines at step 204 that the ephemeral security token 198 is properly signed and attests to the necessary conditions that policy 202 specifies as a prerequisite for access to the web service 182]; examiner’s note: the access-to-web-service request contains the token (first request) assigned by the delegation service, which is the credential issued by the delegation service to access the web service (database), and requesting access to the web service with the token is the second request), 
send the delegation policy, wherein the database is configured to use the delegation policy to determine whether an access request submitted with the delegated access credential is authorized (fig. 4; [0035]; examiner's note: the web service obtains the policy 202 in response to the user's access request to the web service; therefore, obtaining the policy requires sending policy 202 to the web service, and only the authorized users can access the database web service).
Belinkiy does not explicitly teach wherein the first request includes an identity credential that identifies a user of the database, verify the identity credential with an identity provider that issued the identity credential; a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy and (b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients; receive a second request from the database; and in response: send the delegation policy to the database; an access request to the table; delegation policy allowing access to only a sub-set of a table in the database.
Belinkiy teaches the web service obtaining the database policies ([0035]) and delegation policies ([0017]), but it does not explicitly teach wherein the first request includes an identity credential that identifies a user of the database; verifying the identity credential with an identity provider that issued the identity credential; that the delegation policy is sent to the database in response to a request from the database; or delegation policies specifying a validation policy which identifies a user authorized to access a subset of a table in the database for individual ones of the one or more users, accounts, or clients.
However, Lai teaches wherein the first request includes an identity credential that identifies a user of the database ([0611, 0612]; examiner’s note: identity credential identifies a user of the database);
verify the identity credential with an identity provider that issued the identity credential ([1237, The trading partner's user credentials may be issued and managed by an authorized Identity Provider]; [1294, 1295, 1296]; examiner’s note: the access credential is verified by the identity provider and the identity provider is the provider which assigns the users credential);
a delegation policy that specifies (a) a validation policy that identifies one or more users, accounts, or clients that are authorized to use the delegation policy ([0422, The Policy Server stores access rights and policies that govern the access level of each service component or system by users and by roles], [0969, Upon successful validation, the client requester may be granted access to the authorized business services stored in the user profile], [1233], [1341]; examiner’s note: each user's ID is verified (validation policy verifies the user) with access control policies (delegation policy) to identify which user is authorized to access data);
receive a second request from the database ([1294]; examiner’s note: the user's access rights are requested with the authorization assertion request (a second request)); 
and in response: send the delegation policy to the database ([1294]; examiner’s note: the user's access rights are sent to the policy decision point (database) in response to an access request).  One of ordinary skill in the art would recognize that the process of verifying the identity of a user with the identity provider and sending policies in response to a request from the database of Lai could be incorporated with the assigning of a delegated access credential of Belinkiy to further improve the system: to verify the identity, and to receive a request from the database first before sending the delegation policy, to ensure data security.
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date to incorporate sending a delegation policy to the database of Lai into the system to Belinkiy to have an efficient system. The motivation would be to have a system which will send and receive data when the data is requested to have data security and also to save time.
Belinkiy and Lai do not in combination teach an access request to the table; delegation policy allowing access to only a sub-set of a table in the database.
Belinkiy teaches a delegation policy and allowing access to a web service ([0035]) and Lai teaches verifying identity and sending the delegation policy to the database ([0041]), but they do not in combination teach an access request to the table and a delegation policy allowing access to only a subset of a table in the database for each individual user.
However, Bender teaches an access request to the table ([0022]; examiner's note: each user ID has an access control policy, SQLID1 can access rows and SQLID2 can access some parts of rows and columns, and the partial access to rows and columns is the subset of the table); 
(b) one or more authorization rules that allows access to only a subset of a table in the database for individual ones of the one or more users, accounts, or clients ([0022, if the user has a SQLID of "MY SQLID2," then that user may access any row of data for either the "EASTERN" or "WESTERN" division of the enterprise]; examiner’s note: each user ID (individual user) has an access control policy, SQLID1 can access rows and SQLID2 can access some parts of rows and columns, and the partial access to rows and columns is the subset of the table). One of ordinary skill in the art would recognize that the access control of Bender, limiting a user to only a subset of the data, could be incorporated with the assigning of a delegated access credential of Belinkiy/Lai to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Bender, limiting users to only a subset of the database, into the system of Belinkiy/Lai to have a secured system. The motivation would be to have a system which will only authorize a subset of data from the table to only specific users so that the data is protected from unauthorized access.

With respect to claim 23, Belinkiy, Lai and Bender in combination teach the system of claim 22, and Lai further teaches wherein the program instructions are further executable to cause the delegation service to: prior to sending the delegation policy to the database, verify the delegated access credential included in the second request ([1294, Upon the successful processing of the Authentication Assertion request, the Service Requester may be granted sign-on to the common security domain]; examiner’s note: the user ID is verified before the access control rights (delegation policy) are sent to the database).  One of ordinary skill in the art would recognize that verifying the access credential of Lai could be incorporated with assigning a delegated access credential of Belinkiy/Bender to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Lai, which restricts users to only a subset of a database, into the system of Belinkiy/Bender to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

With respect to claim 26, Belinkiy, Lai and Bender in combination teach the system of claim 22, and Bender further teaches wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule to restrict access to specified columns, fields, or attributes in the table ([0022], [0023, Similar conditions are placed on a user having a SQLID of "MY SQLID2," in which the user is prohibited from access data in any row that has "Western" and/or "Denver" in the respective "Division" and "Location" columns]; examiner’s note: the user is associated with a column restriction). One of ordinary skill in the art would recognize that denying an unauthorized request, as in Bender, could be incorporated with assigning a delegated access credential of Belinkiy/Lai to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Bender, which restricts users to only a subset of a database, into the system of Belinkiy/Lai to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

With respect to claim 29, Belinkiy, Lai and Bender in combination teach the system of claim 22, and Belinkiy further teaches wherein the program instructions are further executable to cause the delegation service to create the delegation policy to specify an authorization rule that authorizes a read operation or a write operation ([0018, "fine-grained" may refer to the intersection of a set of constraints on an access right, for example "Joe" may be allowed to say who can read file:///foo], [0024, allows read or write access to a resource if an anonymous principal is a subscriber]; examiner’s note: the access rules specify a read or write operation). The security infrastructure determines at step 204 that the ephemeral security token 198 is properly signed and attests to the necessary conditions that policy 202 specifies as a prerequisite for access to the web service 182]; examiner's note: the delegate is the user who can access the web service), to a portion of the table (Bender teaches a portion of the table in para. [0022], i.e., rows or columns).

With respect to claim 30, Belinkiy, Lai and Bender in combination teach the system of claim 22, and Bender further teaches the delegation service creating the delegation policy that specifies an authorization rule to restrict access to specified rows in the table ([0022]; [0023, Similar conditions are placed on a user having a SQLID of "MY SQLID2," in which the user is prohibited from access data in any row that has "Western" and/or "Denver" in the respective "Division" and "Location" columns]; examiner’s note: the access control has row-restricted access based on the user). One of ordinary skill in the art would recognize that restricting users' access to some of the data, as in Bender, could be incorporated with assigning a delegated access credential of Belinkiy/Lai to further improve the system to add more data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Bender, which restricts users to only a subset of a database, into the system of Belinkiy/Lai to have a secure system. The motivation would be to have a system which authorizes access to only some of the data from the table for specific users, to protect the data.
Claim 31 encompasses the same scope of limitation as claim 22 with the addition of a method (fig. 1). Therefore, claim 31 is rejected on the basis of the rejection of claim 22.

Claim 32 is rejected on the basis of rejection of claim 23.

With respect to claim 33, Belinkiy, Lai and Bender in combination teach the system of claim 31, and Belinkiy further teaches further comprising causing the delegation policy to expire based at least in part on the passage of a specified period of time ([0024, delegated to an anonymous principal based on a condition of the delegation expiring after a fixed time period]; examiner’s note: the delegation policy has a validity time).
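To make the claim elements discussed above for claims 22 through 33 concrete (a validation policy naming the authorized principals, per-principal rules restricting rows, columns and read/write operations, verification of the delegated access credential before the policy is sent to the database, and expiry after a fixed period), here is an added Python illustration. It is not code from the application or from any cited reference; the SQLIDs, column names, table rows, credential set and timestamps are constructed sample values modelled on the examiner's notes.

```python
"""Constructed illustration of a delegation policy with (a) a validation
policy and (b) per-principal row/column/operation authorization rules.
Example code for this page; not from Belinkiy, Lai, Bender or the application."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

Row = dict[str, str]


@dataclass
class AuthorizationRule:
    """One principal's rule: which operations, which columns, which rows."""
    operations: frozenset[str]          # e.g. {"read"} or {"read", "write"}
    columns: frozenset[str]             # columns the principal may see
    row_filter: Callable[[Row], bool]   # predicate selecting the row subset


@dataclass
class DelegationPolicy:
    validation: frozenset[str]          # (a) SQLIDs authorized to use this policy
    rules: dict[str, AuthorizationRule] # (b) authorization rule per SQLID
    expires_at: float                   # policy expires after a fixed period

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


def verify_credential(credential: str, known: set[str]) -> bool:
    """Stand-in for the identity-provider check that precedes sending the policy."""
    return credential in known


def apply_policy(policy: DelegationPolicy, sqlid: str, credential: str,
                 operation: str, table: list[Row], now: float,
                 known_credentials: set[str]) -> list[Row]:
    """Verify the credential, check validity, then return only the authorized
    rows and columns. Raises PermissionError on any failed check."""
    if not verify_credential(credential, known_credentials):
        raise PermissionError("delegated access credential not verified")
    if not policy.is_valid(now):
        raise PermissionError("delegation policy expired")
    if sqlid not in policy.validation:
        raise PermissionError("principal not authorized to use this policy")
    rule = policy.rules[sqlid]
    if operation not in rule.operations:
        raise PermissionError(f"{operation} not authorized for {sqlid}")
    return [{c: r[c] for c in rule.columns if c in r}
            for r in table if rule.row_filter(r)]


# Constructed sample table with the Division/Location columns from the notes.
TABLE: list[Row] = [
    {"Division": "EASTERN", "Location": "Boston", "Revenue": "10"},
    {"Division": "WESTERN", "Location": "Denver", "Revenue": "20"},
    {"Division": "WESTERN", "Location": "Seattle", "Revenue": "30"},
    {"Division": "CENTRAL", "Location": "Chicago", "Revenue": "40"},
]
POLICY = DelegationPolicy(
    validation=frozenset({"MY SQLID1", "MY SQLID2"}),
    rules={
        "MY SQLID1": AuthorizationRule(frozenset({"read", "write"}),
                                       frozenset({"Division", "Location", "Revenue"}),
                                       lambda r: True),
        # SQLID2: read-only, two columns, EASTERN/WESTERN rows but never Denver.
        "MY SQLID2": AuthorizationRule(frozenset({"read"}),
                                       frozenset({"Division", "Location"}),
                                       lambda r: r["Division"] in ("EASTERN", "WESTERN")
                                       and r["Location"] != "Denver"),
    },
    expires_at=1000.0,
)
KNOWN_CREDENTIALS = {"cred-sqlid2-ok"}  # constructed: credentials the IdP validates
```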

Claim 37 encompasses the same scope of limitation as claim 22 with the addition of a non-transitory computer-readable medium (fig. 1). Therefore, claim 37 is rejected on the basis of the rejection of claim 22.

With respect to claim 39, Belinkiy, Lai and Bender in combination teach the non-transitory computer-readable storage medium of claim 37, and Lai further teaches wherein the program instructions when executed by the one or more hardware processors further cause the one or more hardware processors to: prior to sending the delegation policy to the database, verify the delegated access credential ([1294, Upon the successful processing of the Authentication Assertion request, the Service Requester may be granted sign-on to the common security domain]; examiner’s note: the user ID is verified before the access control rights (delegation policy) are sent to the database).  One of ordinary skill in the art would recognize that verifying the access credential of Lai could be incorporated with assigning a delegated access credential of Belinkiy/Bender to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Lai, which restricts users to only a subset of a database, into the system of Belinkiy/Bender to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

Claim 41 is rejected on the basis of rejection of claim 33.

Claims 24, 25, 34, 35 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Belinkiy et al. (2012/0159577) in view of Lai (US 2005/0044197), in view of Bender (US 2008/0052291), and in view of Barenholz et al. (US 9,043,870).

With respect to claim 24, Belinkiy, Lai and Bender teach the system of claim 22, but do not explicitly teach wherein the identity provider is a social media service, email service, or e-commerce service.
However, Barenholz teaches wherein the identity provider is a social media service, email service, or e-commerce service ([col. 4, lines 55-60, identity provider ("IDP") (email service, social networking service or other service providing a user account) is a service that specializes in registering user accounts]; examiner’s note: the identity provider is an email service).  One of ordinary skill in the art would recognize that the email service as identity provider of Barenholz could be incorporated with assigning a delegated access credential of Belinkiy/Lai/Bender to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the email service of Barenholz into the system of Belinkiy/Lai/Bender to have a secure system. The motivation would be to have a system which uses an email service as an identity provider, to have a secure system.

With respect to claim 25, Belinkiy, Lai, Bender and Barenholz in combination teach the system of claim 24, and Lai further teaches wherein the program instructions are further executable to cause the delegation service to: deny a third request for another delegated access credential based at least in part on a determination that another identity credential included in the third request is not verified ([1200]; examiner’s note: each user is determined to have authorized or unauthorized access to data, and access is denied for unauthorized access; Bender also teaches this in para. [0027]).
One of ordinary skill in the art would recognize that denying an unauthorized request, as in Lai, could be incorporated with assigning a delegated access credential of Belinkiy/Bender/Barenholz to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Bender, which restricts users to only a subset of a database, into the system of Belinkiy/Bender/Barenholz to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

Claim 34 is rejected on the basis of rejection of claim 24.

With respect to claim 35, Belinkiy, Lai, Bender and Barenholz in combination teach the system of claim 34, and Belinkiy further teaches further comprising receiving a third request for another delegated access credential ([0025-0027]; examiner’s note: multiple requests are received to access data), the third request including another identity credential ([0025-0027]; examiner’s note: each request is associated with a credential); 
Lai further teaches determining from an identity provider that the other identity credential is not validated ([1200]; examiner’s note: each user is determined to have authorized or unauthorized access to data); and 
denying the third request for the other delegated access credential ([1200]; examiner’s note: access to the database with the specific user ID (delegated access credential) is denied; Bender also teaches this in para. [0027]).  One of ordinary skill in the art would recognize that denying an unauthorized request, as in Lai, could be incorporated with assigning a delegated access credential of Belinkiy/Bender/Barenholz to further improve the system to ensure data security.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the access control of Bender, which restricts users to only a subset of a database, into the system of Belinkiy/Bender/Barenholz to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

Claim 38 is rejected on the basis of rejection of claim 24.

Claims 27 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Belinkiy et al. (2012/0159577) in view of Lai (US 2005/0044197), in view of Bender (US 2008/0052291), and in view of Shukla et al. (2010/0257578).

With respect to claim 27, Belinkiy, Lai and Bender teach the system of claim 22, but do not explicitly teach wherein the identity credential comprises a public certificate, and the program instructions are further executable to cause the delegation service to select the delegation policy for the delegated access credential based at least in part on the public certificate.
Belinkiy teaches a delegation policy (0034, 0035) but does not explicitly teach a public certificate.
However, Shukla teaches wherein the identity credential comprises a public certificate ([0017]; examiner’s note: the user is associated with the public key, which is the public certificate), and the program instructions are further executable to cause the delegation service to select the delegation policy for the delegated access credential based at least in part on the public certificate ([0017, Upon receiving the request, the computing environment may verify the authenticity of the authorization token against the cryptographic public key, and may perform the requested accessing if the authorization token is authenticated and indicates an authorized accessing by the requester]; examiner’s note: the authorization access token is compared with the public key, which is a public certificate, to authorize the access). One of ordinary skill in the art would recognize that the public certificate of Shukla could be incorporated with assigning a delegated access credential of Belinkiy/Lai/Bender to further improve the system by adding extra security to the data to prevent unauthorized data access.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate the authorized access of Shukla into the system of Belinkiy/Lai/Bender to have a secure system. The motivation would be to have a system which authorizes access to data from the table only for specific users, to prevent unauthorized access.

Claim 36 is rejected on the same basis of rejection of claim 27.

Claims 28 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Belinkiy et al. (2012/0159577) in view of Lai (US 2005/0044197), in view of Bender et al. (2008/0052291), and in view of Doran et al. (US 2014/0006095).

With respect to claim 28, Belinkiy, Lai and Bender in combination teach the system of claim 22, and Belinkiy further teaches wherein the program instructions are further executable to cause the delegation service to: create the delegation policy ([0063, The IdP creates a delegation]; [0014, XACML delegation deals with creation of new policies and tracing back "trusted policies"]; [0057]; examiner’s note: the system creates a delegation policy); and store the delegation policy in a delegation policy data store (fig. 4, 0101; examiner’s note: the delegation assertions are stored, and an assertion includes the delegation policy).
Belinkiy, Lai and Bender in combination do not explicitly teach creating a delegation policy in response to a delegation policy creation request.
However, Doran teaches creating a delegation policy in response to a delegation policy creation request ([0031, The method 200 includes receiving a request to create a business rule for controlling access to a cloud service, as illustrated at block 202]; examiner’s note: the delegator creates the privilege the delegate can perform). One of ordinary skill in the art would recognize that the request for creating a delegation policy could be incorporated with assigning a delegated access credential of Belinkiy/Lai/Bender to further improve the system so that a delegation policy is created only if the policy is needed.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to incorporate receiving a request to create a delegation policy, as in Doran, into the system of Belinkiy/Lai/Bender to have an efficient system. The motivation would be to have a system which creates delegation policies only in response to a policy request, to save time.
Claim 40 is rejected on the same basis of rejection of claim 28.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATIMA P MINA whose telephone number is (571)270-3556. The examiner can normally be reached Monday - Friday 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela Reyes can be reached on 571-270-1006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/FATIMA P MINA/Examiner, Art Unit 2159
/AMRESH SINGH/ Primary Examiner, Art Unit 2159