DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is responding to the communication dated on 11/03/2022.
Claims 1, 3, 8, 10, 15 and 17 have been amended and all other claims are previously presented.
Claims 1-20 are submitted for examination.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Priority
This application filed on March 30, 2021 does not claim any priority.

Examiner’s Note
Claims 15-20 are directed toward a computer program product. A paragraphs 67-68 of specification describes, the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire. Thus Claims 15-20 are compliant with 35 U.S.C. 101.
Response to Arguments
Applicant’s amendment, filed on November 03, 2022, has claims 1, 3, 8, 10, 15 and 17 amended and all other claims previously presented. Among the amended claims, claims , 1, 8 and 15 are independent ones, and thus, the amendment necessitates a new ground of rejection.
 Applicant’s remark, filed on November 03, 2022 on bottom of page 8 and top of page 9 regarding, “Applicant respectfully disagrees with the Examiner's characterization of MA and NIE and maintains that MA, NIE are silent as to "determining one or more security limitations have occurred," and/or "returning a response, responsive to determining the one or more security limitations have occurred, wherein the response is based on the evaluation by the policy evaluator," as recited in claims 1, 8, and 15. As such, Applicant respectfully submits that Ma, in view of NIE each fail to teach or suggest any of the aforementioned features”, has been considered and found persuasive, however newly cited art by Narayanaswami et al. (US # 2020/0177637) discloses,  at action 1420, data-deficient transactions that apply to the objects are actively processed by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions. (Fig. 14(1420), ¶352). At action 1620 where a determination is made whether the content file being attempted to share is sensitive. This determination is made by retrieving metadata about the content file from metadata store 196 that confirms if the content file includes sensitive data. In one implementation, the metadata is retrieved by looking up a file profile of the content file in the supplemental data store or metadata store 196. (Fig. 16(1620), ¶362). At action 1640, based on the multi-part policy, a content inspection rule is applied to find strings and interrelated strings in the sensitive content that are subject to content control, as discussed supra. In one implementation, a classification engine 127 is used to determine if the extracted content matches the arguments defined in the applicable content inspection rule, as discussed supra. (Fig. 16(1640), ¶364).  The multi-part string search pattern matches the two or more non-contiguous strings based on semantic proximity between the two or more non-contiguous strings. In some implementations, the content inspection rule includes a plurality of multi-part string search patterns directed to compliance with Health Insurance Portability and Accountability Act (HIPAA) privacy or security regulations. In other implementations, the content inspection rule includes a plurality of multi-part string search patterns directed to compliance with payment card industry (PCI) data security standards. In yet other implementations, the content inspection rule includes a plurality of multi-part string search patterns directed to compliance with personally identifiable information (PII) data security standards.  The content inspection rule includes a plurality of multi-part string search patterns directed to trade secret data identified as confidential. In another implementation, the content inspection rule includes a plurality of multi-part string search patterns directed to source code. In yet another implementation, the content inspection rule includes a plurality of multi-part string search patterns directed to technical specifications. In a further implementation, the content inspection rule includes a plurality of multi-part string search patterns directed to customer or employee lists with financial data regarding the customer or employees. (¶367-¶368). At action 1720 where a determination is made whether the content file type being attempted to share is sensitive. This determination is made by retrieving metadata about the content file from metadata store 196 that confirms if the content file type is prohibited from being uploaded, downloaded, or modified. In one implementation, this is done by determining a true file type of the content file when it first traversed the active proxy platform and storing the true file type in the metadata store 196. (Fig. 17(1720), ¶394). The alert sub-engine 173 sends out notifications to network administrators upon detection of potential breach or leakage of sensitive data. The coach sub-engine 174 educates the users performing the content-level activity about more secure alternative cloud services pre-sanctioned by the users' organization. The justification sub-engine 175 seeks justification from the users performing the content-level activity regarding why their particular transaction (e.g. uploading a spreadsheet) via a cloud service should be permitted. The quarantine sub-engine 176 temporarily holds the transmitted data in a quarantine folder at the cloud service pending a quarantine approver's ratification or rejection. Based on the quarantine approver's decision, the content is either transmitted to the cloud service or not. The encryption sub-engine 177 performs document specific encryption of the content by deriving a per-document key from a combination of a triplet-key using a hash key derivation function (HKDF). The enhancement sub-engine 179 performs at least one of set-up authentication, multi-factor authentication, and re-authentication. In one example of re-authentication, a user or device identified as a compromised user or device based on detection of anomalous activity on an application or cloud service, the user or device is logged out of the application session and the user or device is required to re-login to initialize a new application session. (¶182). At action 1510, active analysis of access requests for the independent object stores is combined with inspection of objects in the independent object stores. Each analysis and inspection generates and persists object metadata. At action 1520, manipulation of the objects is actively controlled by applying rules that utilize the persisted metadata. (Fig. 15(1510, 1520), ¶357-¶358). At action 1650, a security action is triggered based on the multi-part policy responsive to finding the strings and interrelated strings subject to content control in the parsed stream, as discussed supra. In some implementations, a security engine 128 access one or more content policies 181 to determine which ones of the security action should be take based on the type of the classified content. In other implementations, the security engine 128 can include a plurality of sub-engines for each of the different types of security actions, including a block sub-engine, a bypass sub-engine, a remediate sub-engine, a justification sub-engine, a quarantine sub-engine, an encryption sub-engine, and other suitable security action engines. In one implementation, the security action is triggered responsive to finding threshold occurrences of the strings and interrelated strings subject to content control in the parsed stream. In some implementations, the security action includes quarantining the content. In one implementation, a quarantine folder is created at the CCS in which the content is conditionally stored pending ratification or rejection by a quarantine approver. In one implementation, conditionally storing the content item in the quarantine folder includes generating data representing a tombstone file for the content that identifies the content and storing the tombstone file at a destination (file path or folder) where the uploading user desired to upload the content. In another implementation, conditionally storing the content item in the quarantine folder includes encrypting the content item. In some implementations, the quarantine folder is created in a second CCS different from the CCS to which the content could have been transmitted. The decision of the quarantine approver regarding transmission of the content to the CCS is stored and subsequent requests for transmitting the content to the CCS are processed based on the decision of the quarantine approver. In some implementations, responsive to ratification or rejection by the quarantine approver, the tombstone file is either replaced with the content or it is deleted. In one implementation, data identifying at least one multi-part string search pattern is generated and presented to the quarantine approver. This data identifies at least one string in the quarantined content that is subject to content control.  In some implementations, the security action includes requiring justification of using the CCS API in use for the content in the parsed stream as a condition of completing the function or the activity being performed. In other implementations, the security action includes generating one or more coaching messages that identify a more enterprise-ready alternative to the CCS API in use. In one implementation, the enterprise-ready alternative to the CCS API is identified using a cloud confidence Index™ (CCI) that is determined based on at least one of data encryption policies of a CCS, disaster management policies of the CCS, number of data centers supporting the CCS, and compliance certifications of the data centers. In some implementations, the security action includes document specific encryption of the content. In one implementation, the document specific encryption includes accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and receiving a triplet-key and a triplet-key identifier used to uniquely identify the triplet-key. For a document that has a document identifier (ID), the method further includes deriving a per-document key from a combination of the triplet-key, the document ID and a salt, using the per-document key to encrypt the document, and forwarding the encrypted document, the document ID, the salt, and the triplet-key identifier. (¶369-¶375). At action 1740, based on the multi-part policy, a content inspection rule is applied to find strings and interrelated strings in the sensitive content that are subject to content control, as discussed supra. In one implementation, a classification engine 127 is used to determine if the extracted content matches the arguments defined in the applicable content inspection rule, as discussed supra. At action 1750, a security action is triggered based on the multi-part policy responsive to finding that the retrieved true file type matches the prohibited file type. For example, if the detected file type is “.text” but the true file type is “.PDF” and the prohibited file type is “.PDF,” then a security action that prevents upload, download, and modification of the content file is triggered. In some implementations, a security engine 128 access one or more content policies 181 to determine which ones of the security action should be take based on the type of the classified content. In other implementations, the security engine 128 can include a plurality of sub-engines for each of the different types of security actions, including a block sub-engine, a bypass sub-engine, a remediate sub-engine, a justification sub-engine, a quarantine sub-engine, an encryption sub-engine, and other suitable security action engines. (Fig. 17(1740, 1750), ¶396-¶397). Thus Narayanaswami teaches, a security event has occurred and based on occurred security event a response is returned.
Applicant further recites similar remarks as listed above for dependent claims2-7, 9-14 and 16-20. Please see response for remarks in above paragraph 10 that clearly shows how the cited prior arts MA, NIE, Alison and Narayanaswami clearly teaches the claimed limitations.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over   Yong-you MA (CN PUB. # CN 104935608A, hereinafter “MA”), and further in view of Zhi, NIE (CN PUB. # CN 112187931A, hereinafter “NIE”), and further in view of Narayanaswamy et al. (US PGPUB. # US 2020/0177637, hereinafter “Narayanaswamy”).

Referring to Claims 1, 8 and 15:
Regarding Claim 1, MA teaches,
A method for preserving confidentiality of metadata in decentralized policies, the method comprising: 
generating, via a processor, one or more encrypted policies associated with a policy creator; (Abstract, “generating authentication data set, the authentication data set includes user attribute information and security policy after encrypting”, Page-2, Lines 11-13, Page-2, Lines 20-21, “privacy policy in the encrypted”, Claim 1, i.e. one or more encrypted policies are generated)
generating [token] metadata associated with a user utilizing the one or more encrypted policies; (Abstract, “the method comprising: generating authentication data set, the authentication data set includes user attribute information”, Page 2, Lines 12-13, “step one, generating the authentication data set, the authentication data set includes user attribute information”, Page-2, Lines 19-28, “request of the attribute declaration to collect attribute information corresponding to the user”, Claim 1, i.e. user attributes are considered as metadata associated with a user)
encrypting the [token] metadata to form encrypted [token] metadata; (Abstract, “the authentication data set includes user attribute information and security policy after encrypting”, Page-2, Lines 12-13, “step one, generating the authentication data set, the authentication data set includes user attribute information and security policy after encrypting”, Page-2, Lines 19-28, “ generating the authentication data set, the authentication data set includes user attribute information and security policy after encrypting”, i.e. user attributes (metadata) are encrypted)
sending the one or more encrypted policies and the encrypted [token] metadata to a policy evaluator, wherein the policy evaluator evaluates the one or more encrypted policies and the encrypted [token] metadata; (Abstract, “cloud platform server obtains the authentication data set, performs a decryption operation, the user authentication, if the authentication is passed, deleting the user attribute information according to the security policy, returning the received information to the authentication module, allowing the user to use the service”, Page-2, Lines 14-15, “cloud platform server obtains the authentication data set”,  Page-2, Lines 33-40, Claim 1, i.e. cloud platform server is considered as a policy evaluator. The cloud platform server receives (sent by the client) attribute data and encrypted policies for evaluation) and 
MA does not teach explicitly,
generating token [metadata associated with a user utilizing the one or more encrypted policies];
encrypting the token [metadata] to form encrypted token [metadata];
[sending the one or more encrypted policies] and the encrypted token [metadata to a policy evaluator, wherein the policy evaluator evaluates the one or more encrypted policies] and the encrypted token [metadata];
determining one or more security limitations have occurred; and 
returning a response, responsive to determining the one or more security limitations have occurred, wherein the response is based on the evaluation by the policy evaluator.
However, NIE teaches,
generating token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, i.e. token is generated) [metadata associated with a user utilizing the one or more encrypted policies];
encrypting the token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, “wherein the service request carries the token”,  i.e. token is encrypted) [metadata] to form encrypted token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, “wherein the service request carries the token”,  i.e. token is encrypted) [metadata];
[sending the one or more encrypted policies] and the encrypted token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, Page-5, Lines 43-44,  i.e. encrypted token is generated and sent for a service request) [metadata to a policy evaluator, wherein the policy evaluator evaluates the one or more encrypted policies] and the encrypted token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, Page-5, Lines 43-44,  i.e. encrypted token is generated and evaluated) [metadata];
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of NIE with the invention of MA.
MA teaches, generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution. NIE teaches, generating and encrypting a token. Therefore, it would have been obvious to have generating and encrypting a token of NIE with generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution of MA to manage an inactive session between a client and a server and providing services when requested by a client utilizing an encrypted token.
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of MA and NIE does not teach explicitly,
determining one or more security limitations have occurred; and 
returning a response, responsive to determining the one or more security limitations have occurred, wherein the response is based on the evaluation by the policy evaluator.
	However, Narayana teaches,
determining one or more security limitations have occurred; (Fig. 14(1420), ¶352, “ data-deficient transactions that apply to the objects are actively processed by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions”, Fig. 16(1620, 1640), ¶362, ¶364, ¶367-¶368, Fig. 17(1720), ¶394, i.e. it is determined that one or more security limitations have occurred) and 
returning a response, responsive to determining the one or more security limitations have occurred, wherein the response is based on the evaluation by the policy evaluator. (¶182, Fig. 15(1510, 1520), ¶357, “active analysis of access requests for the independent object stores is combined with inspection of objects in the independent object stores”, ¶358, “manipulation of the objects is actively controlled by applying rules that utilize the persisted metadata”, Fig. 16(1650), ¶369-¶375,  Fig. 17(1740, 1750), ¶396-¶397, i.e. policy is evaluated and a response is provided based on determining one or more security limitations have occurred).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Narayanaswamy with the invention of MA in view of NIE.
MA in view of NIE teaches, generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution and generating and encrypting a token. Narayanaswami teaches, providing a response after evaluating a policy when a security event has occurred . Therefore, it would have been obvious to provide a response after evaluating a policy when a security event has occurred of Narayanaswami into the teachings of MA in view of NIE to prevent leakage of sensitive data and protecting data while utilizing cloud services. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 8, it is a system Claim of above method Claim 1 and therefore Claim 8 is rejected with the same rationale as applied against Claim 1 above.
NIE teaches a processor and memory Page-4, Lines 25-27.

Regarding Claim 15, it is a computer program product Claim of above method Claim 1 and therefore Claim 15 is rejected with the same rationale as applied against Claim 1 above.

Referring to Claims 2, 9 and 16:
Regarding Claim 2, rejection of Claim 1 is included and for the same motivation MA does not teach explicitly,
The method of claim 1, wherein encrypting token metadata to form the encrypted token metadata further includes: 
configuring the encrypted token metadata into a JSON web token (JWT token).
However, NIE teaches,
The method of claim 1, wherein encrypting token metadata to form the encrypted token metadata further includes: 
configuring the encrypted token metadata into a JSON web token (JWT token). (Page 6, Lines 21-26, “the service request can include a client pre-stored JWT (json webtoken) token”, Page 6, Lines   40-50, ”using the private key to encrypt and generate JWT token. wherein the authentication server further defines the long period of the token based on the configuration file, namely the valid period information of the token, and stored in the load data of the JWT token”,  Page 7, Lines, 1-3, “the playload is obtained after performing base64 encryption processing to the original playload; signature (signature) is according to JWT specification, using the private key to encrypt the JWT metadata (i.e., the header and playload)”).

Regarding Claim 9, rejection of Claim 8 is included and Claim 9 is rejected with the same rationale as applied against Claim 2 above.

Regarding Claim 16, rejection of Claim 15 is included and Claim 16 is rejected with the same rationale as applied against Claim 2 above.

Referring to Claims 3, 10 and 17:
Regarding Claim 3, rejection of Claim 2 is included and for the same motivation MA does not teach explicitly,
The method of claim 2, further comprising: obtaining, by the policy evaluator, the JWT token.
However, NIE teaches,
The method of claim 2, further comprising: obtaining, by the policy evaluator, the JWT token. (Page 6, Lines, 47-51, “the user uses the JWT token to access the resource server. wherein the generated JWT token is in the form of: The JWT token includes header (header), playload (load), and signature (signature) three-part data”, Page 7, Lines 5-10, “when the client sends the service request to the server, the server does not directly respond to the service request, but will firstly use the gateway filter to intercept the service request, and after the interception is successful, then verifying the token in the service request”, i.e. server is considered as policy evaluator and the server (policy evaluator) obtains the JWT token). 

Regarding Claim 10, rejection of Claim 9 is included and Claim 10 is rejected with the same rationale as applied against Claim 3 above.

Regarding Claim 17, rejection of Claim 16 is included and Claim 17 is rejected with the same rationale as applied against Claim 3 above.

Referring to Claims 4, 11 and 18:
Regarding Claim 4, rejection of Claim 1 is included and for the same motivation MA teaches,
The method of claim 1, wherein the policy evaluator evaluates the one or more encrypted policies and the encrypted [token] metadata includes: 
determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted [token] metadata by the policy evaluator; (Abstract, “cloud platform server obtains the authentication data set, performs a decryption operation, the user authentication, if the authentication is passed, deleting the user attribute information according to the security policy, returning the received information to the authentication module, allowing the user to use the service”, Page-2, Lines 14-15, “cloud platform server obtains the authentication data set”,  Page-2, Lines 33-40, Claim 1, i.e. cloud platform server is considered as a policy evaluator. The cloud platform server receives (sent by the client) attribute data and encrypted policies for evaluation, and determines user authentication (evaluation result)) and
 	performing a decision based on the evaluation result. (“cloud platform server after the authentication of the user is passed”, “indicating permission to use service”, i.e. based on the user authentication (evaluation) allows user to use the service). 
	MA does not teach explicitly,
The method of claim 1, [wherein the policy evaluator evaluates the one or more encrypted policies and the encrypted] token [metadata includes: 
determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted] token [metadata by the policy evaluator];
However, NIE teaches,
The method of claim 1, [wherein the policy evaluator evaluates the one or more encrypted policies and the encrypted] token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, i.e. token is generated) [metadata includes: 
determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted] token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, i.e. token is generated) [metadata by the policy evaluator];

Regarding Claim 11, rejection of Claim 8 is included and Claim 11 is rejected with the same rationale as applied against Claim 4 above.

Regarding Claim 18, rejection of Claim 15 is included and Claim 18 is rejected with the same rationale as applied against Claim 4 above.

Referring to Claims 5, 12 and 19:
Regarding Claim 5, rejection of Claim 1 is included and for the same motivation MA teaches,
The method of claim 1, wherein the policy evaluator stores the one or more encrypted policies generated by the policy creator. (Page 2, Lines 35-38, “after successfully decrypting the authentication data set starting the integrity self-check, the calculated value and the previously stored value of the privacy policies”, Page 5, Lines 12-15, Claim 3, “after successfully decrypting the authentication data set starting the integrity self-check, the calculated value and the previously stored value of the privacy policies”, i.e. server (policy evaluator) stores one or more encrypted policies).

Regarding Claim 12, rejection of Claim 8 is included and Claim 12 is rejected with the same rationale as applied against Claim 5 above.

Regarding Claim 19, rejection of Claim 15 is included and Claim 19 is rejected with the same rationale as applied against Claim 5 above.

Referring to Claims 6, 13 and 20:
Regarding Claim 6, rejection of Claim 1 is included and for the same motivation MA teaches,
The method of claim 1, wherein sending the one or more encrypted policies and the encrypted token metadata to the policy evaluator includes: [passing, by a resource server], the one or more encrypted policies and the encrypted token metadata to the policy evaluator. (Abstract, “cloud platform server obtains the authentication data set, performs a decryption operation, the user authentication, if the authentication is passed, deleting the user attribute information according to the security policy, returning the received information to the authentication module, allowing the user to use the service”, Page-2, Lines 14-15, “cloud platform server obtains the authentication data set”,  Page-2, Lines 33-40, Claim 1, i.e. cloud platform server is considered as a policy evaluator. The cloud platform server receives (sent by the client) attribute data and encrypted policies for evaluation)
MA does not teach explicitly,
The method of claim 1, [wherein sending the one or more encrypted policies and the encrypted token metadata to the policy evaluator includes:] passing, by a resource server, [the one or more encrypted policies and the encrypted token metadata to the policy evaluator].
However, NIE teaches,
The method of claim 1, [wherein sending the one or more encrypted policies and the encrypted token metadata to the policy evaluator includes:] passing, by a resource server, (Abstract, “ obtaining the service request sent by the client through the preset gateway filter“, Page-2, Lines 18-19 “the server does not directly respond to the service request, but will firstly use the gateway filter to intercept the service request, and after the interception is successful, then verifying the token in the service request; and verifying whether the client user sending the service request has the service access authority”, Page-4, Lines 7-8, Page 4, Lines 33-37, Page-5, Lines 43-44, i.e. Examiner submits that data passing through gateway filter is considered as passing through a resource server) [the one or more encrypted policies and the encrypted token metadata to the policy evaluator].

Regarding Claim 13, rejection of Claim 8 is included and Claim 13 is rejected with the same rationale as applied against Claim 6 above.

Regarding Claim 20, rejection of Claim 15 is included and Claim 20 is rejected with the same rationale as applied against Claim 6 above.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over   Yong-you MA (CN PUB. # CN 104935608A, hereinafter “MA”), and further in view of Zhi, NIE (CN PUB. # CN 112187931A, hereinafter “NIE”), and further in view of Narayanaswamy et al. (US PGPUB. # US 2020/0177637, hereinafter “Narayanaswamy”), and further in view of Alison et al. (US PGPUB. # US 2013/0254850, hereinafter “Alison”).

Referring to Claims 7 and 14:
Regarding Claim 7, rejection of Claim 6 is included and MA teaches,
The method of claim 6, further comprises: 
determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted [token] metadata by the policy evaluator; (Abstract, “cloud platform server obtains the authentication data set, performs a decryption operation, the user authentication, if the authentication is passed, deleting the user attribute information according to the security policy, returning the received information to the authentication module, allowing the user to use the service”, Page-2, Lines 14-15, “cloud platform server obtains the authentication data set”,  Page-2, Lines 33-40, Claim 1, i.e. cloud platform server is considered as a policy evaluator. The cloud platform server receives (sent by the client) attribute data and encrypted policies for evaluation, and determines user authentication (evaluation result))
performing a decision based on the evaluation result, wherein the policy evaluator performs the decision; . (“cloud platform server after the authentication of the user is passed”, “indicating permission to use service”, i.e. based on the user authentication (evaluation) allows user to use the service).
MA does not teach explicitly, 
[determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted] token [metadata by the policy evaluator];
forwarding the evaluation result to the resource server; and 
generating, via the resource server, the response, wherein the response is returned to the user by the resource server.
However, NIE teaches,
[determining an evaluation result, wherein the evaluation result is based on the evaluation of the one or more encrypted policies and the encrypted] token (Page-6, Lines 35-50, “using the private key to encrypt and generate JWT token”, i.e. token is generated)  [metadata by the policy evaluator];
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of NIE with the invention of MA.
MA teaches, generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution. NIE teaches, generating and encrypting a token. Therefore, it would have been obvious to have generating and encrypting a token of NIE with generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution of MA to manage an inactive session between a client and a server and providing services when requested by a client utilizing an encrypted token.
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of MA, NIE and Narayanaswami does not teach explicitly,
forwarding the evaluation result to the resource server; and 
generating, via the resource server, the response, wherein the response is returned to the user by the resource server.
However, Alison teaches,
forwarding the evaluation result to the resource server; (Fig. 3(330, 340), ¶29, “the intermediate server 250 may receive an access token from the social-networking system”, i.e. intermediate server is considered as resource server) and 
generating, via the resource server, the response, wherein the response is returned to the user by the resource server. (Fig. 3(350), ¶29, “At step 350, the intermediate server 250 may transmit a first response to the mobile client device 122 indicating the software application 240 is authorized, i.e. intermediate server is considered as resource server and the intermediate server provides a response to a user).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Alison with the invention of MA in view of NIE and Narayanaswami.
MA in view of NIE and Narayanaswami teaches, generating encrypted policies and encrypted user attributes and send it to the evaluator for an evolution and generating and encrypting a token providing a response after evaluating a policy when a security event has occurred. Alison teaches, utilizing an intermediate server for communication. Therefore, it would have been obvious to have utilize an intermediate server for communication of Alison into the teachings of MA in view of NIE and Narayanaswami to conserve resources of an intermediate server and have a separate evaluation server for evaluation. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 14, rejection of Claim 13 is included and Claim 14 is rejected with the same rationale as applied against Claim 7 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Bhargav-Spantzel et al. (US PGPUB. # US 2018/0183586) discloses, an authentication policy for implementing a user authentication factor (or multiple factors) may be deployed at a client computing device to control generation and use of a cryptographic key. Operations for generating a cryptographic key in accordance with an authentication policy may include: receiving the authentication policy from a policy broker, generating the cryptographic key in response to receipt of the user authentication factor defined by the authentication policy, generating attestation data that indicates compliance with the authentication policy, and communicating the attestation data to the policy broker. Operations for using the cryptographic key in accordance with the authentication policy may include: receiving a request to access the cryptographic key, and accessing the cryptographic key in response to successful receipt of the user authentication factor defined by the authentication policy.
Gelman et al. (US PAT. # US 10,263,787) discloses, receiving, at a first decentralized application, a signature associated with a first public key, receiving data representing one or more permissions specified by a trusted root application and signed by the trusted root application, signing a second public key associated with a second decentralized application, signing data representing one or more permissions specified by the first decentralized application, and providing the signature associated with the second public key and the signed data representing one or more permissions specified by the first decentralized application, in order to thereby provide trust between the first decentralized application and the second decentralized application.
Miller et al. (US PGPUB. # US 2017/0132621) discloses, a method for verifying a cryptographic transaction includes requesting a portion of the blockchain comprising a merkle tree path; verifying a value of the cryptocurrency key using simplified payment verification; and bundling the cryptographic transaction, a block header of the cryptographic transaction, a plurality of block headers subsequent the block header of the cryptographic transaction, and the merkle tree path thereby forming a cryptographic currency receipt.
Sathyadevan et al. (US PGPUB. # US 2014/0075568) discloses, a system for protecting data managed in a cloud-computing network from malicious data operations includes an Internet-connected server and software executing on the server from a non-transitory physical medium, the software providing a first function for generating one or more security tokens that validate one or more computing operations to be performed on the data, a second function for generating a hash for each token generated, the hash detailing, in a secure fashion, the operation type or types permitted by the one or more tokens, a third function for brokering two-party signature of the one or more tokens, and a fourth function for dynamically activating the one or more signed tokens for a specific time window required to perform the operations permitted by the token.
Srinivasan et al. (US PGPUB. # US 2013/0086645) discloses, a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARSHAN I DHRUV/           Primary Examiner, Art Unit 2498