Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5-13, and 15-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Chowdhury et al., US 2018/0232259.

Regarding claim 1, Chowdhury teaches a system for enforcing control policies across software as a service (SaaS) platforms (Fig 4, system 230), the system comprising: 
one or more server devices accessible over a network, the one or more server devices being configured to: 
provide access to a security control platform over a network (Fig. 4, identity management system 232), the security control platform being configured to execute functions associated with creating and enforcing control policies on accounts provided by a plurality of SaaS platforms (paragraph 0063: the controller 248 may retrieve a set of rules (which may also be referred to as a “policy”) corresponding to the former position and a set of rules corresponding to the new position from the rules repository 246. In some embodiments, these sets of rules may indicate which SaaS applications should have accounts for the corresponding user/role and configurations of those accounts, like permissions and features to enable or disable.); 
integrate the accounts provided by each of the plurality of SaaS platforms with the security control platform (paragraph 0063: these rules may be sent to the rules engine 252, which may compare the rules to determine differences from a current state, for instance, configurations to change or accounts to add or remove. In some embodiments, the rules engine 252 may update records in the identity repository 254 to indicate those changes, for instance, removing accounts, changing groups to which users belong, changing permissions, adding accounts, removing users from groups, and the like.); 
generate, using the security control platform, control policies to be enforced on the accounts provided by the plurality of SaaS platforms (paragraph 0063:  the rules engine 252 may be configured to update the identity repository 254 based on rules in the rules repository 256 to determine third-party SaaS application account configurations based on changes in roles of users, for instance received from the administrator computing device 244, at the direction of controller 248.); 
monitor, using the security control platform, activity events generated by each of the accounts integrated with the security control platform (0039:  the rules engine 252 may be configured to update the identity repository 254 based on rules in the rules repository 256 to determine third-party SaaS application account configurations based on changes in roles of users, for instance received from the administrator computing device 244, at the direction of controller 248.); and 
transmit, using the security control platform, commands over the network to the plurality of SaaS platforms, wherein the commands are configured to enforce the control policies on the accounts integrated with the security control platform and at least a portion of the commands are transmitted in response to the activity events monitored by the security control platform (0063:  the controller 248 may respond to these updates by instructing the data sync module 252 translate the modified nodes and edges into API commands, using a variant of the system 10 of FIG. 1 send those API commands to the corresponding third-party SaaS applications.).

Regarding claim 2, Chowdhury teaches the system of claim 1, wherein: the security control platform centralizes enforcement of control policies on the accounts provided by the plurality of SaaS platforms; and the security control platform is external to each of plurality of SaaS platforms and remotely enforces the control policies over a network (See paragraph 0063, as cited above, and Fig. 4, SaaS applications 234, 236,  identity management system 232).  

Regarding claim 3, Chowdhury teaches the system of claim 1, wherein one or more of the control policies include file sharing control policies that are configured to control or manage sharing of files by the accounts provided by the plurality of SaaS platforms (0045: the worker processes may be configured to share an API connection credential, like a temporary access token.  0046: The worker process may share that access token with other worker processes communicating with the same API, and each worker process may append the shared access token to API commands to authenticate the commands, without maintaining session data unique to a given client device. That said, embodiments are also consistent with the older traditional approach.).  

Regarding claim 5, Chowdhury teaches the system of claim 1, wherein: the activity events include metadata describing activities of the accounts provided by the SaaS platforms; the metadata included in the activity events varies across the plurality of SaaS platforms; the security control platform executes an event normalization function that normalizes metadata associated with the activity events generated by the plurality of SaaS platforms (0063:  the controller 248 may respond to these updates by instructing the data sync module 252 translate the modified nodes and edges into API commands, using a variant of the system 10 of FIG. 1 send those API commands to the corresponding third-party SaaS applications.).  

Regarding claim 6, Chowdhury teaches the system of claim 5, wherein: in response to determining that an activity event generated by a SaaS platform does not include sufficient information to assess whether one or more of the control policies apply, the event normalization function retrieves or requests additional information from the SaaS platform pertaining to the activity event (0060: In response to this transmission, the identity management system may retrieve from memory and updated set of account configurations for the user in the new role, and records of these new account configurations may be created in a graph database in the identity management system 232. 0066: all members of a group may be retrieved relatively quickly by requesting all nodes connected to a node correspond to the group by an edge that indicates membership.).  

Regarding claim 7, Chowdhury teaches the system of claim 1, wherein: the security control platform is configured to transmit a security verification request to one or more users in response to detecting a share event included in the activity events; the security verification request includes options that enable the one or more users to approve or deny sharing of the one or more files (0045: server-client sessions are maintained, and session-specific security credentials are sent from the server to client. These credentials may be appended to API commands by the process to authenticate the commands and cause the API to cause the target system to act on a corresponding account's data.).  

Regarding claim 8, Chowdhury teaches the system of claim 7, wherein the security verification request is transmitted to a user that initiated the share event to enable self-verification of the share event (0046: a worker process may request an access token from an authentication server that is different from the API server, e.g., by sending a password and user name, and the authentication server may respond with an access token. ).  

Regarding claim 9, Chowdhury teaches the system of claim 1, wherein the security control platform is configured to generate and enforce one or more control policies pertaining to file events (0057: a manager may have permission to add or delete a defect-tracking ticket, while a lower-level employee may only be allowed to add notes or advance state of the ticket in a workflow. Or certain employees may have elevated access to certain email accounts or sensitive human resources related documents. Each time an employee arrives, leaves, or changes roles, different sets of SaaS user accounts may need to be added, deleted, or updated. Thus, many businesses are facing a crisis of complexity, as they attempt to manage roles in permissions across a relatively large organization using a relatively large number of SaaS services with relatively fine-grained feature-access controls.).  

Regarding claim 10, Chowdhury teaches the system of claim 1, wherein the security control platform is configured to generate and enforce one or more control policies pertaining to user events (0063: the controller 248 may retrieve a set of rules (which may also be referred to as a “policy”) corresponding to the former position and a set of rules corresponding to the new position from the rules repository 246. In some embodiments, these sets of rules may indicate which SaaS applications should have accounts for the corresponding user/role and configurations of those accounts, like permissions and features to enable or disable.).  

As per claims 11-13 and 15-17, this is a method version of the claimed system discussed above in claims 1-3 and 5-10 wherein all claimed limitations have also been addressed and/or cited as set forth above.

As per claims 18-20, this is a product version of the claimed system discussed above in claims 1-3 and 5-10 wherein all claimed limitations have also been addressed and/or cited as set forth above.

Allowable Subject Matter
Claims 4 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance: 
Chowdhury lacks or fails to make obvious by combination:
a first control policy configured to control expirations of files that are shared using one or more of the accounts provided by the plurality of SaaS platforms; 
a second control policy configured to prohibit files from being shared with one or more specified users using one or more of the accounts provided by the plurality of SaaS platforms; 
a third control policy configured to control sharing of files with public privileges using one or more of the accounts provided by the plurality of SaaS platforms; 
a fourth control policy configured to control sharing of inactive files using one or more of the accounts provided by the plurality of SaaS platforms; 
a fifth control policy configured to control sharing of files with users or accounts that do not utilize multi-factor authentication using one or more of the accounts provided by the plurality of SaaS platforms; and 
a sixth control policy configured to implement data retention rules on files associated with one or more of the accounts provided by the plurality of SaaS platforms.  
These limitations in conjunction with other limitations of claims 1 and 11 are not specifically disclosed or remotely suggested in the prior art of record. A review of claims 4 and 14 indicates that claims 4 and 14 are allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2020/0394110 to Ramohalli Gopala Rao et al. teaches that resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUBREY H WYSZYNSKI/
Examiner, Art Unit 2434

/KAMBIZ ZAND/
Supervisory Patent Examiner, Art Unit 2434