DETAILED ACTION
This communication is in response to Applicant’s amendment filed on September 08, 2022. Claims 2, 8-10, and 14-16 have been amended. Claims 1-18 are pending and are directed towards METHOD AND APPARATUS FOR SECURELY MANAGING COMPUTER PROCESS ACCESS TO NETWORK RESOURCES THROUGH DELEGATED SYSTEM CREDENTIALS.
Examiner acknowledges Applicant’s amendment to specification and claims, and therefore withdraws the previous objections to the specification, and the 35 USC § 112(b) rejections. However, examiner maintains the drawing objections and the claims interpretation under 35 USC § 112(f), and the rejection under 35 USC § 103 is maintained. The rejection is stated below.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings are objected to because the replacement sheet of Figures 5, 6a, 6b, and 7 filed on 05/14/2021 are blurry and not clear.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
In addition to Replacement Sheets containing the corrected drawing figure(s), applicant is required to submit a marked-up copy of each Replacement Sheet including annotations indicating the changes made to the previous version.  The marked-up copy must be clearly labeled as “Annotated Sheets” and must be presented in the amendment or remarks section that explains the change(s) to the drawings.  See 37 CFR 1.121(d)(1).  Failure to timely submit the proposed drawing and marked-up copy will result in the abandonment of the application.

Claim Objections
Claim 1 is objected to because of the following informalities: 
Claim 1 recites the limitation “wherein each said agent” which should rather be “wherein said agent” since there is only “an agent” claimed in the previous limitation.  
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “autonomous computer processes configured to, agent is configured to,” in claims 1 and 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Response to Arguments
Applicant's arguments filed on 09/08/2022 have been fully considered but they are not persuasive.
Applicant argues that there is no indication in the primary reference Huh or the secondary reference Chamarajnager that the client includes anything which can be construed as an autonomous computer process, and that the client of Huh does not include an autonomous computer process, a token module or an agent. 

In Response:
Examiner respectfully disagrees with Applicant’s assertion. The primary reference Huh explicitly discloses in para [0082] that (A client may indicate a terminal used by a user) which has a direct access to the access control system 400 as explained in Fig. 4 and related paragraphs in the specification. 
Given the broadest reasonable interpretation of the claimed autonomous computer process, and in light of the disclosure of the current invention (Another example of autonomous processes are services and microservices running on cloud platforms that must access secure resources on the platform. To get access, these services and microservices request security secrets from the network resource server. Spec, para [0006]), this is taught by the primary reference as cited in the rejections below. In addition, and for further clarification: (An access control system 400 may include a collaborative service server 410 and a cloud service server 420. The access control system 400 may be provided by a single cloud service provider. Huh, para [0081]) (The cloud service server 420 may authenticate the user. To use a cloud computing service, the user may subscribe to the cloud service server 420 providing the cloud computing service to users. The user may enter a user identifier (ID), a user password, and user personal information into the cloud service server 420. The cloud service server 420 may issue an ID desired by the user to the user after user authentication. The user may transmit a user authentication request to the collaborative service server 410. The collaborative service server 410 enables the user authentication to be performed by the cloud service server 420 through redirection of the user authentication request. The cloud service server 420 may encrypt the user personal information and store the encrypted user personal information. The cloud service server 420 enables the user personal information to not remain in the cloud service server 420 through the encryption and storage. Huh, para [0083]-[0084]).
Therefore, the user can use his terminal to access the collaborative service server 410, which is part of the cloud service server, to communicate with the access token issuing unit as shown in Fig. 5 and related paragraphs (The access token issuing unit 520 may issue an access token of the service based on a service access request of the user, user authentication, and a service right. The access token may include information associated with the user authentication and the right information. When a request for an access to a service is received from the user, the access token issuing unit 520 may issue the access token based on the user authentication result provided from the cloud service server 420. The cloud service server 420 may receive, from the user service list database 530, right information associated with the service subscribed to by the user and security policy information associated with the service, and may use the right information and the security policy information in order to issue the access token. Huh, para [0095]). 
Therefore, given the broadest reasonable interpretation the user includes both the autonomous computer process and the token module. As explained in the previous rejection, the primary reference Huh does not explicitly teach an agent as another component of the plurality of machines. Therefore, a second reference Chamarajnager was cited to teach an agent with the same functionality as the claimed agent (The components of the networked environment 100 can be utilized to enroll the gateway 111 with the management service 120 and securely obtain gateway credentials 140 and other information to communicate and authenticate with the management service 120. The gateway 111 can communicate with the management service 120 for management of the IoT devices 113 that connect to the network 112 through the gateway 111. Chamarajnager, para [0013]) (The enrollment can include transmission of a request to enroll the gateway to a management service address and installation of an enrollment policy received from the management service, for example, in response to the request. Chamarajnager, para [0010]) (The gateway management agent 139 can be an agent, an application, or other instructions executable by the gateway 111. The gateway management agent 139 can facilitate communications between the gateway 111 and the management service 120 and can implement actions on the gateway. Chamarajnager, para [0036]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that the combination of Huh and Chamarajnager teaches the claimed features, for the same rationales given in the rejection below. 

Allowable Subject Matter
Claims 4 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claims 5-10 and 15-18 are objected to by dependency.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-3 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Huh et al. US 2015/0046971 A1 (hereinafter “Huh”) in view of Chamarajnager et al. US 2019/0356542 A1 (hereinafter “Chamarajnager”)

As per claim 1, Huh teaches a system comprising: 
a network resource server including an administration module, an authentication service, a token management module and an enrollment and policy module (collaborative service server of a cloud computing service, including: a user service list database to store right information of a user associated with a service subscribed to by the user and security policy information associated with the service; and an access token issuing unit to issue an access token of the service. Huh, para [0014]) (The cloud service server may further include a policy administration unit to set or correct a right of the user, a service policy, and a role. Huh, para [0022]); 
a plurality of machines communicatively coupled to said network resource server (each of users corresponds to at least one role. Each role corresponds to at least one permission. For example, each user may be assigned with predetermined roles, and each role may be assigned with predetermined permissions. Huh, para [0073]) (A communication cloud service refers to a cloud computing service for a group of predetermined users. The communication cloud service may assign an access right only to members of a predetermined group. Members of a group may share data, an application, and the like through the communication cloud service. Huh, para [0008]), each said machine including a plurality of autonomous computer processes configured to request resource access from said network resource server, a token module (In response to a request for a new service from the user, the user service list database may update the right information and the security policy information associated with the service subscribed to by the user. Huh, para [0020]) (authorize an access of the user to the service when information associated with the access token matches the access control list. Huh, para [0021])(The user service list database 530 may store right information of a user associated with a service subscribed to by the user and security policy information associated with the service. Huh, para [0092])  
Huh does not explicitly teach an agent wherein each said agent is configured to enroll a corresponding one of said plurality of machines with said network resource server, and accept machine policies and login credentials from said enrollment and policy module.
However, Chamarajnager teaches an agent wherein each said agent is configured to enroll a corresponding one of said plurality of machines with said network resource server, and accept machine policies and login credentials from said enrollment and policy module (The components of the networked environment 100 can be utilized to enroll the gateway 111 with the management service 120 and securely obtain gateway credentials 140 and other information to communicate and authenticate with the management service 120. The gateway 111 can communicate with the management service 120 for management of the IoT devices 113 that connect to the network 112 through the gateway 111. Chamarajnager, para [0013]) (The enrollment can include transmission of a request to enroll the gateway to a management service address and installation of an enrollment policy received from the management service, for example, in response to the request. Chamarajnager, para [0010]) (The gateway management agent 139 can be an agent, an application, or other instructions executable by the gateway 111. The gateway management agent 139 can facilitate communications between the gateway 111 and the management service 120 and can implement actions on the gateway. Chamarajnager, para [0036]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Huh in view of Chamarajnager. One would be motivated to do so, to ensure secure management communications. (Chamarajnager, para [0002]).

As per claim 2, Huh and Chamarajnager teach the system defined by claim 1, 
wherein the token module determines an available one of said resource scopes that contains a resource for which access is requested by one of said autonomous computer process running on said one of said plurality of machines (The user service list database 530 may store right information of a user associated with a service subscribed to by the user and security policy information associated with the service. Huh, para [0092]) (When the user uses the existing service, the collaborative service server 410 may search the user service list database 530 for right information associated with the service desired by the user in operation 870. When the existing service is used, existing right information and security policy information associated with the existing service may be used. For example, when the existing service is used, a right policy and a security policy do not change and thus, existing right information and security policy information may be used. Huh, para [0127]).
Huh does not explicitly teach wherein after one of said plurality of machines is enrolled with said network resource server, if said token module does not know what resource scopes are available on the one machine, the token module issues a request to said agent on the one machine for available resource scopes and the agent returns a list of available resource scopes to the token module.
However, Chamarajnager teaches wherein after one of said plurality of machines is enrolled with said network resource server, if said token module does not know what resource scopes are available on the one machine, the token module issues a request to said agent on the one machine for available resource scopes and the agent returns a list of available resource scopes to the token module (The management service 120 can transmit various software components to the gateway 111 which are then installed, configured, or implemented by the gateway management instructions 153. Such software components can include, for example, additional client applications, resources, libraries, drivers, device configurations, or other similar components that require installation on the gateway 111 as specified by the enterprise or an administrator of the management service 120. The management service 120 can further cause policies to be implemented on a gateway 111. Policies can include, for example, restrictions or permissions pertaining to capabilities of a gateway 111. For instance, policies can require certain hardware or software functions of the gateway 111 to be enabled or be disabled during a certain time period or based on a particular location. Such policies can be implemented by the gateway management instructions. Chamarajnager, para [0040]) (The management service 120 can also transmit various software components to the IoT device 113 which are then installed, configured, or implemented by the IoT management application 167. Such software components can include, for example, additional applications 195, resources, libraries, drivers, device configurations, or other similar components that require installation on the IoT device 113 as specified by an administrator of the management service 120. The management service 120 can further cause policies to be implemented on the IoT device 113. Policies can include, for example, restrictions or permissions pertaining to capabilities of an IoT device. Chamarajnager, para [0042]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Huh in view of Chamarajnager. One would be motivated to do so, to identify the available resource scopes. (Chamarajnager, para [0002]).

As per claim 3, Huh and Chamarajnager teach the system defined by claim 2 wherein said token module includes a set of available resource scopes available on said one machine (authorize an access of the user to the service when information associated with the access token matches the access control list. Huh, para [0021]) (The user service list database 530 may store right information of a user associated with a service subscribed to by the user and security policy information associated with the service. Huh, para [0092])  

As per claim 11, Huh and Chamarajnager teach the system defined by claim 1 wherein the administration module receives from an administrator a request to modify an existing machine policy by adding a new scope access definition to the machine policy to add resources available through the machine policy and define additional scope restrictions for machines affected by the machine policy (The user service list database 530 may periodically update the right information and the security policy information. In response to a request for a new service from the user, the user service list database 530 may update the right information and the security policy information associated with the service subscribed to by the user. Huh, para [0020] [0093]), 
the administration module passing the machine policy modifications to the enrollment and policy module, the enrollment and policy module determining the machines affected by the machine policy by reading an affected machines list, the enrollment and policy module sending the machine policy modification to corresponding agents on the affected machines list, which corresponding agents store the machine policy modification on a corresponding machine (Each of service providers may manage the right of the user, the service policy, and the role. When information is additionally generated or corrected, each of the service providers may transmit the additionally generated or corrected information to the policy information unit 620. The additionally generated information may include the right of the user, the service policy, and the role. Based on the additionally generated or changed information, the policy information unit 620 may update the right of the user, the service policy, or the role. Huh, para [0102])( When the request for using the other service is received, new right information and security policy information may be updated in an access token of the cloud service server 420 corresponding to the other service. Using the access token with the updated new right information and security policy information, the user may use the other service. Huh, para [0135]), 

As per claim 12, Huh and Chamarajnager teach the system defined by claim 11 wherein the machine policy modification includes adding a new policy or deleting an existing policy (The user service list database 530 may periodically update the right information and the security policy information. In response to a request for a new service from the user, the user service list database 530 may update the right information and the security policy information associated with the service subscribed to by the user. Huh, para [0093]). 

As per claim 13, Huh and Chamarajnager teach the system defined by claim 11 wherein the enrollment and policy module stores the machine policy modification and enforces the machine policy modification (The collaborative service server 410 may include a policy enforcement unit 510. The policy enforcement unit 510 may be a PEP […] The policy enforcement unit 510 may include an access token issuing unit 520 and a user service list database 530. Huh, para [0090]-[0091]).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492