Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the amendment filed 12/09/2022. 
In the amendment, Claims 1-3, 6, 14, 18-22 are amended; claims 1, 15 and 22 are independent claims. Claims 1-22 are pending in this application. THIS ACTION IS MADE FINAL. 

Claim Objections
Claims 12 and 16 are objected to because of the following informalities: 
Regarding claim 12, claim 12 recites the limitation “a workgroup identity spans.” To positively recite active steps of the claimed method, it’s suggested the aforementioned limitation be further amended to “spanning, by a workgroup identity;” (emphasis added).
Regarding claim 16, claim 16 recites the limitation “the software-as-a-service platform supports.” To properly recite embodiments and associated functions of the claimed system, it’s suggested that the aforementioned limitation be further amended to “the software-as-a-service platform configured to support;” (emphasis added). Claim 




Response to Arguments
The claim objections to claims 2-3, 6, 14 and 18-21 are withdrawn. The claim objections to claims 12 and 16 are maintained because claim 12 currently does not recite active steps of the claimed method and claim 16 does not recite embodiments and associated functions of the claimed system. 
The 35 U.S.C. 101 rejection to claim 22 is withdrawn as per amendment filed 12/09/2022. 
Applicant’s arguments in the instant Amendment, filed on 12/09/2022 with respect to the limitations below, have been fully considered but they are not persuasive. 
Applicant argues (pages 10-11) that Bansal’s description of a “derived access token” would not lead one to “the limited temporary derived credentials are based on a policy-based access control definition,” as recited by claim 1. Applicant contends that Bansal is fundamentally different from claim 1 in that it describes “the derived access token has the same privileges/claims as the request access token,” whereas claim 1 recites “the limited temporary derived credentials are based on a policy-based access control definition.” 
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., that the limited temporary derived credentials provide more limited access than the underlying credentials [applicant is arguing that Bansal discloses a derived token having the same privileges/claims as the request access token]) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Further, paragraph [0407] of the specification defines policy-based access control broadly (e.g., based on identity, identity memberships, or the like). 
Bansal discloses derived credentials in the form of a token whose expiration time is defined according to a policy [limited temporary derived credentials]. The policy in Bansal concerns identity management (See Bansal, [0002], [0212], [0213]; also [0189]-[0197]). 

Applicant argues (page 12) that Bansal is different from claim 1 because the motivation in Bansal is to solve problems with a “finite validity time,” and that the motivation in the instant application is different because the credentials are based on a policy-based access control definition; applicant characterizes Bansal’s motivation as having the same set of scopes as an original token. 
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Richardson and Gholami, all of which are analogous art in the field of network security, to include discovering a cloud provider account for an identity accessing the software-as-a-service platform, wherein the limited temporary derived credentials are based on a policy-based access control definition, and the limited temporary derived credentials are limited to rights permitted in the policy-based access control definition. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Applicant argues (page 12) that Bansal also fails to disclose discovering a cloud provider account. 
The Examiner respectfully disagrees with the applicant’s arguments because Bansal discloses discovering a cloud provider account for an identity accessing a software-as-a-service platform (See Bansal, [0002], [0044], [0052] & [0054]; also see [0018], [0189]-[0197], [0024]). 

Applicant argues (pages 14-16) that Bansal fails to explicitly disclose or suggest, in claim 15, “a mapping between identities accessing a software-as-a-service platform and cloud provider accounts” as well as “based on the mapping, discovering a cloud provider account for an identity accessing the software-as-a-service platform.” 

The Examiner respectfully disagrees with the applicant’s arguments because Bansal discloses a mapping between identities accessing a software-as-a-service platform and a cloud system that contains accounts [cloud provider accounts] (see Bansal, [0044], [0054], [0062]-[0063]; also see [0065]-[0067]). Bansal further discloses, based on the mapping, discovering a cloud system that provides an account [cloud provider account] for an identity accessing the SaaS [software-as-a-service platform] (see Bansal, [0044], [0054], [0062]-[0063]; also see [0065]-[0067]). 

Applicant’s arguments (pages 17-18): Gholami’s description of “security policy domain,” would not lead one to “providing the limited temporary derived credentials for use by the identity to access the genomic digital data resources at the cloud provider account according to the policy-based access control,” as recited by claim 22. There is no mention of “providing the limited temporary derived credentials…according to the policy-based access control.” 
The Examiner respectfully disagrees with the applicant’s arguments because Gholami discloses sending a request to a user management module for one-time passwords which are derived from a public ID of the Yubikey token and are valid for the cloud provider account. BiobankCloud stores genomic data and allows for access control on the data (see Gholami, Pages 106-113). The one-time password is provided for use by the user to access genomic data stored in a BiobankCloud account according to policy (see Gholami, Pages 106-113). 

Applicant's arguments (pages 13 and 16-18): Additionally, as to dependent claims 2-14 and 16-21, the Applicant argues that the claims depend directly or indirectly from a respective one of independent claims 1, 15 and 22 and are therefore distinguished from the cited art at least by virtue of, or allowable at least based on, their additionally recited patentable subject matter.
The Examiner respectfully submits that dependent claims 2-14 and 16-21 are rejected at least based on the rationale and response presented to the arguments for their respective base claims, and on the references applied to claims 2-14 and 16-21. 

Therefore, in view of the above reasons, the Examiner maintains the rejection with the cited prior art.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 4-7, 9-11, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114) in view of Richardson et al (“Richardson,” CN111625346, see Google Translation) and further in view of Bansal et al (“Bansal,” US 20180077138). 

Regarding claim 1, Gholami discloses a computer-implemented method comprising:
Gholami discloses sending a request to a credentials management service for limited temporary derived credentials valid for the cloud provider account;  (Gholami, Pages 109-111, Right Column Under Section Access Control describes sending a request to a user management module [credentials management service] for One-Time Passwords which are derived from a public ID of the Yubikey token [limited temporary derived credentials] valid for the cloud provider account; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
receiving the limited temporary derived credentials valid for the cloud provider account, (Gholami, Pages 109-111, Right Column Under Section Access Control; Section B. User Management; Section C. Custom Authentication Realm disclose receiving One-Time Passwords which are derived from the public ID of the Yubikey token [limited temporary derived credentials] valid for the cloud provider; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
and providing the limited temporary derived credentials for use by the identity, (Gholami, Pages 109-111, Right Column Under Section Access Control; Section B. User Management; Section C. Custom Authentication Realm disclose providing the One-Time Passwords which are derived from the public ID of the Yubikey token [limited temporary derived credentials] for use by the identity; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
Gholami fails to explicitly disclose in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control,
However, in an analogous art, Richardson discloses in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control (Richardson, Page 3, Line 55, tenants; Page 8, Lines 3 & , genome sequencing; Page 8, Line 16, SaaS (Software-as-a-service); Page 5, Lines 19-21, enhanced security policies for access). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Richardson with the method/system of Gholami to include in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control. One would have been motivated to provide services to cloud users from a high performance computing environment (Richardson, Page 4, Lines 10-11).  
Gholami and Richardson fail to explicitly disclose discovering a cloud provider account for an identity accessing the software-as-a-service platform, wherein the limited temporary derived credentials are based on a policy-based access control definition, and the limited temporary derived credentials are limited to rights permitted in the policy-based access control definition. 
However, in an analogous art, Bansal discloses discovering a cloud provider account for an identity accessing the software-as-a-service platform, (Bansal, [0044], [0052] & [0054] describe discovering a cloud provider account for an identity accessing the software-as-a-service platform)
wherein the limited temporary derived credentials are based on a policy-based access control definition, (Bansal, [0212], [0213] describe derived credentials in the form of a token whose expiration time is defined according to a policy [limited temporary derived credentials]; also see [0189]-[0197]).
and the limited temporary derived credentials are limited to rights permitted in the policy-based access control definition, (Bansal, [0212], [0213] describe derived credentials in the form of a token whose expiration time is defined according to a policy [limited temporary derived credentials]; also see [0189]-[0197]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include discovering a cloud provider account for an identity accessing the software-as-a-service platform, wherein the limited temporary derived credentials are based on a policy-based access control definition, and the limited temporary derived credentials are limited to rights permitted in the policy-based access control definition. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 
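For reference only, the following Python sketch is an added illustration of the claim 1 limitations as paraphrased above (discovering a cloud provider account for an identity via a mapping, deriving a temporary credential from the account's underlying credential, and limiting both its rights and its lifetime to what the policy-based access control definition permits). It is not code from the application, from this Office Action, or from Bansal, Gholami or Richardson; every identity, account, role, secret and right in it is constructed for the example, and the HMAC-based token format is an assumed stand-in for whatever token the cited references use.

```python
"""Illustrative model of limited temporary derived credentials.
Added example; not code from the application or any cited reference.
All identities, accounts, roles, secrets and rights below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed mapping between identities accessing the SaaS platform and
# cloud provider accounts (the "mapping" of claim 15).
IDENTITY_TO_ACCOUNT = {
    "user:alice@tenant-a": {"account": "acct-a-001", "provider": "provider-x"},
    "app:pipeline@tenant-b": {"account": "acct-b-007", "provider": "provider-y"},
}

# Constructed policy store: policy-based access control definitions keyed by a
# role identifier. Each lists the permitted rights and the longest lifetime allowed.
POLICY_STORE = {
    "role:genomics-reader": {"rights": {"read:genomic-data"}, "max_ttl_s": 900},
    "role:genomics-analyst": {"rights": {"read:genomic-data", "run:analysis"}, "max_ttl_s": 3600},
}

# Constructed role assignment per identity.
IDENTITY_ROLE = {
    "user:alice@tenant-a": "role:genomics-reader",
    "app:pipeline@tenant-b": "role:genomics-analyst",
}

# Constructed long-lived underlying credentials per cloud provider account.
# Only derived tokens leave this module; the underlying secrets never do.
UNDERLYING_CREDENTIALS = {
    "acct-a-001": b"constructed-long-lived-secret-A",
    "acct-b-007": b"constructed-long-lived-secret-B",
}


def discover_account(identity):
    """Discover the cloud provider account for an identity via the mapping."""
    try:
        return IDENTITY_TO_ACCOUNT[identity]
    except KeyError:
        raise LookupError(f"no cloud provider account mapped for {identity!r}")


def derive_limited_credentials(identity, requested_rights, requested_ttl_s, now=None):
    """Return a temporary token for the identity's cloud provider account.

    The token's rights are the intersection of the requested rights and the
    rights permitted by the identity's policy-based access control definition,
    and its lifetime is capped by that definition. The token is derived from
    the account's underlying credential (HMAC keyed with the account secret).
    """
    now = time.time() if now is None else now
    account = discover_account(identity)
    policy = POLICY_STORE[IDENTITY_ROLE[identity]]
    granted = set(requested_rights) & policy["rights"]
    if not granted:
        raise PermissionError(f"{identity!r} requested no right permitted by policy")
    ttl = min(int(requested_ttl_s), policy["max_ttl_s"])
    payload = {
        "sub": identity,
        "acct": account["account"],
        "provider": account["provider"],
        "rights": sorted(granted),
        "exp": int(now) + ttl,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(UNDERLYING_CREDENTIALS[account["account"]], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, account_id, right, now=None):
    """Cloud-provider-side check: valid tag for this account, unexpired, right present."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(UNDERLYING_CREDENTIALS[account_id], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["acct"] != account_id or payload["exp"] <= now:
        return False
    return right in payload["rights"]
```

In this model a request for rights outside the policy (e.g., "delete:genomic-data" by a reader role) is silently narrowed rather than rejected outright, and a requested lifetime longer than the policy's maximum is clamped; both choices are assumptions made for the illustration, not features attributed to the application or the cited references.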

Regarding claim 4, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Bansal further discloses further comprising: receiving policy-based access control configuration information for the plurality of tenants; (Bansal, [0064], [0070], [0101] describes further comprising: receiving policy-based access control configuration information for the plurality of tenants)
wherein the limited temporary derived credentials are limited to rights indicated in the policy-based access control configuration information, (Bansal, [0212], [0213] describe derived credentials in the form of a token whose expiration time is defined according to a policy [limited temporary derived credentials]; also see [0189]-[0197]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include further comprising: receiving policy-based access control configuration information for the plurality of tenants; wherein the limited temporary derived credentials are limited to rights indicated in the policy-based access control configuration information. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 5, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Bansal further discloses further comprising: receiving underlying credentials for the cloud provider account; (Bansal, [0051], [0212], [0213] describes further comprising: receiving underlying request access tokens [credentials] for the cloud provider account; also see [0189]-[0197]).
wherein the limited temporary derived credentials are derived from the underlying credentials, (Bansal, [0189]-[0197] describes wherein the limited temporary derived credentials are derived from the underlying credentials)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include further comprising: receiving underlying credentials for the cloud provider account, wherein the limited temporary derived credentials are derived from the underlying credentials. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 6, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Bansal further discloses further comprising: supporting, by the software-as-a-service platform, limited temporary derived credentials for a plurality of cloud provider types, (Bansal, [0018], [0189]-[0197], [0024] describe wherein: the software-as-a-service platform supports limited temporary derived credentials for a plurality of cloud provider types)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: the software-as-a-service platform supports limited temporary derived credentials for a plurality of cloud provider types. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 7, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 6. 
Bansal further discloses wherein: discovering the cloud provider account comprises discovering a cloud provider type of the cloud provider account, (Bansal, [0018], [0189]-[0197], [0024] describes wherein: the software-as-a-service platform supports limited temporary derived credentials for a plurality of cloud provider types)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: discovering the cloud provider account comprises discovering a cloud provider type of the cloud provider account. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]).  

Regarding claim 9, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Bansal further discloses wherein: the identity is one of a plurality of different identity types supported by the software-as-a-service platform, (Bansal, [0054], [0067], [0140], [0152], describe wherein: the identity is one of a plurality of different identity types supported by the software-as-a-service platform)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: the identity is one of a plurality of different identity types supported by the software-as-a-service platform. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 10, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 9. 
Bansal further discloses wherein: the identity is of type “application.” (Bansal, [0067], [0081], application)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: the identity is of type “application.” One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 11, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 9. 
Bansal further discloses wherein: the identity is of type “workgroup.” (Bansal, [0081], groups)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: the identity is of type “workgroup.” One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 13, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Bansal further discloses wherein: the identity types supported by the software-as-a-service platform comprise: (Bansal, [0054], [0067], [0140], [0152], describe wherein: the identity types supported by the software-as-a-service platform)
application; (Bansal, [0067], [0081], application)
tenant; (Bansal, [0069] and [0121], tenant)
workgroup; and (Bansal, [0081], groups)
user. (Bansal, [0018], [0081], [0020], user)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include wherein: the identity types supported by the software-as-a-service platform comprise: application; tenant; workgroup; and user. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 

Regarding claim 14, Gholami, Richardson and Bansal disclose the method of claim 1. 
Richardson further discloses wherein: the method further comprises storing, by the cloud provider account a genomic digital data resource; (Richardson, Page 8, Lines 1-5 describe wherein: the cloud provider account stores a genomic digital data resource)
access to the genomic digital data resource is controlled by a role identifier linked to a policy-based access control definition; (Richardson, Page 8, Line 3, genome sequencing; Page 4, Line 15 describes a role identifier; Page 5, Lines 19-21, enhanced security policies for access)
and the method further comprises: responsive to a request for access to the genomic digital data resource, providing the role identifier specified in the policy-based access control definition for the request for access, (Richardson, Page 8, Line 3, genome sequencing; Page 4, Lines 13-15 describe a request for access and a role identifier; Page 5, Lines 19-21, enhanced security policies for access)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Richardson with the method/system of Gholami to include wherein: the method further comprises storing, by the cloud provider account, a genomic digital data resource; access to the genomic digital data resource is controlled by a role identifier linked to a policy-based access control definition; and the method further comprises: responsive to a request for access to the genomic digital data resource, providing the role identifier specified in the policy-based access control definition for the request for access. One would have been motivated to provide services to cloud users from a high-performance computing environment (Richardson, Page 4, Lines 10-11).  

Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114), Richardson et al (“Richardson,” CN111625346, see Google Translation) in view of Bansal et al (“Bansal,” US 20180077138) and further in view of Hasan et al (“Hasan,” US 20150372857).

Regarding claim 2, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Gholami, Richardson and Bansal fail to explicitly disclose further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant.
However, in an analogous art, Hasan discloses further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant, (Hasan, [0011], [0027], [0009] describes and the software-as-a-service platform supports multiple different cloud provider accounts per tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hasan with the method/system of Gholami, Richardson and Bansal to include further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant. One would have been motivated to provide an extension of a single tenant cloud across multiple cloud providers (Hasan, [0002]).

Regarding claim 3, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 1. 
Gholami, Richardson and Bansal fail to explicitly disclose further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant.
However, in an analogous art, Hasan discloses further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant, (Hasan, [0011], [0027], [0009] describes and the software-as-a-service platform supports multiple different cloud provider accounts per tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hasan with the method/system of Gholami, Richardson and Bansal to include further comprising: supporting, by the software-as-a-service platform, multiple different cloud provider accounts per a single tenant. One would have been motivated to provide an extension of a single tenant cloud across multiple cloud providers (Hasan, [0002]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114), Richardson et al (“Richardson,” CN111625346, see Google Translation) in view of Bansal et al (“Bansal,” US 20180077138) and further in view of Yu et al (“Yu,” US 20210092105). 

Regarding claim 8, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 7. 
Gholami, Richardson and Bansal fail to explicitly disclose wherein: the credentials management service is external to the software-as-a-service platform.
However, in an analogous art, Yu discloses wherein: the credentials management service is external to the software-as-a-service platform (Yu, [0033]-[0034]; elements 202 and 208 of FIG. 2 show the credential manager as part of the server rather than the SaaS platform)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yu with the method/system of Gholami, Richardson and Bansal to include wherein: the credentials management service is external to the software-as-a-service platform. One would have been motivated to provide credential control among a plurality of client devices (Yu, [0001]). 

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114), Richardson et al (“Richardson,” CN111625346, see Google Translation) in view of Bansal et al (“Bansal,” US 20180077138) and further in view of Harar et al (“Harar,” US 20210224194).

Regarding claim 12, Gholami, Richardson and Bansal disclose the computer-implemented method of claim 11. 
Gholami, Richardson and Bansal fail to explicitly disclose wherein: a workgroup identity spans a plurality of the tenants of the software-as-a-service platform.
However, in an analogous art, Harar discloses wherein: a workgroup identity spans a plurality of the tenants of the software-as-a-service platform, (Harar, [0074], [0027], [0151], describe wherein: a workgroup identity spans a plurality of tenants of the software-as-a-service platform)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Harar with the method/system of Gholami, Richardson and Bansal to include wherein: a workgroup identity spans a plurality of the tenants of the software-as-a-service platform. One would have been motivated to provide improved efficiency during computations in a distributed computing system (Harar, [0004]).

Claims 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal et al (“Bansal,” US 20180077138) and further in view of Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114). 

Regarding claim 15, Bansal discloses a multi-tenant, cloud-based system comprising:
one or more processors; (Bansal, [0184], processor)
memory coupled to the one or more processors; (Bansal, [0184] describes memory coupled to the one or more processors)
a mapping between identities accessing a software-as-a-service platform and cloud provider accounts; (Bansal, [0044], [0054], [0062]-[0063] describes a mapping between identities accessing a software-as-a-service platform and cloud provider accounts; also see [0065]-[0067])
a policy store comprising policy-based access control definitions; (Bansal, [0066], [0096], [0106], [0109]-[0110], [0162], describes a policy store comprising policy-based access control definitions). 
wherein the memory comprises computer-executable instructions causing the one or more processors to perform operations comprising: (Bansal, [0184] describes memory coupled to the one or more processors)
based on the mapping, discovering a cloud provider account for an identity accessing the software-as-a-service platform; (Bansal, [0044], [0054], [0062]-[0063] describes discovering a cloud provider account for an identity accessing the software-as-a-service platform; also see [0065]-[0067])
Bansal fails to explicitly disclose a genomic digital data resource linked to a role identifier and stored at a given cloud provider account external to the software-as-a-service platform; sending a request to a credentials management service for limited temporary derived credentials valid for the cloud provider account; receiving the limited temporary derived credentials valid for the cloud provider account; and providing the limited temporary derived credentials for use by the identity to access the genomic digital data resource. 
However, in an analogous art, Gholami discloses a genomic digital data resource linked to a role identifier and stored at a given cloud provider account external to the software-as-a-service platform; (Gholami, Page 109, Section IV. BioBankCloud Security Framework; FIG 4, Page 111, Under Section Authorization and Table 1 describes a genomic digital data resource linked to a role identifier and stored at a given cloud provider account external to the software-as-a-service platform; also see pages 106-113)
sending a request to a credentials management service for limited temporary derived credentials valid for the cloud provider account; (Gholami, Pages 109-111, Right Column Under Section Access Control describes sending a request to a user management module [credentials management service] for One-Time Passwords which are derived from a public ID of the Yubikey token [limited temporary derived credentials] valid for the cloud provider account; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
receiving the limited temporary derived credentials valid for the cloud provider account; and (Gholami, Pages 109-111, Right Column Under Section Access Control; Section B. User Management; Section C. Custom Authentication Realm disclose receiving One-Time Passwords which are derived from the public ID of the Yubikey token [limited temporary derived credentials] valid for the cloud provider; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
providing the credentials for use by the identity to access the genomic digital data resource (Gholami, Pages 109-111, Right Column Under Section Access Control; Section B. User Management; Section C. Custom Authentication Realm disclose providing the One-Time Passwords which are derived from the public ID of the Yubikey token [limited temporary derived credentials] for use by the identity; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gholami with the method/system of Bansal to include a genomic digital data resource linked to a role identifier and stored at a given cloud provider account external to the software-as-a-service platform; sending a request to a credentials management service for limited temporary derived credentials valid for the cloud provider account; receiving the limited temporary derived credentials valid for the cloud provider account; and providing the limited temporary derived credentials for use by the identity to access the genomic digital data resource. One would have been motivated to provide a security framework for genomics analysis (Gholami, Page 106, Introduction). 

Regarding claim 17, Bansal and Gholami disclose the system of claim 15. 
Bansal further discloses evaluated at a time of a request for access (Bansal, [0200], [0019], [0034] and [0087] describe evaluated at a time of request for access)
Gholami further discloses wherein the memory further comprises computer-executable instructions causing the one or more processors to perform operations comprising: granting access to the genomic digital data resource according to a policy-based access control definition, (Gholami, Pages 109-111, Right Column Under Section Access Control describes using an OTP (one-time password) to grant access to genomic data stored in BioBankCloud; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gholami with the method/system of Bansal to include wherein the memory further comprises computer-executable instructions causing the one or more processors to perform operations comprising: granting access to the genomic digital data resource according to a policy-based access control definition. One would have been motivated to provide a security framework for genomics analysis (Gholami, Page 106, Introduction). 

Regarding claim 18, Bansal and Gholami disclose the system of claim 15. 
Bansal further discloses wherein: the identity is one of a plurality of different identity types supported by the software-as-a-service platform, (Bansal, [0054], [0067], [0140], [0152], describe wherein: the identity is one of a plurality of different identity types supported by the software-as-a-service platform)

Regarding claim 19, Bansal and Gholami disclose the system of claim 15. 
Bansal further discloses wherein: the identity is of type “application,” (Bansal, [0067], [0081], application)

Regarding claim 20, Bansal and Gholami disclose the system of claim 15. 
Bansal further discloses wherein: the identity is of type “workgroup,” (Bansal, [0081], groups)

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Bansal et al (“Bansal,” US 20180077138), in view of Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114) and further in view of Hasan et al (“Hasan,” US 20150372857).

Regarding claim 16, Bansal and Gholami disclose the system of claim 15. 
Bansal and Gholami fail to explicitly disclose wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; and the software-as-a-service platform supports multiple different cloud provider accounts per tenant.
However, in an analogous art, Hasan discloses wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; (Hasan, [0011], [0027], [0009] describes wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant)
and the software-as-a-service platform supports multiple different cloud provider accounts per tenant, (Hasan, [0011], [0027], [0009] describes and the software-as-a-service platform supports multiple different cloud provider accounts per tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hasan with the method/system of Bansal and Gholami to include wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; and the software-as-a-service platform supports multiple different cloud provider accounts per tenant. One would have been motivated to provide an extension of a single tenant cloud across multiple cloud providers (Hasan, [0002]).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Bansal et al (“Bansal,” US 20180077138), Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114) and further in view of Harar et al (“Harar,” US 20210224194). 

Regarding claim 21, Bansal and Gholami disclose the system of claim 20. 
Bansal and Gholami fail to explicitly disclose wherein: a workgroup identity spans a plurality of tenants of the software-as-a-service platform.
However, in an analogous art, Harar discloses wherein: a workgroup identity spans a plurality of tenants of the software-as-a-service platform, (Harar, [0074], [0027], [0151], describes wherein: a workgroup identity spans a plurality of tenants of the software-as-a-service platform)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Harar with the method/system of Bansal and Gholami to include wherein: a workgroup identity spans a plurality of tenants of the software-as-a-service platform. One would have been motivated to provide improved efficiency during computations in a distributed computing system (Harar, [0004]). 

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Gholami et al (“Gholami,” “A Security Framework for Population-Scale Genomics Analysis,” 2015, IEEE, Pages 106-114), Richardson et al (“Richardson,” CN111625346, see Google Translation) in view of Bansal et al (“Bansal,” US 20180077138) and further in view of Hasan et al (“Hasan,” US 20150372857). 

Regarding claim 22, Gholami discloses one or more non-transitory computer-readable storage media comprising:
Gholami discloses sending a request to a credentials management service for limited temporary derived credentials valid for the cloud provider account; (Gholami, Pages 109-111, Right Column Under Section Access Control describes sending a request to a user management module [credentials management service] for One-Time Passwords which are derived from a public ID of the Yubikey token [limited temporary derived credentials] valid for the cloud provider account; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
receiving the limited temporary derived credentials valid for the cloud provider account; (Gholami, Pages 109-111, Right Column Under Section Access Control describes receiving an OTP (One-Time Password) which is derived from the public key of the Yubikey token valid for the BioBankCloud; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
providing the limited temporary derived credentials for use by the identity to access the genomic digital data resources at the cloud provider account according to the policy-based access control; (Gholami, Pages 109-111, Right Column Under Section Access Control describes providing the OTP (one-time password) for use by the user to access the genomic data stored in a BioBankCloud account according to policy; Page 106-107 describe BiobankCloud which stores genomic data and allows for access control on the data; also see pages 106-113)
Gholami fails to explicitly disclose computer-executable instructions capable of causing a computing system to perform the following in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control. 
However, in an analogous art, Richardson discloses computer-executable instructions capable of causing a computing system to perform the following in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control, (Richardson, Page 3, Line 55, tenants; Page 8, Lines 3 & , genome sequencing; Page 8, Line 16, SaaS (Software-as-a-service); Page 5, Lines 19-21, enhanced security policies for access).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Richardson with the method/system of Gholami to include in a computing system supporting a plurality of tenants accessing genomic computing services in a software-as-a-service platform that orchestrates access to genomic digital data resources via policy-based access control. One would have been motivated to provide services to cloud users from a high performance computing environment (Richardson, Page 4, Lines 10-11).  
Gholami and Richardson fail to explicitly disclose discovering a cloud provider account for an identity accessing the software-as-a-service platform. 
However, in an analogous art, Bansal discloses discovering a cloud provider account for an identity accessing the software-as-a-service platform, (Bansal, [0044], [0052], [0054] describe discovering a cloud provider account for an identity accessing the software-as-a-service platform)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal with the method/system of Gholami and Richardson to include discovering a cloud provider account for an identity accessing the software-as-a-service platform. One would have been motivated to provide identity management in a cloud system (Bansal, [0002]). 
Gholami, Richardson and Bansal fail to explicitly disclose wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; and the software-as-a-service platform supports multiple different cloud provider accounts per tenant. 
However, in an analogous art, Hasan discloses wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; (Hasan, [0011], [0027], [0009] describes wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant)
and the software-as-a-service platform supports multiple different cloud provider accounts per tenant (Hasan, [0011], [0027], [0009] describes and the software-as-a-service platform supports multiple different cloud provider accounts per tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hasan with the method/system of Gholami, Richardson and Bansal to include wherein: the software-as-a-service platform supports multiple different cloud provider account types per tenant; and the software-as-a-service platform supports multiple different cloud provider accounts per tenant. One would have been motivated to provide an extension of a single tenant cloud across multiple cloud providers (Hasan, [0002]). 
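The sequence these limitations recite (discovering the cloud provider account from a mapping, requesting limited temporary derived credentials from a credentials management service, and using them to reach a genomic data resource linked to a role identifier under a policy-based access control definition evaluated at request time), modelled as an added example that is not part of this Office Action and is not code from any cited reference; the tenants, identities, account identifiers, roles, resource names and the HMAC-based token scheme are all constructed assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
# Constructed sample data (hypothetical; not taken from any cited reference).
# Mapping used to discover cloud provider accounts: (tenant, identity) -> accounts,
# several provider types per tenant.
ACCOUNT_MAP = {
    ("tenant-a", "svc-pipeline"): {("aws", "111111111111"), ("gcp", "proj-genomics")},
    ("tenant-b", "svc-pipeline"): {("azure", "sub-2b2b")},
}
# Policy-based access control definition: (tenant, role_id) -> permitted actions.
POLICY = {("tenant-a", "role-reader"): {"read"}, ("tenant-a", "role-curator"): {"read", "write"}}
# Genomic data resources, each linked to a role identifier and stored at a provider account.
RESOURCES = {"cohort-42.vcf": (("aws", "111111111111"), "role-reader")}
@dataclass(frozen=True)
class DerivedCredential:
    tenant: str
    identity: str
    account: tuple        # (provider, account id) the credential is valid for
    actions: frozenset    # the limited scope derived from policy
    expires_at: float     # temporary: rejected after this time
    token: str            # MAC over scope and expiry; only the issuing service can verify it

def discover_accounts(tenant, identity):
    return ACCOUNT_MAP.get((tenant, identity), set())

class CredentialsService:
    def __init__(self, ttl_seconds=900):
        self._key = secrets.token_bytes(32)  # hypothetical per-service signing key
        self.ttl = ttl_seconds
    def _mac(self, scope):
        return hmac.new(self._key, "|".join(map(str, scope)).encode(), hashlib.sha256).hexdigest()
    def issue(self, tenant, identity, role_id, account, now=None):
        now = time.time() if now is None else now
        if account not in discover_accounts(tenant, identity):
            raise PermissionError("identity has no such cloud provider account")
        actions = POLICY.get((tenant, role_id))  # policy evaluated at the time of the request
        if not actions:
            raise PermissionError("policy grants this role nothing in this tenant")
        exp = now + self.ttl
        scope = (tenant, identity, account, sorted(actions), exp)
        return DerivedCredential(tenant, identity, account, frozenset(actions), exp, self._mac(scope))
    def authorize(self, cred, resource, action, now=None):
        # Genuine, unexpired, bound to the resource's account, within the credential's
        # scope, and permitted by the policy of the role the resource is linked to.
        now = time.time() if now is None else now
        account, role_id = RESOURCES[resource]
        scope = (cred.tenant, cred.identity, cred.account, sorted(cred.actions), cred.expires_at)
        return (hmac.compare_digest(cred.token, self._mac(scope)) and now < cred.expires_at
                and cred.account == account and action in cred.actions
                and action in POLICY.get((cred.tenant, role_id), set()))
```

A forged credential with a widened action set fails the MAC check, and an expired one is refused even though its scope is otherwise valid.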

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAMES J WILCOX/Examiner, Art Unit 2439            

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439