Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the application 16/952,987 filed on 11/19/2020.
Claims 1-20 are currently pending; claims 1, 11 and 19 are independent claims. Claims 1-20 have been examined.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-22 of copending Application No. 16/953,014. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1-20 of the instant application are encompassed by limitations recited in claims 1-22 of copending Application No. 16/953,014 (see table below).    
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

The table below compares the claims of the instant Patent Application No. 16/952,987 (left column) with the claims of copending Patent Application Serial No. 16/953,014 (right column); each claim is labeled with its application.

Instant Application No. 16/952,987, claim 1:

1. In a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising: 

generating a next generation access control (NGAC) graph having a bifurcated structure with a user section and an object section; 

modeling users as user elements in the user section of the NGAC graph; 

modeling resources as object elements in the object section of the NGAC graph; 

configuring multiple policy classes utilizing a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph, the composable policy class structure comprising: 

a policy class as enforceable access criteria by which the users are allowed or denied access to the resources; 

an exclusion default object node of the policy class instantiated in the object section of the NGAC graph; 

an exclusion default user node of the policy class instantiated in the user section of the NGAC graph; and 

an association that indicates the exclusion default object node granting all policy permissions of the policy class to the exclusion default user node.  



Copending Application No. 16/953,014, claim 1:

1. In a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising: 

generating a next generation access control (NGAC) graph configured with multiple policy classes as enforceable access criteria by which users are allowed or denied access to resources, the NGAC graph having a bifurcated structure with a user section that includes the users modeled as user elements and an object section that includes the resources modeled as object elements; 

modeling policy binding nodes as user attributes in the user section of the NGAC graph, the policy binding nodes modeled for each of the multiple policy classes and each of the policy binding nodes assigned to a corresponding one of the multiple policy classes; 

assigning a user element as a member of a policy binding node, the user element being contained by the corresponding policy class, and the policy binding node delineating at least one policy permission on an object element and granting the policy permission on the object element to the user element; and 

evaluating the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element based in part on a singular traversal path through the NGAC graph between the user element and the object element via the policy binding node.  


Instant Application No. 16/952,987, claim 11:

11. In a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising: 

executing an instantiation of a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; 

receiving a request for a user element to access an object element of a resource in conformance with a granted access permission implemented in the NGAC graph; 

computing an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and 

returning, in response to the request, the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.  





Copending Application No. 16/953,014, claim 10:

10. In a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising: 

executing an instantiation of a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; 

modeling policy binding nodes as user attributes in the NGAC graph, the policy binding nodes modeled for each of the multiple policy classes and each of the policy binding nodes assigned to a corresponding one of the multiple policy classes, and the policy binding nodes delineating at least one policy permission on an object element for the user elements that are assigned as members of one or more of the policy binding nodes; 

receiving a request to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user elements, the object elements, or granted policy permissions of the multiple policy classes; and 

returning, in response to the request, the determined graph analysis information determined utilizing the graph evaluation procedure.  

Instant Application No. 16/952,987, claim 19:

19. A computing device implemented for graph-based access control in a digital medium environment, the computing device comprising: 

a memory to maintain a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; 

a policy decision module implemented at least partially in computer hardware to: 

receive a request to access an object element of a resource in conformance with an access permission granted to a user element implemented in the NGAC graph; 

compute an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and 

initiate a response to the request as the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.  

Copending Application No. 16/953,014, claim 15:

15. A computing device implemented for graph-based access control in a digital medium environment, the computing device comprising: 

a memory to maintain a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes; 

a graph module implemented at least partially in computer hardware to model policy binding nodes as user attributes in the NGAC graph, the policy binding nodes modeled for each of the multiple policy classes and each of the policy binding nodes assigned to a corresponding one of the multiple policy classes, one or more of the policy binding nodes delineating at least one policy permission on an object element, and 

a user element assigned as a member of one of the policy binding nodes is contained by the corresponding policy class and the policy binding node grants the policy permission on the object element to the user element; and 

a policy decision module implemented at least partially in the computer hardware to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element.  
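The claimed structure compared in the table above, as an added Python illustration that is not code from the application or from any cited reference: a bifurcated NGAC graph, the repeatable policy class structure of instant claim 1 (policy class node, exclusion default user node, exclusion default object node, and an association granting all policy permissions), and the access control decision of instant claim 11 computed across multiple policy classes. The element names, the two-operation permission set, and the decision rule that every policy class containing the object must grant the operation (the standard NGAC rule) are assumptions made for this example.

```python
"""Added illustration of the claimed NGAC structure (constructed example, not
the application's or any cited reference's code). Decision semantics follow
the standard NGAC rule, assumed here: an operation is allowed only if it is
granted under every policy class that contains the object."""
from collections import defaultdict

ALL_OPS = frozenset({"read", "write"})  # constructed operation set


class NGACGraph:
    def __init__(self):
        self.users = set()             # user section: user elements
        self.objects = set()           # object section: object elements
        self.policy_classes = set()
        # containment (assignment): child node -> set of parent nodes
        self.parents = defaultdict(set)
        # associations: user attribute -> {object attribute: operations}
        self.assoc = defaultdict(dict)

    def add_user(self, name):
        self.users.add(name)

    def add_object(self, name):
        self.objects.add(name)

    def assign(self, child, parent):
        self.parents[child].add(parent)

    def add_policy_class(self, pc):
        """Composable policy class structure, repeated for each policy class:
        the PC node, an exclusion default user node (user section), an
        exclusion default object node (object section), and the association
        granting all policy permissions of the PC from the default object node
        to the default user node. Returns the two default nodes."""
        self.policy_classes.add(pc)
        ua, oa = f"{pc}/default-users", f"{pc}/default-objects"
        self.assign(ua, pc)
        self.assign(oa, pc)
        self.assoc[ua][oa] = set(ALL_OPS)
        return ua, oa

    def ancestors(self, node):
        """Transitive closure of containment, including the node itself."""
        seen, stack = {node}, [node]
        while stack:
            for parent in self.parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def decide(self, user, op, obj):
        """Access control decision computed across multiple policy classes."""
        if user not in self.users or obj not in self.objects:
            return False
        user_attrs = self.ancestors(user)
        obj_attrs = self.ancestors(obj)
        covering = obj_attrs & self.policy_classes
        if not covering:
            return False  # object under no policy class: nothing grants access
        for pc in covering:
            granted = any(
                op in ops and pc in self.ancestors(oa)
                for ua in user_attrs
                for oa, ops in self.assoc.get(ua, {}).items()
                if oa in obj_attrs
            )
            if not granted:
                return False  # one policy class withholds the op: deny
        return True


def build_example():
    """Constructed sample graph: two policy classes over patient records."""
    g = NGACGraph()
    for u in ("alice", "bob", "carol"):
        g.add_user(u)
    for o in ("record1", "note1"):
        g.add_object(o)
    clin_ua, clin_oa = g.add_policy_class("clinical")
    priv_ua, priv_oa = g.add_policy_class("privacy")
    # record1 is governed by both policy classes; note1 only by 'clinical'
    g.assign("record1", clin_oa)
    g.assign("record1", priv_oa)
    g.assign("note1", clin_oa)
    g.assign("alice", clin_ua)   # alice is a member of both default nodes
    g.assign("alice", priv_ua)
    g.assign("bob", clin_ua)     # bob only under 'clinical'
    # carol is assigned to neither default user node: excluded from both
    return g


if __name__ == "__main__":
    g = build_example()
    for user, obj in (("alice", "record1"), ("bob", "record1"),
                      ("bob", "note1"), ("carol", "record1")):
        print(user, obj, "read ->", "allow" if g.decide(user, "read", obj) else "deny")
```

Bob's read of record1 is denied even though the clinical policy class grants it, because the privacy policy class that also contains record1 does not.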




Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-18 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.
Regarding claim 1, claim 1 is directed to the abstract idea of organizing human activity by setting up steps to get approval based on a form, without significantly more, by reciting the limitations of generating a next generation access control graph, modeling users as user elements, modeling resources as object elements, and configuring multiple policy classes. The aforementioned steps are “mental processes” because, as broadly interpreted, said steps could be performed in the human mind and/or with pen and paper. Therefore, the claim recites an abstract idea. 
The claim does not recite any additional steps that could be considered as ‘applying the abstract idea into a practical application.’ It’s noted that the claim recites the steps of ‘instantiate each of the multiple policy classes in the NGAC graph.’ However, the aforementioned steps also could be considered as ‘mental processes.’ Therefore, the claim fails to integrate the abstract idea into a practical application. 
Also, the claim does not recite any additional elements that could be considered as significantly more. It’s noted that the claims recite additional elements (i.e., allowed or denied access, granting all policy permissions). However, said additional elements are recited at a high level of generality (i.e., allowed, denied, instantiated, granting, etc.) such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application nor significantly more. 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic graph implementation as evidenced by Naono (US20050267663). Naono (US20050267663) discloses, in paragraph 0221, “Even if the parameters can be adjusted, a balance satisfying the user’s policy cannot be acquired because a plurality of control nodes determine internal parameters individually as described in the aforementioned conventional examples.” Generic computer components (“automatically”) recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a generic computerized system. Therefore, the claim is directed to non-statutory subject matter.
Therefore, claim 1 is directed to non-statutory subject matter.
Regarding claims 2-10, these claims inherit the deficiencies from the parent claim 1.
Regarding claims 11-18, these claims are rejected for similar reasons for the rejection of claims 1-10.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019.
Regarding claim 11, Basnet discloses in a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising (Basnet, page 134, right column, line 13, methodology);
executing an instantiation of a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph (Basnet, page 132, right column, lines 8-13, policy machine PM and next generation access control NGAC are used interchangeably, line 49, implement NGAC framework, page 133, left column, line 3, NGAC graph, lines 13-16, NGAC constructs, basic policy elements, relationships,  lines 18-23 and 32-36, users, objects, policy classes);
receiving a request for a user element to access an object element of a resource in conformance with a granted access permission implemented in the NGAC graph (Basnet, page 134, FIG. 3, request “Can I access X’s calorie data?” “What privileges to I have?”).
Basnet discloses NGAC graph, users, objects, policy classes, but does not explicitly disclose computing an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and returning, in response to the request, the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.  
However, in an analogous art, Saxena discloses computing an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource (Saxena, paragraph 0070, classes of objects, classes of actors, access control policies, determining);
returning, in response to the request, the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph (Saxena, paragraph 0071, conditions and entity attributes for granting access or denying access, paragraph 0177, policy grants permissions, policy denies access).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxena with the computing device/ method of Basnet to include computing an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and returning, in response to the request, the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.
One would have been motivated to provide benefits for determining derived access control policies corresponding to an entity cluster (810). (Saxena, paragraphs 0277 and 0278).
Regarding claim 19, Basnet discloses a computing device implemented for graph-based access control in a digital medium environment, the computing device comprising (Basnet, 1st page, last two lines, computer): 
a memory to (Basnet, page 132, right column, lines 39-43, in-memory representation of the graph);
maintain a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph (Basnet, page 132, right column, lines 8-13, policy machine PM and next generation access control NGAC are used interchangeably, line 49, implement NGAC framework, page 133, left column, line 3, NGAC graph, lines 13-16, NGAC constructs, basic policy elements, relationships,  lines 18-23 and 32-36, users, objects, policy classes);
a policy decision module implemented at least partially in computer hardware to (Basnet, page 132, left column, line 53, policy machine);
receive a request to access an object element of a resource in conformance with an access permission granted to a user element implemented in the NGAC graph (Basnet, page 134, FIG. 3, request “Can I access X’s calorie data?” “What privileges to I have?”).
Basnet discloses NGAC graph, users, objects, policy classes, but does not explicitly disclose compute an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and initiate a response to the request as the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.  
However, in an analogous art, Saxena discloses compute an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource (Saxena, paragraph 0070, classes of objects, classes of actors, access control policies);
initiate a response to the request as the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph (Saxena, paragraph 0071, conditions and entity attributes for granting access or denying access, paragraph 0177, policy grants permissions, policy denies access).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxena with the computing device/ method of Basnet to include compute an access control decision across the multiple policy classes utilizing the NGAC graph as a basis to evaluate whether the user element is authorized to access the object element of the resource; and initiate a response to the request as the access control decision that indicates to allow or deny the user element access to the object element of the resource based on the evaluation utilizing the NGAC graph.
One would have been motivated to provide benefits for determining derived access control policies corresponding to an entity cluster (810). (Saxena, paragraphs 0277 and 0278).
Claims 1-4, 8, 12-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and Li (CN105095777), published November 25, 2015.
Regarding claim 1, Basnet discloses in a digital medium environment for graph-based access control, a method implemented by at least one computing device, the method comprising (Basnet, page 134, right column, line 13, methodology);
generating a next generation access control (NGAC) graph having a bifurcated structure with a user section and an object section (Basnet, page 132, right column, lines 8-13, policy machine PM and next generation access control NGAC are used interchangeably, line 49, implement NGAC framework, page 133, left column, line 3, NGAC graph, lines 13-16, NGAC constructs, basic policy elements, relationships,  lines 18-23 and 32-36, users, objects, policy classes)
Basnet discloses NGAC graph, users, objects, policy classes, but does not explicitly disclose modeling users as user elements in the user section of the NGAC graph; modeling resources as object elements in the object section of the NGAC graph; configuring multiple policy classes utilizing a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; a policy class as enforceable access criteria by which the users are allowed or denied access to the resources; an association that indicates the exclusion default object node granting all policy permissions of the policy class to the exclusion default user node.  
However, in an analogous art, Saxena discloses modeling users as user elements in the user section of the NGAC graph (Saxena, paragraph 0146, model graph includes user; paragraph 0146, model graph created, bifurcated encompasses user path to specified object);
modeling resources as object elements in the object section of the NGAC graph (Saxena, paragraph 0146, model graph includes object); 
configuring multiple policy classes utilizing a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph (Saxena, paragraph 0070, classes of objects, classes of users, paragraph 0146, set of policies, user, object),
a policy class as enforceable access criteria by which the users are allowed or denied access to the resources (Saxena, paragraph 0070, classes of objects, classes of actors, access control policies, paragraph 0071 access control policies, denying access, granting access);
an association that indicates the exclusion default object node granting all policy permissions of the policy class to the exclusion default user node (Saxena, paragraph 0146, node, association encompasses determination whether user has access, object, user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saxena with the computing device/ method of Basnet to include modeling users as user elements in the user section of the NGAC graph; modeling resources as object elements in the object section of the NGAC graph; configuring multiple policy classes utilizing a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; a policy class as enforceable access criteria by which the users are allowed or denied access to the resources; an association that indicates the exclusion default object node granting all policy permissions of the policy class to the exclusion default user node.
One would have been motivated to provide benefits for determining derived access control policies corresponding to an entity cluster (810). (Saxena, paragraphs 0277 and 0278).
Basnet and Saxena disclose NGAC graph, object, policy class, and user, but do not explicitly disclose the composable policy class structure comprising: an exclusion default object node of the policy class instantiated in the object section of the NGAC graph; an exclusion default user node of the policy class instantiated in the user section of the NGAC graph.
However, in an analogous art, Li discloses the composable policy class structure comprising (Li, 4th page, line 23, implementation, 4th page, lines 39-40, attribute is character description of user);
an exclusion default object node of the policy class instantiated in the object section of the NGAC graph (Li, 2nd page, lines 29-30, 6th page, lines 25-26, exclusion default object node encompasses blacklist, object);
an exclusion default user node of the policy class instantiated in the user section of the NGAC graph (Li, 3rd page, lines 4-5, 7th page, lines 29-30, user, blacklist, access control policy).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li with the computing device/ method of Basnet and Saxena to include modeling users as user elements in the user section of the NGAC graph; modeling resources as object elements in the object section of the NGAC graph; configuring multiple policy classes utilizing a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the NGAC graph; a policy class as enforceable access criteria by which the users are allowed or denied access to the resources; an association that indicates the exclusion default object node granting all policy permissions of the policy class to the exclusion default user node.
One would have been motivated to provide the benefits of a multi-mode access control policy setting and execution method under a cloud environment, which solves the problem of user permissions or attribute values changing frequently (Li, 2nd page, lines 20-24).
Regarding claim 2, Basnet, Saxena, and Li disclose the method as recited in claim 1 and NGAC graph, users, objects, policy classes.  Basnet discloses wherein the association indicates that the object elements contained as members of the exclusion default object node grant all of the policy permissions to the user elements that are members of the exclusion default user node (Basnet, page 135, left column, lines 23-28, “Patients are allowed to possess read and write privileges over their records, since the institute does not consider knowledge of these features to be in any way a detrimental to the patient, and also believes that incorrect alteration of this data by the patient would not result in any significant harm.”).
Regarding claim 3, Basnet, Saxena, and Li disclose the method as recited in claim 2 and NGAC graph, users, objects, policy classes.   Basnet discloses wherein the policy permissions granted by the object elements allow the users to perform operations on contents of the object elements that represent the resources (Basnet, page 135, left column, lines 23-28, “Patients are allowed to possess read and write privileges over their records, since the institute does not consider knowledge of these features to be in any way a detrimental to the patient, and also believes that incorrect alteration of this data by the patient would not result in any significant harm.”).
Regarding claim 4, Basnet, Saxena, and Li disclose the method as recited in claim 1 and NGAC graph, users, objects, policy classes. Li discloses wherein: one or more of the user elements that represent the users in the user section of the NGAC graph are each contained as a member of the policy class via the exclusion default user node of the policy class (Li, 3rd page, lines 4-5, 7th page, lines 29-30, user, blacklist, access control policy);
one or more of the object elements that represent the resources in the object section of the NGAC graph are each contained as a member of the policy class via the exclusion default object node of the policy class (Li, 2nd page, lines 29-30, 6th page, lines 25-26, exclusion default object node encompasses blacklist, object). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 8, Basnet, Saxena, and Li disclose the method as recited in claim 1 and NGAC graph, users, objects, policy classes.  Saxena discloses further comprising: modeling a policy node in the user section of the NGAC graph, wherein one or more of the user elements that each represent a respective user in the user section of the NGAC graph are assigned as a member of the policy node (Saxena, paragraph 0145, model access control graph, modeling analysis, policies, nodes).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 12, Basnet and Saxena disclose the method as recited in claim 11.  Saxena discloses wherein the composable policy class structure comprises: a policy class as enforceable access criteria by which the user elements are allowed or denied access to the object elements that represent the resources (Saxena, paragraph 0070, classes of objects, classes of actors, access control policies, paragraph 0071, access control policies, denying access, granting access);
an association that indicates the object elements contained as members of the exclusion default object node grant all policy permissions of the policy class to the user elements that are members of the exclusion default user node (Saxena, paragraph 0146, user, node, object, policies, model graph, specified actor, specified object).
Basnet and Saxena disclose NGAC graph, users, objects, policy classes, but do not explicitly disclose an exclusion default object node of the policy class and an exclusion default user node of the policy class.
However, in an analogous art, Li discloses an exclusion default object node of the policy class (Li, 2nd page, lines 29-30, 6th page, lines 25-26, exclusion default object node encompasses blacklist, object);
an exclusion default user node of the policy class (Li, 3rd page, lines 4-5, 7th page, lines 29-30, user, blacklist, access control policy).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li with the computing device/method of Basnet and Saxena to include an exclusion default object node of the policy class and an exclusion default user node of the policy class.
One would have been motivated to do so in order to provide a multi-mode access control policy setting and execution method under a cloud environment, which solves the problem of user permissions or attribute values changing frequently (Li, 2nd page, lines 20-24).
Regarding claim 13, Basnet, Saxena, and Li disclose the method as recited in claim 12.  Basnet discloses wherein the policy permissions granted by the object elements allow the user elements to perform operations on contents of the object elements that represent the resources (Basnet, page 135, left column, lines 23-28, “Patients are allowed to possess read and write privileges over their records, since the institute does not consider knowledge of these features to be in any way a detrimental to the patient, and also believes that incorrect alteration of this data by the patient would not result in any significant harm.”).
Regarding claim 14, Basnet, Saxena, and Li disclose the method as recited in claim 12.  Li discloses wherein: one or more of the user elements are each contained as a member of the policy class via the exclusion default user node of the policy class (Li, 3rd page, lines 4-5, 7th page, lines 29-30, user, blacklist, access control policy);
one or more of the object elements are each contained as a member of the policy class via the exclusion default object node of the policy class (Li, 2nd page, lines 29-30, 6th page, lines 25-26, exclusion default object node encompasses blacklist, object).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 20, Basnet and Saxena disclose the computing device as recited in claim 19.  Saxena discloses wherein the policy decision module is configured to model the multiple policy classes utilizing the composable policy class structure, which comprises: a policy class as enforceable access criteria by which the user elements are allowed or denied access to the object elements that represent the resources (Saxena, paragraph 0070, classes of objects, classes of actors, access control policies, paragraph 0071, access control policies, denying access, granting access);
an association that indicates the object elements contained as members of the exclusion default object node grant all policy permissions of the policy class to the user elements that are members of the exclusion default user node (Saxena, paragraph 0146, user, node, object, policies, model graph, specified actor, specified object).  The motivation is the same as that of the claim from which this claim depends.
Basnet and Saxena do not explicitly disclose an exclusion default object node of the policy class; an exclusion default user node of the policy class.
However, in an analogous art, Li discloses an exclusion default object node of the policy class (Li, 2nd page, lines 29-30, 6th page, lines 25-26, exclusion default object node encompasses blacklist, object);
an exclusion default user node of the policy class (Li, 3rd page, lines 4-5, 7th page, lines 29-30, user, blacklist, access control policy).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Li with the computing device/method of Basnet and Saxena to include an exclusion default object node of the policy class and an exclusion default user node of the policy class.
One would have been motivated to do so in order to provide a multi-mode access control policy setting and execution method under a cloud environment, which solves the problem of user permissions or attribute values changing frequently (Li, 2nd page, lines 20-24).




Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and Li (CN105095777), published November 25, 2015, and further in view of Xing (US20160036860), PCT filed March 14, 2014.
Regarding claim 5, Basnet, Saxena, and Li disclose the method as recited in claim 1. 
Basnet, Saxena, and Li disclose NGAC graph, users, objects, policy classes, access control policies (e.g. Saxena, paragraph 0070, classes, access control policies).
Basnet, Saxena, and Li do not explicitly disclose the composable policy class structure is repeatable, from which the multiple policy classes are instantiated in the NGAC graph, including different types of policy classes; and the method further comprising computing a single access control decision based on the multiple, different types of policy classes in the NGAC graph.  
However, in an analogous art, Xing discloses wherein: the composable policy class structure is repeatable, from which the multiple policy classes are instantiated in the NGAC graph, including different types of policy classes (Xing, paragraph 0104, 0105, repeated, policies);
the method further comprising computing a single access control decision based on the multiple, different types of policy classes in the NGAC graph (Xing, paragraph 0082, hierarchy policy structure arranged in different classes, paragraph 0052, single point, access control decisions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xing with the computing device/method of Basnet, Saxena, and Li to include a composable policy class structure that is repeatable, from which the multiple policy classes are instantiated in the NGAC graph, including different types of policy classes, and computing a single access control decision based on the multiple, different types of policy classes in the NGAC graph.
One would have been motivated to provide users with the benefits of enabling flexible definition of policies and of amending and/or deleting defined policies in an efficient way (Xing, paragraph 0007).
Regarding claim 6, Basnet, Saxena, Li, and Xing disclose the method as recited in claim 5.  Xing discloses wherein the single access control decision is based on a strict evaluation mode configured as an intersection of the policy permissions granted by the object elements to access the resources for the user elements (Xing, paragraph 0063, decision, evaluation, permitted).  The motivation is the same as that of the claim from which this claim depends.




Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, Li (CN105095777), published November 25, 2015, and Xing (US20160036860), PCT filed March 14, 2014, and further in view of Arnold (US5936860), filed March 28, 1997.
Regarding claim 7, Basnet, Saxena, Li, and Xing disclose the method as recited in claim 5.
Basnet, Saxena, Li, and Xing disclose RBAC (Basnet, page 132, left column, lines 13-39, RBAC), but do not explicitly disclose wherein the multiple, different types of policy classes include at least a location policy class and a role-based access control (RBAC) policy class.
However, in an analogous art, Arnold discloses wherein the multiple, different types of policy classes include at least a location policy class and a role-based access control (RBAC) policy class (Arnold, col. 11, line 60, through col. 12, line 9, location choose policy, class).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Arnold with the computing device/method of Basnet, Saxena, Li, and Xing to include wherein the multiple, different types of policy classes include at least a location policy class and a role-based access control (RBAC) policy class.
One would have been motivated to provide users with the benefits of providing warehouse control functionality and of permitting a framework user to add extensions for specific processing features (Arnold, abstract).
Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and Li (CN105095777), published November 25, 2015, and further in view of Maes (US20170302531), PCT filed September 30, 2014.
Regarding claim 9, Basnet, Saxena, and Li disclose the method as recited in the claim from which claim 9 depends.
Basnet, Saxena, and Li do not explicitly disclose modeling separable policy bindings in the user section of the NGAC graph, each separable policy binding corresponding to one of the multiple policy classes, and wherein a separable policy binding is assigned to the corresponding one of the multiple policy classes.  
However, in an analogous art, Maes discloses further comprising: modeling separable policy bindings in the user section of the NGAC graph, each separable policy binding corresponding to one of the multiple policy classes, and wherein a separable policy binding is assigned to the corresponding one of the multiple policy classes (Maes, paragraph 0113, separating the design, separate pieces, policies, paragraph 0027, graph, paragraph 0171, binding policies, node, user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maes with the computing device/method of Basnet, Saxena, and Li to include modeling separable policy bindings in the user section of the NGAC graph, each separable policy binding corresponding to one of the multiple policy classes, and wherein a separable policy binding is assigned to the corresponding one of the multiple policy classes.
One would have been motivated to provide users with the benefit that discovered or inferred topologies can be prescribed and managed by the system through binding policies (Maes, paragraph 0171).
Regarding claim 10, Basnet, Saxena, Li, and Maes disclose the method as recited in claim 9.  Maes discloses wherein the policy node is assigned to the separable policy bindings in the user section of the NGAC graph (Maes, paragraph 0113, separating the design, separate pieces, policies, paragraph 0027, graph, paragraph 0171, binding policies, node, user).  The motivation is the same as that of the claim from which this claim depends.



Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and further in view of Xing (US20160036860), PCT filed March 14, 2014.
Regarding claim 15, Basnet and Saxena disclose the method as recited in claim 11. 
Basnet and Saxena disclose NGAC graph, users, objects, policy classes, access control policies (e.g. Saxena, paragraph 0070, classes, access control policies).
Basnet and Saxena do not explicitly disclose the access control decision is computed as a single access control decision across different types of the multiple policy classes in the NGAC graph; and the single access control decision is based on a strict evaluation mode configured as an intersection of the policy permissions granted by the object elements to access resources for the user elements.  
However, in an analogous art, Xing discloses wherein: the access control decision is computed as a single access control decision across different types of the multiple policy classes in the NGAC graph (Xing, paragraph 0082, hierarchy policy structure arranged in different classes, paragraph 0052, single point, access control decisions, paragraph 0104, 0105, repeated, policies);
the single access control decision is based on a strict evaluation mode configured as an intersection of the policy permissions granted by the object elements to access resources for the user elements (Xing, paragraph 0063, decision, evaluation, permitted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xing with the computing device/method of Basnet and Saxena to include wherein the access control decision is computed as a single access control decision across different types of the multiple policy classes in the NGAC graph, and the single access control decision is based on a strict evaluation mode configured as an intersection of the policy permissions granted by the object elements to access resources for the user elements.
One would have been motivated to provide users with the benefits of enabling flexible definition of policies and of amending and/or deleting defined policies in an efficient way (Xing, paragraph 0007).
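The limitation at issue in claims 6 and 15, a single access control decision computed across several policy classes of an NGAC graph in a strict evaluation mode, meaning the intersection of the permission sets the individual policy classes grant, can be made concrete with a small evaluator.  The Python below is an added illustration written for this page; it is not code from the application under examination nor from Basnet, Saxena, Li, Xing or any other cited reference.  The policy class, attribute, user and object names are constructed for the example, and the per-policy-class default user node and default object node joined by an all-operations association are adopted here as an assumption about how the claimed composable policy class structure with its exclusion default nodes could be realized, not as a description of the applicant's implementation.

```python
from collections import defaultdict

ALL_OPS = frozenset({"read", "write"})


class NGACGraph:
    """Assignments form a DAG: user -> user attribute -> ... -> policy class and
    object -> object attribute -> ... -> policy class.  Associations are
    (user attribute, ops, object attribute) edges that grant ops."""

    def __init__(self):
        self.parents = defaultdict(set)   # node -> nodes it is assigned to
        self.associations = []            # (ua, frozenset(ops), oa)
        self.policy_classes = set()

    def assign(self, child, parent):
        self.parents[child].add(parent)

    def associate(self, ua, ops, oa):
        self.associations.append((ua, frozenset(ops), oa))

    def add_policy_class(self, pc):
        """Composable policy class structure (assumption: one reading of the claimed
        'exclusion default' nodes).  Each policy class gets a default user node and a
        default object node joined by an association granting every operation, so
        elements the policy class does not specifically restrict still receive its
        full permissions and do not empty the intersection."""
        self.policy_classes.add(pc)
        default_users, default_objects = f"{pc}/default_users", f"{pc}/default_objects"
        self.assign(default_users, pc)
        self.assign(default_objects, pc)
        self.associate(default_users, ALL_OPS, default_objects)
        return default_users, default_objects

    def ancestors(self, node):
        """All nodes reachable by following assignments upward (node itself excluded)."""
        seen, stack = set(), [node]
        while stack:
            for parent in self.parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def privileges_per_policy_class(self, user, obj):
        """For every policy class containing obj: the ops granted to user by associations
        whose object attribute lies under that policy class."""
        user_side = self.ancestors(user) | {user}
        object_side = self.ancestors(obj) | {obj}
        per_pc = {}
        for pc in self.ancestors(obj) & self.policy_classes:
            ops = set()
            for ua, assoc_ops, oa in self.associations:
                if ua in user_side and oa in object_side and pc in self.ancestors(oa):
                    ops |= assoc_ops
            per_pc[pc] = ops
        return per_pc

    def decide(self, user, obj):
        """Strict evaluation mode: one decision, the intersection of the per-policy-class
        permission sets.  An object contained in no policy class gets nothing."""
        per_pc = self.privileges_per_policy_class(user, obj)
        if not per_pc:
            return set()
        return set.intersection(*per_pc.values())


def build_clinic_graph():
    """Constructed sample (names are illustrative): an RBAC policy class, a location
    policy class and a time policy class over a single patient record."""
    g = NGACGraph()
    g.add_policy_class("RBAC")
    g.add_policy_class("Location")
    time_default_users, time_default_objects = g.add_policy_class("Time")

    g.assign("doctor", "RBAC")
    g.assign("nurse", "RBAC")
    g.assign("patient_records", "RBAC")
    g.associate("doctor", {"read", "write"}, "patient_records")
    g.associate("nurse", {"read"}, "patient_records")

    g.assign("on_site", "Location")
    g.assign("clinic_records", "Location")
    g.associate("on_site", {"read", "write"}, "clinic_records")

    g.assign("record1", "patient_records")
    g.assign("record1", "clinic_records")
    g.assign("record1", time_default_objects)   # Time places no specific rule on it

    users = {
        "alice": ["doctor", "on_site", time_default_users],
        "bob":   ["doctor", time_default_users],            # doctor, but off site
        "carol": ["doctor", "on_site"],                     # not in Time's default node
        "dave":  ["nurse", "on_site", time_default_users],  # read-only role
    }
    for user, attrs in users.items():
        for attr in attrs:
            g.assign(user, attr)
    return g


if __name__ == "__main__":
    g = build_clinic_graph()
    for user in ("alice", "bob", "carol", "dave"):
        per_pc = g.privileges_per_policy_class(user, "record1")
        print(user, {pc: sorted(ops) for pc, ops in sorted(per_pc.items())},
              "->", sorted(g.decide(user, "record1")))
```

Running the script shows why the intersection is the strict mode: bob is a doctor with full RBAC permissions but is denied because the location policy class grants him nothing, carol is denied solely because the time policy class contains the record only through its default object node and she is not in that class's default user node, and dave is trimmed to read because the nurse role grants only read under RBAC while the other two classes grant everything.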
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and Xing (US20160036860), PCT filed March 14, 2014, and further in view of Arnold (US5936860), filed March 28, 1997.
Regarding claim 16, Basnet, Saxena, and Xing disclose the method as recited in claim 15 and RBAC (Basnet, page 132, left column, lines 13-39, RBAC).  
Basnet, Saxena, and Xing do not explicitly disclose wherein the different types of the multiple policy classes in the NGAC graph include two or more of a location policy class, a role-based access control (RBAC) policy class, or a time policy class.
However, in an analogous art, Arnold discloses wherein the different types of the multiple policy classes in the NGAC graph include two or more of a location policy class, a role-based access control (RBAC) policy class, or a time policy class (Arnold, col. 11, line 60, through col. 12, line 9, location choose policy, class).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Arnold with the computing device/ method of Basnet, Saxena, and Xing to include wherein the different types of the multiple policy classes in the NGAC graph include two or more of a location policy class, a role-based access control (RBAC) policy class, or a time policy class.
One would have been motivated to provide users with the benefits of providing warehouse control functionality and of permitting a framework user to add extensions for specific processing features (Arnold, abstract).




Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Basnet, Rejina, Subhojeet Mukherjee, Vignesh M. Pagadala, and Indrakshi Ray. "An efficient implementation of next generation access control for the mobile health cloud." In 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC), pp. 131-138. IEEE, 2018, in view of Saxena (US2019/0327271), filed April 19, 2019, and further in view of Maes (US20170302531), PCT filed September 30, 2014.
Regarding claim 17, Basnet and Saxena disclose the method as recited in claim 11. 
Basnet and Saxena do not explicitly disclose wherein: the NGAC graph includes separable policy bindings that each correspond to one of the multiple policy classes; and the separable policy bindings are each assigned to the corresponding one of the multiple policy classes.  
However, in an analogous art, Maes discloses wherein: the NGAC graph includes separable policy bindings that each correspond to one of the multiple policy classes (Maes, paragraph 0113, separating the design, separate pieces, policies, paragraph 0027, graph, paragraph 0171, binding policies, node, user);
the separable policy bindings are each assigned to the corresponding one of the multiple policy classes (Maes, paragraph 0113, separating the design, separate pieces, policies, paragraph 0027, graph, paragraph 0171, binding policies, node, user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Maes with the computing device/method of Basnet and Saxena to include wherein: the NGAC graph includes separable policy bindings that each correspond to one of the multiple policy classes; and the separable policy bindings are each assigned to the corresponding one of the multiple policy classes.
One would have been motivated to provide users with the benefit that discovered or inferred topologies can be prescribed and managed by the system through binding policies (Maes, paragraph 0171).
Regarding claim 18, Basnet, Saxena, and Maes disclose the method as recited in claim 17.  Maes discloses wherein: the NGAC graph includes a policy node assigned to the separable policy bindings (Maes, paragraph 0113, separating the design, separate pieces, policies, paragraph 0027, graph, paragraph 0171, binding policies, node, user).  Saxena discloses one or more of the user elements that each represent a respective user are assigned as a member of the policy node (Saxena, paragraph 0145, model access control graph, modeling analysis, policies, nodes).  The motivation is the same as that of the claim from which this claim depends.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.J.M/Examiner, Art Unit 2439             



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439