DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 04/02/2026. Claims 1, 10, and 11 amended. and 9-11 are amended. Claims 2-5 are cancelled. Claim 12 newly added. Claims 1, and 6-12 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 17/579,523.
Examiner Note
Applicant’s submitting new title below obviates previously raised specification objection.
Examiner withdraws the second set of rejection submitted in the last office action.
Applicant is encouraged to review the relevant references mentioned at the conclusion section of this office action.
The processor has been described in the specification as: [the term "processor" refers to hardware in a broad sense. Examples of the processor include general processors (e.g., CPU: Central Processing Unit) and dedicated processors (e.g., GPU: Graphics Processing Unit, ASIC: Application Specific Integrated Circuit, FPGA: Field Programmable Gate Array, and programmable logic device)].
Claim Objections
Claims 1, 10, and 11 are objected to because of the following informalities: these claims recite” after receiving the log-out request, specify the managed terminal that is away from the managing terminal by the predetermined distance or more as a log-out target” which is redundant limitation to the preceding limitation. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, and 6-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
The independent claims 1, 10, and 11 recite “receive, from a managing terminal, a first log-out request to log the managing terminal out from the network” which renders the claim indefinite, because if the managing terminal request a log-out from the information processing apparatus , and it is logged-out from the network , the managed terminal automatically will disconnect from network since the managed terminal only can access the network through the managing terminal and further, there will be no need for the information processing apparatus send a second log-out to an access point to log-out the managing terminal and there will be no need to change the managing user to delegated managing user. Applicant in the first log-out request may add a limitation that before logging the terminal out , check to see if other terminals are connected to it and request that the other managed terminal to be logged out before the managing terminal get logged out. In latter limitations such as “in a case where the first log-out request includes specification of location information about the managing terminal used by the managing user, specify a managed terminal that is away from the managing terminal by a predetermined distance or more as a log-out target; after receiving the log-out request, specify the managed terminal that is away from the managing terminal by the predetermined distance or more as a log-out target, wherein the location information is a relationship between a distance from a beacon to the specified managed terminal and a distance from the beacon to the managing terminal”. In these limitations Applicant adds more detail to the first log-out request, but in the first limitation mentioned above, the managed terminal is already logged -out by the information processing apparatus.
Applicant specification states [According to the first exemplary embodiment, when the managing terminal 30 issues a log-out request, the managed terminal 40 that is being managed by the managing terminal 30 is forcibly logged out. Accordingly, before a managing user who is managing a managed user moves out of the network system, the managed user is caused to be logged out. Thus, a situation in which there is no managing user available to manage the managed user may be prevented…..In the case where a log-out request transmitted from the managing terminal 30 specifies another managing user, the managing terminal changing part 114 delegates management of a managed user by changing a user managing a managed user from the managing user who has issued the log-out request to another managing user. In the first exemplary embodiment described above, at the time when a managing user logs out, a managed user who is being managed by the managing user is forcibly logged out, so that absence of a user who manages the managed terminal 40 is avoided].
The independent claims 1, 10, and 11 recite “ access point” and the related limitations in the claim renders the claimed limitations indefinite because the claimed limitations indicate that the apparatus and managed terminals are connected to this access point , however there is no indication of managing terminal connection to this access point, but the specification states that [As information on a connection source AP, an access point ID is set as identification information about the access point 2 to which the managing terminal 30 is being wirelessly
connected…As information on a connection source AP, an access point ID is set as identification information about the access point 2 to which the managed terminal 40 is being wirelessly connected… The log-out request unit 31 of the managing terminal 30 requests the authentication server 10 to log the managing terminal 30 out in accordance with a predetermined operation performed by a managing user (step 5311). Although the access point 2 relays the log-out request from the managing terminal 30 to the authentication server 10].
The independent claims 1, 10, and 11 recite “ transmit, to the access point, a second log-out request to log the managed terminal out from the network by the access point” which renders the claim indefinite , and this limitation contradicts what is stated in the specification [The authentication server 10 logs the managing terminal 30 and the managed terminal 40 as log-out targets out in response to a log-out request from the managing terminal 30].
Examiner maps the claimed limitation under the broadest reasonable interpretation.
Claims 6-9 do not cure the deficiency of claim 1 and are rejected under 35 USC 112, 2nd paragraph, for their dependency upon claim 1.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1, and 6-12 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.
The independent claims 1, 10, and 11 recite transmit, to the access point, a second log-out request to log the managed terminal out from the network by the access point” , which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Applicant is kindly requested to show the examiner support in the original disclosure for the new or amended claims. See MPEP 714.02 and 2163.06 (“Applicant should specifically point out the support for any amendments made to the disclosure").
Claims 6-9 do not cure the deficiency of claim 1 and are rejected under 35 USC 112, 1st paragraph, for their dependency upon claim 1.
Response to Argument
Applicant’s arguments with respect to claims 1, and 10-11 for newly added limitation have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, and 6-11 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US8,806,593) issued to Raphel, and in view of YOO CHI HOON(KR 20170023597 A), hereinafter, “HOON”.
Regarding claims 1, 10 and 11, Raphel discloses an information processing apparatus comprising: a processor configured to: connect to a network; receive, from a managing terminal, a first log-out request to log the managing terminal out from the network [Abstract, Guest accounts arise in a variety of ways. Hotels, Coffee Shops, internet cafes, internet kiosks, etc. (equated to Managed terminals) provide internet access to its guests, aka customers. Cloud based security services (equated to managed terminal) can serve as a platform for supporting efficient and safe guest account management. Guest accounts are managed by the cloud service and are associated and disassociated( equated to log-in and log-out) with individuals as needed by the guest account provider (equated to access point). The cloud service can also provide a guest account provider with greater control over guest account usage and accountability], and [(4) In conventional guest management environments, guest users are enabled to access network resources through an enterprise network using a guest user account. A guest user account may be created for a guest for a limited time. Guest account credentials of the guest account may be provided to the guest to use the guest account using any of a variety of techniques]; and
While Raphel discloses identify a managed terminal that is being managed by the managing terminal wherein the managed terminal is not permitted to log into the network and is permitted to log into the network only by the managing terminal and by another managing terminal which is permitted to log into the network; identify an access point to which the managed terminal is being connected to among a plurality of access points; and transmit, to the access point, a second log-out request to log the managed terminal out from the network by the access point. [Abstract, Guest accounts arise in a variety of ways. Hotels, Coffee Shops, internet cafes, internet kiosks, etc. (equated to Managed terminals) provide internet access to its guests, aka customers. Cloud based security services (equated to managed terminal) can serve as a platform for supporting efficient and safe guest account management. Guest accounts are managed by the cloud service and are associated and disassociated( equated to log-in and log-out) with individuals as needed by the guest account provider (equated to access point). The cloud service can also provide a guest account provider with greater control over guest account usage and accountability], and [(4) In conventional guest management environments, guest users are enabled to access network resources through an enterprise network using a guest user account. A guest user account may be created for a guest for a limited time. Guest account credentials of the guest account may be provided to the guest to use the guest account using any of a variety of techniques]; and
in a case where the first log-out request includes specification of location information about the managing terminal used by the managing user, specify a managed terminal that is away from the managing terminal by a predetermined distance or more as a log-out target; after receiving the log-out request, specify the managed terminal that is away from the managing terminal by the predetermined distance or more as a log-out target, [ Col. 10 lines 57-67, Col. 11 lines 1-23…. The cloud-based security system may also allow users to be grouped under organizational units such as (Engineering, Sales, Marketing, Guests, etc.) and/or along enterprise facilities such as (Manufacturing, Research, Operations, etc.). Guests may be guests to a specific facility where each facility may have a Guest user group. In various implementations, administration of guests may involve the administration of a Guest user group under an organizational unit, facility or the enterprise as a whole. Administrative responsibilities may reside in whole with, or distributed among, front desk personnel, unit/facility system administrators and/or enterprise system administrators].
, and [Col. 11 lines 24-67, Cloud based security services are usually sold in a per seat pricing model. Depending on the volume of guests, more cloud-based security accounts may be subscribed in a very short time to absorb the surge in the guests, while a relatively small pool of accounts may be kept allocated. For example, enterprises may choose to have a small number of accounts for their visitors and may organize the accounts in a per location (department, building, etc.) manner.... Policies may have been chosen at an enterprise level, a location level and/or at a user group level. Irrespective of the specific mechanism used, one or more security policies may be associated with guest accounts individually and/or in specified groupings], and [ Col. 13 lines 32-36, In various implementations, system can allow the guest administrator to dissociate a guest account, dissociate all guest accounts of a given group and/or location, and/or associate an account with a user, a time limit and/or a temporary password or other credentials (equated to predetermined operation)], and [Claim 6. The method of claim 1, and further comprising the steps of K) assigning a time limit to the first guest account and L) logging-out the first guest account when the time limit has passed].
Raphel does not explicitly disclose; however, HOON discloses wherein the location information is a relationship between a distance from a beacon to the specified managed terminal and a distance from the beacon to the managing terminal [ Abstract, Disclosed are a system for providing real-time group information and a service providing method thereof. In the system, a terminal service system provides detail information of a beacon to a plurality of terminals positioned within a receivable range of the beacon transmitted from a beacon transmitter, and calculates a probability of being included in the same group between terminals by receiving information of a relay beacon transmitted and received by the plurality of terminals. An application service system performs grouping for determining a terminal included in the same group by using information on the probability calculated in the terminal service system, and provides information on the performed grouping and information of the terminal included in the same group to the terminal for an application service], and [Page 2, 3rd para. There are various types of location recognition methods using the short distance communication technology, but since the launch of Apple's iBeacon, a method of utilizing the beacon has become popular. A position recognition method using a beacon periodically broadcasts a light message called a beacon, and the terminal receives a beacon message and inquires the unique ID value contained in the message to the server to acquire the position of the beacon transmitter Method], and [Page 7, last para. The beacon transmitting and receiving unit 210 receives the beacon transmitted from the fixed beacon transmitter 100 or the relay beacon transmitted from the other terminal 200 and also transmits the beacon transmitted from the beacon transmitter 100 to the other terminal 200 And transmits the relay beacon to the outside. At this time, the beacon transmission / reception unit 210 can distinguish whether the beacon transmitted from the beacon transmitter 100 or the beacon transmitted from the other terminal 200 is via the UUID of the received beacon], and
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Raphel by incorporating “ Beacon technology (beacon transmitting and receiving unit) ”, as taught by HOON. One could have been motivated to do so in order to provide various information and services by using the local location recognition technology and communication technology, [ HOON, Abstract, Page 2].
Regarding claim 6, Raphel discloses, wherein the managed terminal to be logged out is specified by the managing user [Col. 11 lines 42-53, Guest accounts may be terminated in a relatively small, fixed time period. For example, Kiosks, internet cafes, coffee shops and hotels may provide access for a limited time period. The time period may be known in advance or may be known at the end of usage. For example, a visitor may request access for 1 hour and may renew the access for another hour. Enterprise hosts may provide internet access to their visitors while they are present in the enterprise. It may be desirable for the Enterprise to provide internet access such that the visitor is protected from malicious content, limited in their bandwidth usage, and preferably isolated from the on-premise security appliances], and [ Col. 13 lines 32-36, In various implementations, system can allow the guest administrator to dissociate a guest account, dissociate all guest accounts of a given group and/or location, and/or associate an account with a user, a time limit and/or a temporary password or other credentials], and [Claim 6. The method of claim 1, and further comprising the steps of K) assigning a time limit to the first guest account and L) logging-out the first guest account when the time limit has passed], and [ Col. 14 lines 36-46, the logout operation may be validated for access using existing mechanisms such as domain cookies. A verification is preferably performed to assure that the user performing logout is in fact the user currently associated with the guest account. Additionally, administrative logouts may be performed using an administrative management screen. No guest user verification is necessary when an administrative logout occurs. FIG. 8 depicts an example guest account management screen that may support administrative logout and/or other guest account actions such as dynamic modification of time out and/or expiration periods associated with a guest account].
Regarding claim 7, Raphel discloses, wherein the predetermined operation further comprises an operation for receiving a log-out request to log the managed terminal out, and wherein the processor is configured to, in a case where the log-out request includes specification of a managed terminal, identify the specified managed terminal as a log- out target[ Col. 10 lines 57-67, Col. 11 lines 1-53, Cloud based security may provide a number of administrative roles for the safe implementation of its security policies. For example, a specific administrative role may be allocated to the creation of enterprise-wide security policies. Another role can be created for user administration and policy association with users. Another role can be devoted for configuration of the system and its operation. A fourth role can be management of special users such as visitors/guests. This distribution of responsibility may make security breaches less frequent as breaches may require security lapses at multiple levels. The present application discusses exemplary methods, systems and software that support the role of managing guest accounts. Such a role maybe associated with a front desk which performs visitor administration or with other local or remote enterprise administrator(s). An enterprise may have multiple guest accounts each having a user identity, but no real user attached. An enterprise may have multiple user groups which are Guests, and each such Guest group may have an independent guest group administrator. The term "guest administrator" refers to the administrator of one or more guest groups and/or locations. The cloud-based security system may also allow users to be grouped under organizational units such as (Engineering, Sales, Marketing, Guests, etc.) and/or along enterprise facilities such as (Manufacturing, Research, Operations, etc.). Guests may be guests to a specific facility where each facility may have a Guest user group. In various implementations, administration of guests may involve the administration of a Guest user group under an organizational unit, facility or the enterprise as a whole. Administrative responsibilities may reside in whole with, or distributed among, front desk personnel, unit/facility system administrators and/or enterprise system administrators... Guest accounts may be terminated in a relatively small, fixed time period. For example, Kiosks, internet cafes, coffee shops and hotels may provide access for a limited time period. The time period may be known in advance or may be known at the end of usage. For example, a visitor may request access for 1 hour and may renew the access for another hour. Enterprise hosts may provide internet access to their visitors while they are present in the enterprise. It may be desirable for the Enterprise to provide internet access such that the visitor is protected from malicious content, limited in their bandwidth usage, and preferably isolated from the on-premises security appliances].
Regarding claim 8, Raphel discloses, wherein the predetermined operation further comprises an operation for receiving a log-out request to log the managed terminal out, and wherein the processor is configured to, in a case where the log-out request does not include specification of a managed terminal, identify managed terminals used by all the managed users under management by the managing user as log-out targets[ Col. 10 lines 57-67, Col. 11 lines 1-53, Cloud based security may provide a number of administrative roles for the safe implementation of its security policies. For example, a specific administrative role may be allocated to the creation of enterprise-wide security policies. Another role can be created for user administration and policy association with users. Another role can be devoted for configuration of the system and its operation. A fourth role can be management of special users such as visitors/guests. This distribution of responsibility may make security breaches less frequent as breaches may require security lapses at multiple levels. The present application discusses exemplary methods, systems and software that support the role of managing guest accounts. Such a role maybe associated with a front desk which performs visitor administration or with other local or remote enterprise administrator(s). An enterprise may have multiple guest accounts each having a user identity, but no real user attached. An enterprise may have multiple user groups which are Guests, and each such Guest group may have an independent guest group administrator. The term "guest administrator" refers to the administrator of one or more guest groups and/or locations. The cloud-based security system may also allow users to be grouped under organizational units such as (Engineering, Sales, Marketing, Guests, etc.) and/or along enterprise facilities such as (Manufacturing, Research, Operations, etc.). Guests may be guests to a specific facility where each facility may have a Guest user group. In various implementations, administration of guests may involve the administration of a Guest user group under an organizational unit, facility or the enterprise as a whole. Administrative responsibilities may reside in whole with, or distributed among, front desk personnel, unit/facility system administrators and/or enterprise system administrators... Guest accounts may be terminated in a relatively small, fixed time period. For example, Kiosks, internet cafes, coffee shops and hotels may provide access for a limited time period. The time period may be known in advance or may be known at the end of usage. For example, a visitor may request access for 1 hour and may renew the access for another hour. Enterprise hosts may provide internet access to their visitors while they are present in the enterprise. It may be desirable for the Enterprise to provide internet access such that the visitor is protected from malicious content, limited in their bandwidth usage, and preferably isolated from the on-premises security appliances].
Regarding claim 9, Raphel discloses, wherein the predetermined operation further comprises an operation for receiving a managing user change request including specification of a delegated managing user, and wherein the processor is configured to, in response to the managing user change request, delegate management of the managed user who has been under management by the managing user to the delegated managing user[Col. 10 lines 57-67, Col. 11 lines 1-53, Cloud based security may provide a number of administrative roles for the safe implementation of its security policies. For example, a specific administrative role may be allocated to the creation of enterprise-wide security policies. Another role can be created for user administration and policy association with users. Another role can be devoted for configuration of the system and its operation. A fourth role can be management of special users such as visitors/guests. This distribution of responsibility may make security breaches less frequent as breaches may require security lapses at multiple levels. The present application discusses exemplary methods, systems and software that support the role of managing guest accounts. Such a role maybe associated with a front desk which performs visitor administration or with other local or remote enterprise administrator(s). An enterprise may have multiple guest accounts each having a user identity, but no real user attached. An enterprise may have multiple user groups which are Guests, and each such Guest group may have an independent guest group administrator. The term "guest administrator" refers to the administrator of one or more guest groups and/or locations. The cloud-based security system may also allow users to be grouped under organizational units such as (Engineering, Sales, Marketing, Guests, etc.) and/or along enterprise facilities such as (Manufacturing, Research, Operations, etc.). Guests may be guests to a specific facility where each facility may have a Guest user group. In various implementations, administration of guests may involve the administration of a Guest user group under an organizational unit, facility or the enterprise as a whole. Administrative responsibilities may reside in whole with, or distributed among, front desk personnel, unit/facility system administrators and/or enterprise system administrators... Guest accounts may be terminated in a relatively small, fixed time period. For example, Kiosks, internet cafes, coffee shops and hotels may provide access for a limited time period. The time period may be known in advance or may be known at the end of usage. For example, a visitor may request access for 1 hour and may renew the access for another hour. Enterprise hosts may provide internet access to their visitors while they are present in the enterprise. It may be desirable for the Enterprise to provide internet access such that the visitor is protected from malicious content, limited in their bandwidth usage, and preferably isolated from the on-premises security appliances].
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US8,806,593) issued to Raphel, and in view of YOO CHI HOON(KR 20170023597 A), hereinafter, “HOON”, and further in view of Tandon ( US8429708).
Regarding claim 12, Raphel, and HOON do not explicitly disclose, however, Tandon discloses in a case where a delegated managing user is specified in the first log-out request, avoid the managed terminal used by a managed user who has been under management by a managing user is logged out, by changing a user managing the managed user from the managing user to the delegated managing user [Col. 9 lines 62-67- Col. 10 lines 1-6, It is not uncommon for a lesser-privileged administrator to be granted permissions on thousands of objects over the lifetime of their employment in that capacity. Also, in many cases delegated administrators may themselves be allowed to further sub-delegate administrative authority to other delegated administrators and users. Over a long period of time, hundreds of administrative personnel and users may end up having permissions granted to them on thousands of different objects in the Active Directory. Over time, it may also very well be that while the administrative responsibilities assigned to delegated administrator may change], and [Col.11 lines 12-20, Thus at any given point in time, an ordinary user or a delegated administrator of the system may very well be entitled to creating new user accounts or groups, resetting the passwords of or disabling a large number of user accounts, modifying potentially sensitive and confidential information on user accounts, modifying the group membership of a large number of security groups each of which in turn may have been used at thousands of places in the system to specify access on thousands of resources, etc].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Raphel, and HOON by incorporating “Microsoft Windows based information systems”, as taught by Tandon. One could have been motivated to do so in order to offer a powerful capability that allows administrators to distribute and delegate the various aspects of management of these resources between a large number of relatively less powerful administrators and between the users of the system themselves. [ Tandon, Col. 9 lines 16-25].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Joshi ( US7398311) [Col. 8 lines 13-57, In one embodiment, the system of FIG. 1 includes means for providing and managing identity profiles, and means for defining and managing authentication and authorization policies. In one implementation, user identity and authentication/authorization information is administered through delegable Administration roles. Certain users are assigned to Administration roles, thus conferring to them the rights and responsibilities of managing policy and/or user identities in specific portions of the directory and web name spaces. The capability to delegate Administration duties enables a site to scale administratively by empowering those closest to the sources of policy and user information with the ability to manage that information. A role is a function or position performed by a person in an organization. An administrator is one type of role. In one embodiment, there are at least five different types of administrators: System Administrator, Master Access Administrator, Delegated Access Administrator, Master Identity Administrator, and Delegated Identity Administrator. A System Administrator serves as a super user and is authorized to configure the system deployment itself and can manage any aspect of the system. A Master Access Administrator is assigned by the system administrator and is authorized to configure the Access Management System. The Master Access Administrator can define and configure Web Gates, Access Servers, authentication parameters, and policy domains. In addition, Master Access Administrators can assign individuals to Delegated Access Administrator roles. A Delegated Access Administrator is authorized to create, delete and/or update policies within their assigned policy domain (described below), and create new policy domains subordinate to their assigned policy domains. A Delegated Access Administrator may also confer these rights to others. A Master Identity Administrator, assigned by the System Administrator, is authorized to configure the Identity Management System, including defining and configuring end user identities and attributes, per attribute access control, who may perform new user and deactivate (revocation) user functions. Master Identity Administrators may also designate individuals to Delegate Identity Administrator roles. A Delegated Identity Administrator is selectively authorized to perform new user and deactivate user functions].
Shah (US2019/0386977) [see FIG. 2, ¶¶62-69... when an electronic device (e.g., satellite device 216) (equated to managed user) attempts to communicatively couple to a local network, the cloud system 206 may prompt a network administrator to specify whether the electronic device should be granted network access. For example, a notification may be presented on the user device 212 associated with the network administrator (e.g., first user 208). In some embodiments, the notification also prompts the first user 208 to categorize the electronic device by, for example, specifying what limitations, if any, should be instituted to restrict network access.... The first user 208(equated to managing user) may also be able to alter other preferences via the mobile application 210 on the user device 212. For example, the first user 208 may establish a guest network for a certain period (e.g., a day, week, or an indefinite period). As another example, the network administrator (equated to managing user) may specify that electronic devices should be permitted to access the guest network ...these modifications may also be established for a predetermined period (e.g., two hours, four hours, eight hours) ... the network access device 202(equated to managed terminal) is configured to install a tag on each electronic device that connects to the local network. The tag can remain on an electronic device regardless of whether it is still connected to the local network. For example, the network access device 202 may install a tag on a smartphone that requests access to the local network... Data related to these features can be transmitted to the cloud system 206. Accordingly, the cloud system 206 may generate a profile for each electronic device that specifies expected/average feature values. Upon discovering a feature value exceeding a certain threshold (e.g., 150% of the average feature value), the cloud system 206 may alert the first user 208... Different actions can then be taken if abnormal feature values are discovered. For example, the cloud system 206 may prompt the network administrator to specify whether a potentially infected electronic device should be prevented from accessing the network via the network access device or monitored more closely. Similarly, the network administrator may opt to run/install malware protection since the cloud system 206 has discovered a possible unauthorized access... Each profile can be stored in the network access device 202, the cloud system 206, or any combination thereof. In some embodiments, a similar profile is generated for the network access device 202... As noted above, if abnormal feature value(s) are discovered for an electronic device, the first user 208 may opt to automatically restrict network access by the electronic device. Such a feature may be referred to as a “kill switch.” Whether network access is restricted may be based on a comparison of the feature value(s) associated with an electronic device with a single profile...], and [¶¶50-52, 79-87].
HASE((US2018/0330066)) [ Abstract, the image forming apparatus is an authorization device that gives authority to use of the image forming apparatus. To the host user, the authority to use of the image forming apparatus is given. The image forming apparatus evaluates depth of a relationship between a host user and a guest user different from the host user, on a service used by a plurality of users. Based on the evaluation results, the image forming apparatus gives the authority to use of the image forming apparatus to the guest user. This makes it possible to provide an authorization device capable of improving convenience while securing security].
Barak (US2013/0227699) [ 0054] In some implementations, image use control module 305 may also check the status (e.g., via sending requests and receiving indications thereof) of the connection between use control agent 301 and various components of virtual appliance machine 107 (e.g., an agent monitor control 311). In some implementations, image use control module 305 further performs shutdowns of and prevents access to guest virtual machine 109 when virtual appliance machine 107 returns an indication that the status of the image is "inactive" (or other status that indicates a shutdown is needed to protect the integrity of guest virtual machine 109). Accordingly, image use control agent 305 may actively monitor (i.e., perform periodic status checks) image statuses stored on virtual appliance machine 107 and prevent the use of inactive/dormant guest virtual machines].
Bogsanyl (US8639492) [ 7. The computer implemented method of claim 1, further comprising: in response to receiving a shutdown request from the native virtual machine, terminating the guest virtual machine, wherein the request for termination is generated at completion of an execution of the program].
Nakajima (US2013/0174151) [ [0095] According to the above embodiment, when logout is requested of the guest OS which runs in the guest virtual machine, the guest OS is requested to change from the normal state to the sleep state. When the guest OS changes to the sleep state, a memory image file which indicates data in the storage region of the memory used by the guest OS is prepared. Then, when it is requested to start the guest virtual machine, the disk image file which indicates data in the storage region of the storage device which was assigned to the virtual machine when the memory image file was prepared is set in the hypervisor, and data stored in the first storage region is restored in the second storage region of the memory assigned to the virtual machine, based on the memory image file. When the data is restored in the second storage region, the hypervisor is requested to return the operating system from the sleep state to the normal state. Thereby, it is possible to shorten the wait time required until the guest virtual machine becomes available, when the guest virtual machine is started or the login user is changed].
PENG, Long-teng(CN 115333881 A) According to one exemplary implementation of the present disclosure, the administrator can be allowed to add new participants to the network conference. For example, it can allow the administrator to generate new conference link for the new participant and send the conference link. An administrator may be allowed to update the participant ' s participation authority and/or delete the participant from the network conference. For example, if a certain guest is found to be inappropriate speech, then temporarily adjusting the participation authority of the guest to the participation authority of the audience. Alternatively and/or additionally, the conference connection between the terminal device of the guest and the server 150 can be disconnected, so as to delete the guest from the network conference. For example, the assistant can help the speaker to operate the shared screen of the object, such as, adjusting the page of the presentation document, and so on.
Yasuma (US2014/0012894) [0043] The server 107 pre-stores the association between users, devices owned by each user, and the association between each user and devices owned by the user based on an input from each user. These pieces of stored information may be imported, for example, from a social networking service (SNS) on the Internet. [0048] Returning to FIG. 15, an edge 1522 indicates the association between the user A 103 and devices associated with the user A 103. Edges 1523 and 1524 indicate the associations between the user B 104 and devices associated with the user B 104. FIGS. 17A, 17B, and 17C illustrate details of information about the association between user and device managed by the server 107. FIG. 17A illustrates information about the association between the user A 103 (the node 1501) and a device (the node 1503). The starting node is the identifier 1 of the user A 103 (the node 1501). The ending node is the identifier 3 of the device (the node 1503). The association between the user A 103 and the device indicates that the association type is "OWNED" and "PRIVATE", and the association intensity is "100". FIG. 17B illustrates information about the association between the user B 104 (the node 1502) and a device (the node 1504). The starting node is the identifier 2 of the user B 104 (the node 1502). The ending node is the identifier 4 of the device (the node 1504). The association between the user B 104 and the device indicates that the association type is "RENTAL", "BUSINESS" and the association intensity is "0".], and 0123] The following describes a case where the company worker of the node 2201 constructs an association with a device of the node 2204 (the company worker of the node 2201 associates himself or herself with the device of the node 2204). The company worker can request the server 107 to register the association with the node 2204 by instructing the server 107 to construct an association. A registration request may be made when the company worker of the node 2201 holds up a Near Field Communication (NFC) card (into which his or her ID is input) to the device of the node 2204 and the node 2204 requests the server 107 to make a registration. Referring to FIG. 23, since the device of the node 2204 is managed by the administrator (the node 2202 having the association "COWORKER" with the node 2201), an association 2227 newly determined has the association type "OWNED BY COMPANY" and the association intensity "50". Thus, corresponding to the association (the association 2221) between users, an association of a device with another user can be automatically determined and set].
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Primary Examiner, Art Unit 2496