Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
Claims 1, 9, and 17 have been amended. Claims 4, 12, and 20 have been canceled. Claims 1-3, 5-11, and 13-19 are pending and rejected in the application. This action is Final.
Response to Arguments
Applicant Argues:
The Examiner rejected Claims 1-3, 5-11 and 13-19 under 35 U.S.C. 112(a), first paragraph, as failing to comply with the written descript requirement. Regarding claims 1, 9, and 17, the Office indicates that "wherein the DAC policy comprises enabling access to items in a first subdomain of a first domain based on determining a user has access to a requested item in a second subdomain of a second domain," is allegedly not found in the specification. Applicant respectfully disagrees.
Examiner Responds:
Applicant’s, claims 1-3, 5-11, and 13-19, 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, arguments have been fully considered and are persuasive. Therefore, the rejection under 35 U.S.C. §112(a) is withdrawn.
Applicant Argues:
Applicant respectfully asserts that the cited references fail to teach or suggest at least the above-emphasized portions of amended independent claim 1. In particular, the cited references do not teach or suggest defining a DAC definition implementing the DAC policy, wherein the DAC definition comprises one or more conditionals, deriving a relationship between one or more items based on the one or more conditionals in the DAC definition, wherein the relationship determines whether access permission to the first item is enabled, and responsive to determining the derived attribute of the target item is satisfied and deriving the relationship, enabling access to the first item, as recited by the amended independent claims. The cited references appear to be silent regarding defining a DAC definition implementing a DAC policy, deriving a relationship between one or more items based on one or more conditionals in a DAC definition, much less using the derived relationship to enable access to a first item.
Examiner Responds:
Applicant's 35 USC § 103 arguments with respect to claims 1-3, 5-11, and 13-19 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections – 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 5, 6, 9, 10, 13, 14, 18, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kandasamy et al. U.S. Patent Publication (2012/0151552; hereinafter: Kandasamy) in view of Lei U.S. Patent Publication (2012/0095988; hereinafter: Lei) and further in view of Alstrin et al. U.S. Patent Publication (2008/0021883; hereinafter: Alstrin) and further in view of Naldurg et al. U.S. Patent Publication (2008/0104665; hereinafter: Naldurg)
Claims 1, 9, and 17
As to claims 1, 9, and 17, Kandasamy discloses a system comprising:
a memory device storing instructions (paragraph[0048], the reference describes using memory for application operations.); and
a processing device communicatively coupled to the memory device, wherein the processing device executes the instructions to (paragraph[0050], the reference describes using a processor and memory for application operations.):
apply a mandatory access control (MAC) policy and domain access control (DAC) policy to an item type, wherein the DAC policy comprises enabling access to items in a first subdomain of a first domain based on determining a user has access to a requested item in a second subdomain of a second domain (paragraph[0043]-paragraph[0044], the reference describes using a mandatory access and domain-based access control (i.e., domain access control, as claimed). The reference describes giving access to all domains (i.e., first subdomain of a first domain, as claimed) based on a request from in a domain (i.e., second subdomain of a second domain, as claimed).);
receive, from a processing device, a request to access a first item in a data structure, wherein the first item comprises the item type (paragraph[0031], the reference describes requesting data.).
defining a DAC definition implementing the DAC policy, wherein the DAC definition comprises one or more conditionals (Figure 2, paragraph[0032], the reference describes creating a domain access policy with one or more permissions (i.e., permission, as claimed).);
define a policy combining rule specifying that access to the first item is enabled according to an override based on a combination of whether the MAC policy, the DAC policy, or both provide access to the first item (paragraph[0032], the reference describes using access control policies on data based on the mandatory access and domain-based access control.);
based on the policy combining rule, determine whether the derived attribute of the target item is satisfied (paragraph[0034], the reference describes using both access and domain controls to determine which data a user is allowed to access. The Examiner interprets the term whether as optional.);
Kandasamy does not appear to explicitly disclose receive, at a processing device, a request to access a first item in a data structure, wherein the first item comprises the item type;
responsive to receiving the request, execute a query definition comprising the MAC, wherein the query definition includes an execution path for traversing the data structure, and executing the query definition cause the processing device to convert the query definition into a database programming language that enables traversing, using the execution path in the data structure, one or more relationships between the first item and one or more other items to identify a target item;
defining a derived attribute in the query definition specifying the first item to be accessed, wherein the query definition comprises a logical representation to determine one or more values of the derived attribute;
deriving a relationship between one or more items based on the one or more conditionals in the DAC definition, wherein the relationship determines whether access permission to the first item is enabled;
and
responsive to determining the derived attribute of the target item is satisfied and deriving the relationship, enable access to the first item.
However, Lei discloses responsive to receiving the request, execute a query definition comprising the MAC, wherein the query definition includes an execution path for traversing the data structure (Figure 2, paragraph[0025], the reference describes receiving a query expression (i.e., query definition, as claimed) that includes a protected column (i.e., MAC, as claimed).), and executing the query definition cause the processing device to convert the query definition into a database programming language that enables traversing (paragraph[0026], the first query is transformed into a new query expression (i.e., a database programing language, as claimed) that queries a database (that enables traversing, as claimed).), using the execution path in the data structure, one or more relationships between the first item and one or more other items to identify a target item (paragraph[0027], the reference describes the new query that includes relationships between the first query SNN and new query SNN.);
Based on the policy combining rule, determine whether a derived attribute of the target item is satisfied (paragraph[0035], the reference determines which subset values (i.e., target item) that will meet the new expression requirements.);
responsive to determining the derived attribute of the target item is satisfied and deriving the relationship, enable access to the first item (paragraph[0040], the reference describes returning the new query results based on policy attributes in the new expression.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei to transform a query expression based on the access policy which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei to quickly optimize queries related to tables that are subject to access control policies (Lei: paragraph[0002]).
The combination of Kandasamy and Lei do not appear to explicitly disclose
defining a derived attribute in the query definition specifying the first item to be accessed, wherein the query definition comprises a logical representation to determine one or more values of the derived attribute;
deriving a relationship between one or more items based on the one or more conditionals in the DAC definition, wherein the relationship determines whether access permission to the first item is enabled;
However, Alstrin discloses defining a derived attribute in the query definition specifying the first item to be accessed, wherein the query definition comprises a logical representation to determine one or more values of the derived attribute (paragraph[0074], the reference describes defining parameters (i.e., attribute, as claimed) in a baseline query definition (i.e., query definition, as claimed) dynamically (e.g., figure 3) (i.e., a logical representation, as claimed).). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei and Alstrin to dynamically define values in a query definition which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei and Alstrin to quickly determine deference between a new and old snapshot with generating an additional snapshot (Alstrin: paragraph[0006]).
The combination of Kandasamy, Lei, and Alstrin do not appear to explicitly disclose deriving a relationship between one or more items based on the one or more conditionals in the DAC definition, wherein the relationship determines whether access permission to the first item is enabled;
However, Naldurg discloses deriving a relationship between one or more items based on the one or more conditionals in the DAC definition, wherein the relationship determines whether access permission to the first item is enabled (paragraph0063]-paragraph[0065], the reference describes creating a relationship based on access rights. The Examiner interprets the element “whether” as optional.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei, Alstrin, and Naldurg to create access relationships which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei, Alstrin, and Naldurg to efficiently analyze and detect explicit information-flow vulnerabilities in access control configurations (Naldurg: paragraph[0006]).
Claims 2, 10, and 18
As to claims 2, 10, 18, the combination of Kandasamy, Lei, Alstrin, and Naldurg discloses all the elements in claim 1, as noted above, and Kandasamy further disclose wherein the MAC policy includes a condition that indicates to enable access to the first item when the attribute is satisfied (paragraph[0025], the reference describes the conditions to access data.).
Claims 5 and 13
As to claims 5 and 13, the combination of Kandasamy, Lei, Alstrin, and Naldurg discloses all the elements in claim 1, as noted above, and Lie further disclose wherein the processing device is further to:
implement a role based access control policy for the first item (paragraph[0028], the reference discloses changing the data based on the access policy for a user(i.e., implement a role, as claimed).);
determine a role of the entity that made the request(paragraph[0026], the reference describes determining the users access rights based on the access policy.);
based on the role of the entity and the derived attribute, determine whether to enable access to the first item (paragraph[0039], the reference describes determining whether a user has access based on the users credentials (i.e., the role, as claimed).).
Claims 6 and 14
As to claims 6 and 14, the combination of Kandasamy, Lei, Alstrin, and Naldurg discloses all the elements in claim 1, as noted above, and Lei disclose wherein access is enabled if the role is a certain level or if the derived attribute is satisfied (paragraph[028]-paragraph[00029], the reference describes determining when access is granted based on the policy and user credentials (i.e., role is a certain level).).
Claims 3, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kandasamy et al. U.S. Patent Publication (2012/0151552; hereinafter: Kandasamy) in view of Lei U.S. Patent Publication (2012/0095988; hereinafter: Lei) and further in view of Alstrin et al. U.S. Patent Publication (2008/0021883; hereinafter: Alstrin) and further in view of Naldurg et al. U.S. Patent Publication (2008/0104665; hereinafter: Naldurg) and further in view of Vepa et al. U.S. Patent Publication (2015/0089575; Vepa)
Claims 3, 11, and 19
As to claims 3, 11, and 19, the combination of Kandasamy, Lei, Alstrin, and Naldurg discloses all the elements in claim 1, as noted above, but do not appear to explicitly disclose wherein the target item is a parent item of the first item.
However, Vepa discloses wherein the target item is a parent item of the first item (paragraph[0139], the reference describes the system determining a parent data among a plurality of data.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Vepa to create access rights on object which would result in the claim invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Vepa to quickly avoid wasteful duplication of access rights by implementing a global container that contains policies that are applicable to multiple separate applications in the environment (Vepa: paragraph[0013]).
Claims 7, 8, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kandasamy et al. U.S. Patent Publication (2012/0151552; hereinafter: Kandasamy) in view of Lei U.S. Patent Publication (2012/0095988; hereinafter: Lei) and further in view of Alstrin et al. U.S. Patent Publication (2008/0021883; hereinafter: Alstrin) and further in view of Naldurg et al. U.S. Patent Publication (2008/0104665; hereinafter: Naldurg) and further in view of Chari et al. U.S. Patent Publication (2014/0196104; Chari)
Claims 7 and 15
As to claims 7 and 15, the combination of Kandasamy, Lei, Alstrin, and Naldurg discloses all the elements in claim 1, as noted above, but do not appear to explicitly disclose wherein access is enabled if the role is a certain level and if the derived attribute is satisfied.
However, Chari discloses wherein access is enabled if the role is a certain level and if the derived attribute is satisfied (paragraph[0026], the reference describes determining the user role and attributes to access data.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Chari to set roles which would result in the invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Chari to efficiently generate role-based access control policies that minimize a risk profile of resulting risk-averse roles and assignments to those risk-averse roles (Chari: paragraph[0007]).
Claims 8 and 16
As to claims 8 and 16, the combination of Kandasamy, Lei, Naldurg, and Alstrin discloses all the elements in claim 1, as noted above, but do not appear to explicitly disclose wherein the processing device is further to define the derived attribute for a plurality of item types, wherein the derived attribute comprises a uniform data type for each of the plurality of item types.
However, Chari discloses wherein the processing device is further to define the derived attribute for a plurality of item types, wherein the derived attribute comprises a uniform data type for each of the plurality of item types (paragraph[0026], the reference describes a system setting access rights for data.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Chari to set roles which would result in the invention. The skilled artisan would have been motivated to improve the teachings of Kandasamy with the teachings of Lei, Alstrin, Naldurg, and Chari to efficiently generate role-based access control policies that minimize a risk profile of resulting risk-averse roles and assignments to those risk-averse roles (Chari: paragraph[0007]).
Final Rejection
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAWAUNE A CONYERS whose telephone number is (571)270-3552. The examiner can normally be reached on M-F 8:00am-4:30pm EST. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DAWAUNE A CONYERS/Primary Examiner, Art Unit 2152
June 11, 2026