Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
1. This action is responsive to communication filed on: 26 January 2026 with acknowledgement of an original application filed on 21 December 2022 and that this application is a continuation of a provisional application with an earlier filing date of 21 December 2021.
2. Claims 1-2, 4-9, 11-16, and 18-21, are currently pending. Claims 1, 8, and 15, are independent claims. Claims 1, 5, 8, 12, 15, and 19, have been amended. Claims 3, 10, and 17, have been canceled.
Response to Arguments
3. Applicant's arguments filed 26 January 2026 have been fully considered however they are not persuasive. The 112 rejections in previous Office Action are withdrawn due to amendment. The Dezonno et al. reference was removed from the below rejection due to amendment. Due to amendments of claims 5, 12, and 19, these claims are rejected with a newly introduced prior art reference.
I) In response to Applicant’s argument beginning on page 6, “Claim 1-21 stand rejected…Applicant respectfully traverses the rejections…The Office Action cites to Parameshwaran as discloses the following portions of claim 1: “and a privilege to perform the request for the access is evaluated to determine whether the actor is permitted to access the object, the privilege is dynamically generated based at least on part upon an API operation that is exposed, wherein a privilege schema is used to map the privilege to an endpoint, the privilege scheme corresponding to a data structure that identifies and API endpoint, a path, an operation, and an operation ID”…Parameshwaran is directed to controlling access to an API itself – rather than teaching the use of an API to do something like perform an action for the granting of privilege to an actor as claimed…There is simply no disclosure in the Abstract of Parameshwaran regarding using the API to grant a privilege for an actor to access an object, where the privilege is dynamically determined using the API”.
The Examiner disagrees with argument for multiple reasons. It appears the Applicant’s representative is twisting the wording of the presented claim and making arguments out of context. The Examiner notes the claim limitation that the Parameshwaran/’431 reference was utilized for is copied below:
“the privilege is dynamically generated based at least on part upon an API operation that is exposed, wherein a privilege schema is used to map the privilege to an endpoint, the privilege schema corresponding to a data structure that identifies an API endpoint, a path, an operation, and an operation ID”
The Applicant then argues the Parameshwaran/’431 reference ‘does not teach the use of an API to do something like perform an action for the granting of privilege to an actor as claimed’. This feature is not what is stated in the claim. As noted above the claim states “the privilege is dynamically generated based at least on part upon an API operation that is exposed”.
According to the claim language, ‘privileges are generated based upon the API operation being executed’. The Examiner notes the Parameshwaran/’431 reference teaches what is claimed i.e. granting privileges based in part on an API operation. Note in the Abstract it states: “Controlling an (API) access action in a security-sensitive computing system includes, for an action to be performed, selecting from an operator account database an available operator account, generating a unique action tag which encompasses an identifier for the API access action and a unique API access key for executing the API access action; maintaining a dynamic access list having a mapping of the identifier of the API access action and the unique API access key and a selected operator account; granting, via the dynamic access list and the unique action tag, to the selected operator account an authorization for the API access to the security-sensitive computing system limited to performing the mapped API access”. Note the terms API access action as well as API access are interpreted equivalent to “API operation” as stated in the claims. In addition, the Parameshwaran/’431 reference teaches/suggests mapping the API operation with an identifier of the API access action. Paragraphs 2, 17, and 41-42 also teach these details. Therefore, the Applicant’s argument is not persuasive.
Claim Rejections – 35 USC § 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. Claims 1-2, 4, 6-9, 11, 13-16, 18, and 20-21, are rejected under 35 U.S.C. 103 as being unpatentable over Deen et al. U.S. Patent Application Publication No. 2015/0381452 (hereinafter Deen) in view of Xiong et al. U.S. Patent Application Publication No. 2011/0219425 (hereinafter Xiong) in further view of Parameshwaran et al. U.S. Patent Application Publication No. 2022/0188431 (hereinafter ‘431).
As to dependent claim 1, “A computer implemented method, comprising: receiving a request for access to an object in a computing system by an actor” is taught in Deen paragraph 28, note Deen teaches in paragraphs 3 and 10 that an actor can also be termed a user, in addition the Applicant’s disclosure teaches and actor is a user, see paragraph 63 “The actor may be any of a user, machine, and/or service”;the following is not explicitly taught in Deen:
“dynamically applying a role and an access level to the actor” however Xiong teaches assigning user roles as well as multi-dimensional constraints (i.e. which is interpreted equivalent to ‘access level’) in the Abstract and paragraphs 2 and 20;
“wherein a set of conditions the object meets for a role for the actor is reviewed to determine whether to grant the actor access to the object rather than using a static definition of constraints for access to the object” however Xiong teaches the system performs role-validation and constraint-validation for each received access request as well as multi-dimensional constraints are also evaluated for user permissions in paragraphs 20, 25, and 35-36;
“and providing access to the object in the computing system based at least in part upon the role, the privilege, and the access level that was dynamically applied to the actor” however Xiong teaches granting (i.e. providing) access to protected object based on part the user (i.e. actor) role and changing (i.e. dynamically applied) constraints in paragraph 17.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a detecting virtual private network usage taught in Deen to provide a role and access level (i.e. multi-dimensional constraints) to a user (i.e. actor). One of ordinary skill in the art would have been motivated to perform such a modification because existing role-based access control (RBAC) needs to be improved see Xiong paragraph 1. the following is not explicitly taught in Deen, and Xiong:
“and a privilege to perform the request for access is evaluated to determine whether the actor is permitted to access the object, the privilege is dynamically generated based at least on part upon an API operation that is exposed, wherein a privilege schema is used to map the privilege to an endpoint, a path, an operation, and an operation ID” however ‘431 teaches maintaining a dynamic access list which is evaluated to determine whether access is allowed based on the mapped API access in the Abstract, Figure 1, paragraphs 2, 17, and 41-42, note the ‘mapped API access’ is interpreted equivalent to an API operation.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a detecting virtual private network usage taught in Deen and Xiong to provide a means to limit access based on API operation and mapping of privileges to an endpoint, a path an operation, and an operation ID. One of ordinary skill in the art would have been motivated to perform such a modification to control access in a security sensitive computing system, see ‘431 paragraphs 1. As to dependent claim 2, “The method of claim 1, wherein the role and the access level are dynamically applied to the actor using a multi-factor approach based at least in part upon conditions, attributes and policies corresponding to the object and/or the actor” is taught in Xiong paragraphs 20, 25, and 35-36.
As to dependent claim 4, “The method of claim 1, wherein a set of privileged are granted to the actor for the object that correspond to the role and the access level” is disclosed in Xiong paragraphs 20, 25, and 35-36.
As to dependent claim 6, “The method of claim 1, wherein real-time events are considered as inputs to dynamically determine the role and/or the access level” is shown in Xiong paragraphs 24 and 42, note an enterprise decision that is subsequently made is interpreted equivalent to a “real-time event” / also a run-time role changes are also interpreted equivalent to a “real-time event”.
As to dependent claim 7, “The method of claim 1, wherein each of the object and the actor are tested against a condition in a conditional role” is disclosed in Xiong paragraphs 20, 24-25, and 42.
As to independent claim 8, this claim is directed to a computer program product executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 9, 11, and 13-14, these claims contain substantially similar subject matter as claims 2, 4, 6-7; therefore, they are rejected along similar rationale.
As to independent claim 15, this claim is directed to a system executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 16, 18, and 20-21, these claims contain substantially similar subject matter as claims 2, 4, 6-7; therefore, they are rejected along similar rationale.
6. Claims 5, 12, and 19, are rejected under 35 U.S.C. 103 as being unpatentable over Deen et al. U.S. Patent Application Publication No. 2015/0381452 (hereinafter Deen) in view of Xiong et al. U.S. Patent Application Publication No. 2011/0219425 (hereinafter Xiong) in further view of Parameshwaran et al. U.S. Patent Application Publication No. 2022/0188431 (hereinafter ‘431) in further view of Hoff et al. U.S. Patent Application Publication No. 2011/0078606 (hereinafter ‘606).
As to dependent claim 5, the following is not explicitly taught in Deen, Xiong, and ‘431:
“The method of claim 4, wherein the set of privileged are dynamically determined based at least in part upon feature flags” however ‘606 teaches ‘upon activation of specific settings , a user can use certain features or be limited in the functions that the user can perform…For example, a business document may be associated with a set of flags in the customizing table. Activation of the set of flags can enable features in the application program’ in paragraph 25.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a detecting virtual private network usage taught in Deen, ‘431, and Xiong to provide a means to utilize feature flags. One of ordinary skill in the art would have been motivated to perform such a modification because to ensure specificity as individually developed business software, a large amount of customizing settings are required in standard business software therefore improvements are needed see ‘606 paragraphs 2-3.
As to dependent claims 12 and 19, these claims contain substantially similar subject matter as claim 5; therefore, they are rejected along similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
7. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ELLEN TRAN/Primary Examiner, Art Unit 2433 12 February 2026