MULTI-TENANCY AUTHORIZATION FRAMEWORK FOR HIERARCHICAL RESOURCES OF A DATA MANAGEMENT SYSTEM

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted by applicant dated 12/22/2025 and 01/06/2026 and 02/02/2026 have been considered by the examiner. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/22/2025 has been entered. Response to Amendments Arguments are rendered moot in view of new rejections made in response to applicant’s amendments. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 3, 5, 7-10, 12-13, 15, 17, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dageville (US20220207169A1) in view of Rapp (US 20060230363 A1). Regarding claim 1, Dageville teaches a method, comprising: receiving, by a data management system, an indication of an assignment of a first computing object of a data management cluster to a tenant of the data management system (Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1.), wherein the data management cluster is operable to provide protection for data sources associated with a plurality of tenants of the data management system (Fig. 1. Para [0016]: multi-tenant database or data warehouse that supports many different customer accounts A1, A2, A3, An, etc. Customer accounts may be separated by multiple security controls, including different data storage locations associate with the costumer, and different account-level encryption keys.); identifying, by the data management system in response to the indication of the assignment of the first computing object to the tenant, a hierarchical relationship between the first computing object and one or more second computing objects, wherein the hierarchical relationship comprises the one or more second computing objects being lower within an object hierarchy than the first computing object (Fig. 1. Fig. 4. Fig. 5. Para [0019]. Para [0026]- [0030]. Para [0043]. Para [0051]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1, which in turn contains table object T1 and view object V1. The request component may identify a resource with which the alias object is linked, such as a database or table in a sharer account.); assigning, by the data management system in response to the indication of the assignment of the first computing object to the tenant, the first computing object to the tenant (Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2.); and assigning, by the data management system in response to the indication of the assignment of the first computing object to the tenant (Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2 and select grants between R1 and T1, V1, F2, Q2, T2 a user with activated role R1 can see all objects and read data from all tables, views, and sequences and can execute function F2 within account A1.). Dageville does not explicitly disclose (perform an action) the one or more second computing objects automatically to the tenant, wherein the automatic assignment of the one or more second computing objects by the data management system is based at least in part on the one or more second computing objects being lower within the object hierarchy than the first computing object. Rapp does disclose (perform an action) the one or more second computing objects automatically to the tenant, wherein the automatic assignment of the one or more second computing objects by the data management system is based at least in part on the one or more second computing objects being lower within the object hierarchy than the first computing object (Fig. 12. Para [0082]: adding children objects to a sub-hierarchy of which the source object is the root node results in an automatic inheritance of the respective object assignments in the persistent data entry mode.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville with the teachings of Rapp to include (perform an action) the one or more second computing objects automatically to the tenant, wherein the automatic assignment of the one or more second computing objects by the data management system is based at least in part on the one or more second computing objects being lower within the object hierarchy than the first computing object in order to allow child objects to automatically adopt object assignments from their parent object (Rapp Para [0082]). Regarding claim 3, Dageville in view of Rapp teaches the method of claim 1, further comprising: receiving, by the data management system, an indication of a second assignment of a third computing object of the data management cluster to a second tenant of the data management system (Dageville Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1 (fourth computing objects).); identifying, by the data management system in response to the indication of the second assignment of the third computing object to the second tenant, a second hierarchical relationship between the third computing object and one or more fourth computing objects, wherein the hierarchical relationship comprises the one or more fourth computing objects being lower within a second object hierarchy than the third computing object (Dageville Fig. 1. Fig. 4. Fig. 5. Para [0019]. Para [0026]- [0030]. Para [0043]. Para [0051]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1/fourth computing objects. The request component may identify a resource with which the alias object is linked, such as a database or table in a sharer account.); assigning, by the data management system in response to the indication of the assignment of the third computing object to the second tenant, the third computing object to the second tenant (Dageville Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2 (third computing object).); and assigning, by the data management system in response to the indication of the assignment of the third computing object to the second tenant, the one or more fourth computing objects to the second tenant based at least in part on the one or more fourth computing objects being lower within the object hierarchy than the third computing object (Dageville Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2 (third computing object) and select grants between R1 and T1, V1, F2, Q2, T2 (fourth computing object) a user with activated role R1 can see all objects and read data from all tables, views, and sequences and can execute function F2 within account A1.). Regarding claim 5, Dageville in view of Rapp teaches the method of claim 1, further comprising: receiving, by the data management system, an indication of a second assignment of a third computing object of the data management cluster to the tenant of the data management system (Dageville Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1 (fourth computing objects).); identifying, by the data management system in response to the indication of the second assignment of the third computing object to the tenant, a second hierarchical relationship between the third computing object and one or more fourth computing objects, wherein the second hierarchical relationship comprises the one or more fourth computing objects being lower within a second object hierarchy than the third computing object (Dageville Fig. 1. Fig. 4. Fig. 5. Para [0019]. Para [0026]- [0030]. Para [0043]. Para [0051]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1/fourth computing objects. The request component may identify a resource with which the alias object is linked, such as a database or table in a sharer account.); assigning, by the data management system in response to the indication of the assignment of the third computing object to the tenant, the third computing object to the tenant (Dageville Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2 (third computing object).); and assigning, by the data management system in response to the indication of the assignment of the third computing object to the tenant, the one or more fourth computing objects to the tenant based at least in part on the one or more fourth computing objects being lower within the object hierarchy than the third computing object (Dageville Para [0032]: a customer account A1 contains role R1, which has grants to all objects in the object hierarchy. Assuming these grants are usage grants between R1 and D1, D2, S1, S2 (third computing object) and select grants between R1 and T1, V1, F2, Q2, T2 (fourth computing object) a user with activated role R1 can see all objects and read data from all tables, views, and sequences and can execute function F2 within account A1. Rapp Fig. 12. Para [0082]: adding children objects to a sub-hierarchy of which the source object is the root node results in an automatic inheritance of the respective object assignments in the persistent data entry mode.). Regarding claim 7, Dageville in view of Rapp teaches the method of claim 1, further comprising: receiving, by the data management system, an indication of an assignment to the tenant of a first set of permissions for the first computing object and a second set of permissions for at least one computing object of the one or more second computing objects (Dageville Para [0031]. Para [0036]: grants between roles and database objects define what privileges a role has on these objects. For example, a role that has a usage grant/first set of permissions on a database can “see” this database when executing the command “show databases” (first computing object); a role that has a select grant/second set of permissions on a table (second computing object) can read from this table but not write to the table. The role would need to have a modify grant on the table to be able to write to it.). Regarding claim 8, Dageville in view of Rapp teaches the method of claim 7, wherein the assignment of the first set of permissions and the second set of permissions is based at least in part on the first computing object being a first type of computing object and the at least one computing object of the one or more second computing objects being a second type of computing object (Dageville Para [0031]. Para [0036]: grants between roles and database objects define what privileges a role has on these objects. For example, a role that has a usage grant/first set of permissions on a database can “see” this database when executing the command “show databases” (first computing object); a role that has a select grant/second set of permissions on a table (second computing object) can read from this table but not write to the table. The role would need to have a modify grant on the table to be able to write to it.). Regarding claim 9, Dageville in view of Rapp teaches the method of claim 7, further comprising: receiving, from a user associated with the tenant, a request to modify the at least one computing object of the one or more second computing objects (Dageville Para [0031]. Para [0036]: a role that has a usage grant on a database can “see” this database when executing the command “show databases”; a role that has a select grant on a table (second computing objects) can read from this table but not write to the table. The role would need to have a modify grant on the table to be able to write to it.); and denying the request to modify the at least one computing object of the one or more second computing objects based at least in part on the second set of permissions (Dageville Para [0031]. Para [0036]-[0037]: a role that has a usage grant on a database can “see” this database when executing the command “show databases”; a role that has a select grant on a table (second computing objects) can read from this table but not write to the table. By modifying the list of references of other customer accounts, the share object can be made accessible to more accounts or be restricted to fewer accounts.). Regarding claim 10, Dageville in view of Rapp teaches the method of claim 7, further comprising: receiving, from a user associated with the tenant, a request to modify the at least one computing object of the one or more second computing objects (Dageville Para [0031]. Para [0036]: a role that has a usage grant on a database can “see” this database when executing the command “show databases”; a role that has a select grant on a table (second computing objects) can read from this table but not write to the table. The role would need to have a modify grant on the table to be able to write to it.); and modifying the at least one computing object of the one or more second computing objects in accordance with the request based at least in part on the modifying being allowed by the second set of permissions (Dageville Para [0031]. Para [0036]- [0037]: a role that has a usage grant on a database can “see” this database when executing the command “show databases”; a role that has a select grant on a table (second computing objects) can read from this table but not write to the table. By modifying the list of references of other customer accounts, the share object can be made accessible to more accounts or be restricted to fewer accounts.). Regarding claim 12, Dageville in view of Rapp teaches the method of claim 1, further comprising: receiving, from a user interface view associated with a second tenant of the data management system, a request to access one of the first computing object or the one or more second computing objects (Dageville Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/second computing object, which in turn contains table object T1 and view object V1.); and denying the request to access the one of the first computing object or the one or more second computing objects based at least in part on the one of the first computing object or the one or more second computing objects being assigned to the tenant (Dageville Para [0031]. Para [0036]- [0037]: a role that has a usage grant on a database can “see” this database when executing the command “show databases”; a role that has a select grant on a table (second computing objects) can read from this table but not write to the table. By modifying the list of references of other customer accounts, the share object can be made accessible to more accounts or be restricted to fewer accounts.). As per claims 13, 15, 17 the claims claim an apparatus essentially corresponding to themethod claims 1, 3, 5, above, and they are rejected, at least for the same reasons. As per claim 20, the claim claiming a non-transitory computer-readable medium storing code essentially corresponding to the method claim 1 above, and they are rejected, at least for the same reasons. Claims 2, 4, 6, 11, 14, 16, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dageville (US20220207169A1) in view of Rapp (US 20060230363 A1) in view of Noe (US 10380369 B1). Regarding claim 2, Dageville in view of Rapp teaches the method of claim 1, further comprising: information associated with the first computing object and the one or more second computing objects (Dageville Para [0026]- [0030]: Each Database object D1 contains schema object S1, which in turn contains table object T1 and view object V1.). Dageville in view of Rapp does not explicitly disclose presenting, within a user interface view associated with the tenant. Noe teaches presenting, within a user interface view associated with the tenant (Claim 6. Claim 14. Col 6 lines 3-16: The user interface allows users to interact with the DMS cluster 112. Preferably, each of the DMS nodes includes a user interface 201, and any of the user interfaces can be used to access the DMS cluster 112. The user interface 201 can be used to define what services should be performed.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville in view of Rapp of indication of the assignment of the first computing object to the tenant with the teachings of Noe to include the well-known technique of presenting, within a user interface view associated with the tenant because the results would have been predictable and resulted in use the user interface to define what services should be performed (Noe Claim 6). Regarding claim 4, Dageville in view of Rapp teaches the method of claim 3, further comprising: information associated with the third computing object and the one or more fourth computing objects (Dageville Para [0026]- [0030]: Each Database object D1 contains schema object S1, which in turn contains table object T1 and view object V1.). Dageville in view of Rapp does not explicitly disclose presenting, within a user interface view associated with the second tenant. Noe teaches presenting, within a user interface view associated with the second tenant (Claim 6. Claim 14. Col 6 lines 3-16: The user interface allows users to interact with the DMS cluster 112. Preferably, each of the DMS nodes includes a user interface 201, and any of the user interfaces can be used to access the DMS cluster 112. The user interface 201 can be used to define what services should be performed.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville in view of Rapp of indication of the assignment of the third computing object to the tenant with the teachings of Noe to include the well-known technique of presenting, within a user interface view associated with the second tenant because the results would have been predictable and resulted in use the user interface to define what services should be performed (Noe Claim 6). Regarding claim 6, Dageville in view of Rapp teaches the method of claim 1, wherein receiving the indication of the assignment of the first computing object of the data management cluster to the tenant comprises: receiving the indication of assignment of the first computing object of the data management cluster to the tenant (Dageville Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1.). Dageville in view of Rapp does not explicitly disclose via a user interface view associated with an administrator account for the data management cluster. Noe teaches via a user interface view associated with an administrator account for the data management cluster (Claim 6. Claim 14. Col 6 lines 3-16: The user interface allows users to interact with the DMS cluster 112. Preferably, each of the DMS nodes includes a user interface 201, and any of the user interfaces can be used to access the DMS cluster 112. The user interface 201 can be used to define what services should be performed.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville in view of Rapp of indication of the assignment of the first computing object to the tenant with the teachings of Noe to include the well-known technique of presenting, via a user interface view associated with an administrator account for the data management cluster because the results would have been predictable and resulted in use the user interface to define what services should be performed (Noe Claim 6). Regarding claim 11, Dageville in view of Rapp teaches the method of claim 7, wherein receiving the indication of the assignment to the tenant of the first set of permissions for the first computing object and the second set of permissions for the at least one computing object of the one or more second computing objects comprises: receiving the indication of the assignment to the tenant of the first set of permissions for the first computing object and the second set of permissions for the at least one computing object of the one or more second computing objects (Dageville Fig. 1. Fig. 5. Para [0019]. Para [0026]- [0030]: receiving by the first account/first tenant, a request from the second account/second tenant of Multi-Tenant Database 100 to access data or services of the first account/first tenant. The first account A1/first tenant contains databases objects. Each Database object D1 contains schema object S1/third computing object, which in turn contains table object T1 and view object V1.). Dageville in view of Rapp does not explicitly disclose (perform an action) via a user interface view associated with an administrator account for the data management cluster. Noe (perform an action) via a user interface view associated with an administrator account for the data management cluster. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville in view of Rapp of indication of the assignment of the first computing object to the tenant with the teachings of Noe to include the well-known technique of presenting, via a user interface view associated with an administrator account for the data management cluster because the results would have been predictable and resulted in use the user interface to define what services should be performed (Noe Claim 6). As per claims 14, 16, 18 the claims claim an apparatus essentially corresponding to themethod claims 2, 4, 6 above, and they are rejected, at least for the same reasons. Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Dageville in view of Rapp (US20220207169A1) in view of Rapp (US 20060230363 A1) in view of Bahm (US 20230239344 A1). Regarding claim 21, Dageville in view of Rapp teaches the method of claim 1. Dageville in view of Rapp does not explicitly disclose wherein respective sets of users of the data management system associated with a remainder of the plurality of tenants are barred from accessing the first computing object and the one or more second computing objects based at least in part on assignment of first computing object and the one or more second computing objects to the tenant. Bahm does disclose wherein respective sets of users of the data management system associated with a remainder of the plurality of tenants are barred from accessing the first computing object and the one or more second computing objects based at least in part on assignment of first computing object and the one or more second computing objects to the tenant (Fig. 1. Para [0034]: the cluster 102 can support multiple tenants, also that the cluster 102 can be divided (e.g., logically divided) from a security standpoint into separate access zones such that first data, files, or other data objects associated (first and second object) with a first tenant can be securely separated or isolated from second tenant.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dageville in view of Rapp with the teachings of Bahm to include wherein respective sets of users of the data management system associated with a remainder of the plurality of tenants are barred from accessing the first computing object and the one or more second computing objects based at least in part on assignment of first computing object and the one or more second computing objects to the tenant in order to prevent unauthorized access to the tenant’s object in the multi-tenant cluster (Bahm Para [0034]). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDY BAZNA whose telephone number is (703)756-1258. The examiner can normally be reached Monday - Friday 08:30 AM-05:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JUDY BAZNA/Examiner, Art Unit 2495 /FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495