ENHANCED AUTHORIZATION LAYERS FOR NATIVE ACCESS TO SECURE NETWORK RESOURCES

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Currently pending claims are 1 – 9, & 11 – 20. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01/07/2026 has been entered. Response to Arguments Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive. As per claim 1, Applicant asserts prior-art(s) fails to teach (i) natively supported by the network resource, (ii) an additional set of rules providing an authorization layer that allows for additional authorization requirements not natively supported by the network resource, and (iii) based on the additional set of rules providing the authorization layer that allows for additional authorization requirements not natively supported by the network resource (Remarks: Page 10 / 1st Para / Line 6 – 7). Examiner respectfully disagrees with the following rationale. (a) Examiner notes according to MPEP 2111 of the broadest and reasonable claim interpretations, applicant’s argument has no merit since the alleged limitation such as “exactly and specifically what is the access control rule natively supported by the network resource” has not been specifically recited into the claim. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). (b) In light of that, Kjelstrup (NEW reference) teaches (b-1) first of all, using an initial (or default) access control policy that enables broad access to the services and resources as needed (Kjelstrup: Col. 4 Line 52 – 67 & Col. 12 Line 16 – 23) – this constitutes one type of natively supported rules, as recited and accordingly, (b-2) an additional policy / rule is generated based on the analysis such that applications can be granted (allowed) to access the requested data only to those services and resources that they actually and subsequently use (Kjelstrup: Col. 2 Line 45 – 49) and thus (b-3) allowing for additional authorization requirements, which are necessitated for other users or user groups which are not natively (initially) supported by the network resource, as recited in the claim (Kjelstrup: Col. 5 Line 7 – 10). As such, Applicant's arguments are respectfully traversed. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 2, 5 – 7, 12 – 17 & 20 are rejected under 35 U.S.C.103 as being unpatentable over Sade et al. (U.S. Patent 10,116,658), in view of Kjelstrup et al. (U.S. Patent 11,968,241). As per claim 1 & 17, Sade teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing native agentless authorization for network resources, the operations comprising: receiving a request from a network identity to access a network resource (Sade: Figure 2B / E-2000 & Col. 2 Line 9 – 12 and Col. 7 Line 24 – 27: a client (networking identity) sends a request to access a target service); authenticating the network identity using a native client and communication protocol (Sade: see above & Col. 3 Line 60 – 67 and Col. 5 Line 20 – 23: (a) a proxy entity of CMS (Credential Management System) authenticates the client (network identity) based on an authentication credential sent in the request via (e.g.) a Kerberos protocol, wherein (b) the CMS entity can be an endpoint device on which the client resides, which constitutes a native client), wherein the native client is configured for communicating transparently with the network resource (Sade: Figure 2B / E-2000: the CMS entity (native client) communicates with an authentication service and operates transparently with the target service (i.e. network resource)); authorizing the network identity based on one or more access policy, the one or more access policy comprising rules for accessibility of the network resource (Sade: see above & Col. 3 Line, Col. 4 Line 45 – 57 and Col. 11 Line 21 – 25: the CMS management entity authorizes the client using the client’s authentication credential to access the target service based on various requirements of the security policy). However, Sade does not disclose expressly the one or more access policy includes an additional set of rules providing an authorization layer not natively supported by the network resource. Kjelstrup (& Sade) teaches wherein the one or more access policy includes an additional set of rules providing an authorization layer that allows for additional authorization requirements not natively supported by the network resource (Sade: see above & Col. 11 Line 23 – 25: CMS system enables different (additional) sets of access control parameters (e.g. credentials) associated with different (additional) types of access to be used by the access control policies) || (Kjelstrup: Col. 4 Line 52 – 67, Col. 2 Line 45 – 49 & Col. 5 Line 7 – 10: (a) first of all, using an initial (or default) access control policy that enables broad access to the services and resources as needed (Kjelstrup: Col. 4 Line 52 – 67 & Col. 12 Line 16 – 23) – this constitutes one type of natively supported rules, as recited and accordingly, (b) an additional policy / rule is generated based on the analysis such that applications can be granted (allowed) to access the requested data only to those services and resources that they actually and subsequently use (Kjelstrup: Col. 2 Line 45 – 49) and thus (c) allowing for additional authorization requirements, which are necessitated for other users or user groups which are not natively (initially) supported by the network resource to meet the authentication requirement to access data, as recited in the claim (Kjelstrup: see above & Col. 5 Line 7 – 10)). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of allowing for additional authorization requirements not natively supported by the network resource because Kjelstrup teaches to alternatively, effectively and securely an additional policy / rule is generated based on the analysis such that applications can be granted (allowed) to access the requested data only to those services and resources that they actually and subsequently use and thus allowing for additional authorization requirements, which are necessitated for other users or user groups which are not natively (initially) supported by the network resource (see above) within the Sade’s CMS management system enables different (additional) sets of access control parameters (e.g. credentials) associated with different (additional) types of access to be used by the access control policies to access the target services based on various requirements of the security policy (see above). identifying an account having a secret, based on the one or more access policy (Sade: see above & Col. 4 Line 51 – 57, Col. 3 Line 18 – 19, Col. 11 Line 18 – 25 and Col. 7 Line 45 – 58 / Line 28 – 35: as per an existing privileged account, obtaining a credential of an access token (i.e. PAT: privileged access ticket) from an authentication service based on a privileged credential (e.g. personal credential) associated with the existing privileged account, wherein the credential of the access token (i.e. PAT) can be a one-time (short-lived) ephemeral credential(s)) || (Kjelstrup: see above); accessing the network resource using the secret (Sade: see above & Col. 4 Line 55 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: accessing the target service using the created (e.g.) one-time access token (i.e. PAT) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service) || (Kjelstrup: see above); enabling the network identity to access the network resource using the account using the native client and communication protocol (Sade: see above & Col. 3 Line 60 – 67 and Col. 5 Line 20 – 23: (a) a proxy entity of CMS (Credential Management System) authenticates the client (network identity) based on an authentication credential sent in the request via (e.g.) a Kerberos protocol, wherein (b) the CMS entity can be an endpoint device on which the client resides – this constitutes a native client and communication protocol) || (Kjelstrup: see above); analyzing data, wherein the data is data transferred according to the native communication protocol identifying one or more action or command requested by the network identity within the native client and communication protocol (Sade: see above: analyzing to determine the validity of the requested command based on its associated credential(s)) (Sade: see above) || (Kjelstrup: see above); and analyzing the one or more action or command requested by the network identity based on the additional set of rules providing the authorization layer that allows for additional authorization requirements not natively supported by the network resource (Sade: see above) || (Kjelstrup: see above); and authorizing the one or more requested action or command in real-time based on analysis and the one or more access policy (Sade: see above & Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: (a) the authentication mechanism can be activated based on the credential used by the client along with the parameters of requesting time (Col. 2 Line 29 – 32), wherein (b) the credential can be a one-time use (for a just-in-time service session) (Col. 7 Line 28 – 35) to access target services for authentication and would be timely invalidated of access service for reducing the risk to be compromised from malicious attacks – i.e. authentication in a real-time mode) || (Kjelstrup: see above). As per claim 2, Sade as modified teaches wherein authorizing the one or more requested action or command is performed transparently to the network resource (Sade: Figure 2B / E-2000: the CMS entity (native client) communicates with an authentication service and operates transparently with the target service (i.e. network resource)) || (Kjelstrup: see above). As per claim 5 &20, Sade as modified teaches wherein the additional set of rules includes at least one of: a size of the data (Kjelstrup: see above & Col. 5 Line 2 – 4: a size of data such as only to access certain versions of the resources). As per claim 6 – 7 & 12 – 13, the instant claim is directed to a claimed content having functionality corresponding to the Claims 1 – 5, and are rejected by a similar rationale. As per claim 14, Sade as modified teaches based on a determination that the requested action or command violates at least one of the additional set of rules, performing at least one security action (Sade: see above) || (Kjelstrup: see above & Col. 12 Line 57 – 64: when one action violates at (or conflicts with) another rule, performing a security action for conflict resolution accordingly). As per claim 15 – 16, Sade as modified teaches wherein the at least one security action includes revoking the authentication of the network identity (Sade: see above & Col. 4 Line 64 – 67: denying (preventing) the client access request by revoking (invalidating) the authentication of the client (network identity)) || (Kjelstrup: see above & Col. 12 Line 21 – 23: to deny the client access request to resource). Claims 3 – 4, 8, 9, 11 & 18 – 19 are rejected under 35 U.S.C.103 as being unpatentable over Sade et al. (U.S. Patent 10,116,658), in view of Kjelstrup et al. (U.S. Patent 11,968,241), and in view of Wong et al. (U.S. Patent 7,346,617). As per claim 3 – 4 & 18 – 19, Wong (& Sade as modified) teaches wherein the additional set of rules includes at least one rule associated with a data structure (Sade: see above) || (Wong: FIG. 1 / E-162 & Col. 6 Line 20 – 48: an additional policy can be included that comprises one parameter to determine under what situation the policy can be invoked such as identifying which column in which combination of tables of a data structure (i.e. additional data security) that triggers the policy function – this is consistent with the disclosure of the instant specification (SPEC: Para [0010]: a row level security). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification that the additional set of rules includes at least one rule associated with a data structure because Wong teaches to alternatively, effectively and securely first teaches fine-grained access control supported by the network resource of DB provider are used to grant / deny access to one or more rows of a database table and then continues to teach providing additional set of DB (database) column-oriented access control rules as additional authorization requirements for the database access policy (see above) within the Sade’s CMS management system enables different (additional) sets of access control parameters (e.g. credentials) associated with different (additional) types of access to be used by the access control policies to access the target services based on various requirements of the security policy (see above). As per claim 8, Sade as modified teaches allowing limited advanced access to the network resource based on the additional set of rules (Sade: see above) || (Wong: FIG. 1 / E-162 & Col. 5 Line 60 – 62 and Col. 6 Line 20 – 48: (at least) a <list of table names> represents a list of names of tables to which access is limited). As per claim 9, Sade as modified teaches wherein allowing limited advanced access does not adjust the network resource (Sade: see above) || (Wong: FIG. 1 / E-162 & Col. 5 Line 60 – 62 and Col. 6 Line 20 – 48: (at least) (a) <list of table names> represents a list of names of tables to which access is limited and (b) the limitations are based on the client’s credential and the tables (data structures) are not adjusted for the requested access). As per claim 11, Sade as modified teaches wherein analyzing the data transferred according to the native communication protocol includes: receiving, from the network resource, a result of the one or more action or command; and analyzing the result of the action based on the additional set of rules (Sade: see above) || (Wong: see above & Col. 1 Line 62 – 64: the analyzed result of access control includes the grant or denial of client access request to one or more rows of a table). Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. --------------------------------------------------- /Longbit Chai/ Longbit Chai E.E. Ph.D. Primary Examiner, Art Unit 2431 No. #2497 – 2026 ---------------------------------------------------