Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-9, 11-14, 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rajendran (US 2024/0037212) in view of Griffin (US 11,520,909)
Regarding Claim 1,
Rajendran (US 2024/0037212) teaches a method, comprising:
receiving an indication of a configuration for a quorum-based authorization policy that controls interactions between two or more users and a security cloud service of a data management system (DMS) (Fig. 1A and associated text, see Policy, including MPA (i.e. multi-party authorization))(Fig. 5A and associated text, teaches cloud service)
the configuration including a policy scope for the quorum- based authorization policy, one or more protected actions that trigger the quorum-based authorization policy, and one or more compute objects to which the quorum-based authorization policy is assigned (Fig. 1A, 132 teaches authorization requirement for particular operation, also see compute objects, 121, 122, 123)
receiving, from a global administrator of the security cloud service with manage user access permissions, an instruction to assign a first user of the two or more users as a quorum-based authorization approver (Fig. 2A-2B, teaches Admin 204 assigning user as approver)
receiving an instruction to assign a set of role-based access control (RBAC) permissions associated with the quorum-based authorization policy to a first user of the two or more users (Fig. 1A, RBAC Access control records)
receiving a request to perform a protected action on at least one compute object of the one or more compute objects to which the quorum-based authorization policy is assigned, the request originating from a second user of the two or more users (Fig. 1A, 132, teaches receiving a request for a particular operation and the corresponding authorization requirements)
triggering a two-person rule (TPR) enforcement mechanism of the quorum- based authorization policy based at least in part on the request from the second user, wherein triggering the TPR enforcement mechanism comprises requesting approval from the first user with the set of RBAC permissions; and executing the protected action on the at least one compute object after receiving the approval from the first user with the set of RBAC permissions (Paragraph [0032] teaches MPA workflow obtains two or more authorizations before executing a protected action)(Fig. 1A, teaches looking up RBAC permission record)
Rajendran does not explicitly teach wherein the global administrator does not have the set of RBAC permissions based at least in part on the global administrator having the manage user access permissions, and wherein the quorum-based authorization approver does not have the manage user access permissions based at least in part on the quorum-based authorization approver having the set of RBAC permissions
Griffin (US 11,520,909) teaches wherein the administrator does not have the set of approver permissions, and wherein the quorum-based authorization approver does not have the administrator permissions (Col. 1, 11-20, teaches wherein separate the approver role and the administrator role)
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Rajendran with the method of separating approver permissions and administrator permissions and the results would be predictable (i.e. the administrator would not have approver permissions and the approver would not have administrator privileges)
Regarding Claim 2,
Rajendran and Griffin teaches the method of claim 1, Rajendran teaches wherein the policy scope for the quorum-based authorization policy comprises: assigning the quorum-based authorization policy to a set of compute objects within the DMS, a set of node clusters within the DMS, a set of service level agreement (SLA) domains within the DMS, or any combination thereof (Paragraph [0042] teaches cluster record, node record, VM record)
Regarding Claim 3,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the one or more protected actions that trigger the quorum-based authorization policy comprise deleting a snapshot of a compute object within the DMS, modifying a legal hold status of a compute object within the DMS, assigning a service level agreement (SLA) domain to at least one compute object within the DMS, or adjusting a retention lock on a compute object within the DMS (Paragraph [0049] teaches requirement to invoke multi-party consensus based on “Delete VM snapshot”)
Regarding Claim 4,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the one or more compute objects to which the quorum-based authorization policy is assigned include at least one of a virtual machine (VM), a system host, a database, or a managed data volume (Paragraph [0042] teaches cluster record, node record, VM record)
Regarding Claim 5,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the request to perform the protected action on the at least one compute object further indicates an execution type for the protected action, an identifier of the quorum-based authorization policy, an identifier of the protected action, a timestamp associated with the request, data associated with the at least one compute object, a set of service identifiers that are exempt from the quorum-based authorization policy, or any combination thereof (Paragraph [0049] teaches requirement to invoke multi-party consensus based on “Delete VM snapshot”)
Regarding Claim 6,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches further comprising: receiving a request to assign a second set of RBAC permissions to the first user in addition to the set of RBAC permissions associated with the quorum-based authorization policy (Paragraph [0069] teaches a user with multiple roles)
Regarding Claim 7,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches further comprising: determining that the request to perform the protected action triggers two or more quorum-based authorization policies of the security cloud service; and refraining from executing the protected action until approval is received for each of the two or more quorum-based authorization policies triggered by the request (Fig. 3, in particular 302, 310, 142)
Regarding Claim 8,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the quorum-based authorization policy is configured by a global administrator of the security cloud service (Fig. 2A, teaches Admin 204 configuring quorum based authorization policy)
Regarding Claim 9,
Rajendran and Griffin teaches the method of claim 8. Rajendran teaches further comprising: receiving, from the global administrator, a request to view or cancel one or more quorum-based authorization requests from other users of the security cloud service (Paragraph [0067] teaches denying operation requests from users of the service)
Regarding Claim 11,
Rajendran and Griffin teaches the method of claim 8. Rajendran teaches wherein the global administrator is authorized to view, approve, and deny quorum-based authorization requests within the policy scope of the quorum-based authorization policy, disable the quorum-based authorization policy, assign RBAC permissions to other users of the security cloud service, or any combination thereof (Paragraph [0067] teaches denying operation requests from users of the service).
Regarding Claim 12,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the set of RBAC permissions assigned to the first user comprise viewing, approving, and denying quorum-based authorization requests within the policy scope of the quorum-based authorization policy (Fig. 2B, teaches permissions assigned to the user comprises viewing, approving and denying requests)
Regarding Claim 13,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the set of RBAC permissions assigned to the first user exclude managing user access permissions for the quorum-based authorization policy (Paragraph [0058] teaches excluding user access permissions from certain users).
Regarding Claim 14,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches further comprising: comparing the protected action and the at least one compute object to a list of protected action-object pairs for the quorum-based authorization policy, wherein triggering the TPR enforcement mechanism of the quorum-based authorization policy is based at least in part on determining that the protected action and the at least one compute object are present on the list of protected action-object pairs (Paragraph [0126] teaches comparing the action object pair to a protected action (i.e. deleting a snapshot) and triggering MPA enforcement)
Regarding Claim 16,
Rajendran and Griffin teaches the method of claim 1. Rajendran teaches wherein the security cloud service of the DMS supports multi-tenant quorum-based authorization (Paragraph [0003] teaches clusters are in public clouds)
Regarding Claims 17-19,
Claims 17-19 are similar in scope to Claims 1-3 and are rejected for a similar rationale.
Regarding Claim 20,
Claim 20 is similar in scope to Claim 1 and is rejected for a similar rationale.
Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rajendran and Griffin in view of Weintraub (US 11,005,889)
Regarding Claim 10,
Rajendran and Griffin teaches the method of claim 8, further comprising: but does not explicitly teach receiving, from the global administrator, a request to edit the configuration of the quorum-based authorization policy; and requesting approval from the first user with the set of RBAC permissions before changing the configuration of the quorum-based authorization policy in accordance with the request.
Weintraub (US 11,005,889) teaches receiving, from the administrator, a request to edit the configuration of the quorum-based authorization policy; and requesting approval from the first user before changing the configuration of the quorum-based authorization policy in accordance with the request (Col. 1, lines 38-54, also see Fig. 3 and supporting text, teaches administrators can edit a policy, and each user device must determine whether to approve before changing the policy)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Rajendran with the consensus based modified policy as taught by Weintraub
The motivation is to allow for consensus-based policy management (Abstract of Weinstraub)
Claim(s) 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rajendran and Griffin in view of Wright (US 2010/0325159)
Regarding Claim 15,
Rajendran and Griffin teaches the method of claim 1, but does not explicitly teach wherein triggering the TPR enforcement mechanism comprises: transmitting a quorum-based authorization request to the first user with the set of RBAC permissions based at least determining that the at least one compute object is a descendent of an ancestor object protected by the quorum-based authorization policy.
Wright (US 2010/0325159) teaches transmitting am authorization request to the first user based at least determining that the at least one compute object is a descendent of an ancestor object protected by the authorization policy (Claim 17 and supporting text teaches determining relationship between ancestor object and hierarchical relationships for an authorization request)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Rajendran with the method of determining an ancestor object protected by the authorization policy
The motivation is to inspect implicit authorization relationships (Abstract of Wright)
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HARRIS C WANG/Primary Examiner, Art Unit 2439
Prosecution Insights