Prosecution Insights
Last updated: April 19, 2026
Application No. 18/424,763

AUTOMATIC DEPLOYMENT OF APPLICATION SECURITY POLICY USING APPLICATION MANIFEST AND DYNAMIC PROCESS ANALYSIS IN A CONTAINERIZATION ENVIRONMENT

Final Rejection §103 §DP
Filed: Jan 27, 2024
Examiner: DAO, TUAN C.
Art Unit: 2198
Tech Center: 2100 — Computer Architecture & Software
Assignee: Suse LLC
OA Round: 2 (Final)
Grant Probability: 82% (Favorable)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 98%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (642 granted / 782 resolved), +27.1% vs TC avg
Strong +16% interview lift
Interview Lift: +15.6% (resolved cases with interview)
Typical timeline: 3y 1m Avg Prosecution
38 currently pending
Career history: 820 Total Applications across all art units

Statute-Specific Performance

§101: 18.3% (-21.7% vs TC avg)
§103: 51.8% (+11.8% vs TC avg)
§102: 18.6% (-21.4% vs TC avg)
§112: 5.3% (-34.7% vs TC avg)
Based on career data from 782 resolved cases

Office Action

§103 §DP
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This communication is responsive to Amendment filed 01/09/2026. Claims 1-20 have been examined.

Response to Amendment

In the instant amendment, claims 1-2, 4-5, 7-8, and 11-20 have been amended. The double patenting rejection over claims 1-20 is maintained in view of Applicant’s amendments.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.
A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Initially, it should be noted that the present application and Application No. 12/427,090, have the same inventive entity. The assignee for both applications is IBM Corporation.

Claims 1-6, 8-13 and 15-19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-6 of patent 11966463. Although the conflicting claims are not identical, they are not patentably distinct from each other. Claims 1-6, 8-13 and 15-19 are compared to claim 1-6 of patent 11966463 in the following table:

Instant Application | Patent 11966463

1. (Currently Amended) A computer-implemented method in a virtualized system, the computer-implemented method comprising: automatically determining a security policy to be created for a virtual instance that was added to the virtualized system, wherein the security policy, is based on a specific text pattern; generating the security policy based on information regarding the virtual instance and running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; blocking an action from being performed or already being performed by the virtual instance in response to it being determined that the action is not identified in the set of actions; and transmitting the security policy to a graphical user interface container for presentation to a user via a display device.

2. (Currently Amended) The computer-implemented method of claim 1, comprising: detecting that the virtual instance has been added to the virtualized system; and periodically querying a container system for initiated virtual instances.

3. (Original) The computer-implemented method of claim 1, comprising: opening a manifest for the virtual instance; and executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

4. (Currently Amended) The computer-implemented method of claim 1, wherein the running service information indicates a network connection between the virtual instance and an other virtual instance within a namespace containing the virtual instance and the other virtual instance.

5. (Currently Amended) The computer-implemented method of claim 1, wherein the generating of the security policy for the virtual instance further comprises: generating one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of a manifest or the running service information.

6. (Original) The computer-implemented method of claim 1, comprising: retrieving the running service information regarding the virtual instance; and executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance.

8.
(Currently Amended) A non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, configure the one or more processors to perform: automatically determining a security policy to be created for a virtual instance added to the virtualized system, wherein the security policy, is based on a specific text pattern; generating the security policy based on information regarding the virtual instance and running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; blocking an action from being performed or already being performed by the virtual instance in response to it being determined determining that the action is not identified in the set of actions; and transmitting the security policy to a graphical user interface container for presentation to a user via a display device.

9. (Currently Amended) The non-transitory computer-readable medium of claim 8, comprising: detecting that the virtual instance has been added to the virtualized system; and periodically querying a container system for initiated virtual instances.

10. (Original) The non-transitory computer-readable medium of claim 8, comprising: opening a manifest for the virtual instance; and executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

11. (Currently Amended) The non-transitory computer-readable medium of claim 8, wherein the running service information indicates a network connection between the virtual instance and an other virtual instance within a namespace containing the virtual instance and the other virtual instance.

12.
(Currently Amended) The non-transitory computer-readable medium of claim 8, wherein the generating of the security policy for the virtual instance further comprises: generating one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of a manifest or the running service information.

13. (Original) The non-transitory computer-readable medium of claim 8, comprising: retrieving the running service information regarding the virtual instance; and executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance.

15. (Currently Amended) A system comprising: a processor that, when executing instructions stored in a memory, is configured to: automatically determine a security policy to be created for a virtual instance added to the virtualized system, wherein the security policy, is based on a specific text pattern; generate the security policy based on information regarding the virtual instance and running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; block an action from being performed or already being performed by the virtual instance in response to it being determined that the action performed by the virtual instance is not identified in the set of actions; and transmit the security policy to a graphical user interface container for presentation to a user via a display device.

16. (Currently Amended) The system of claim 15, wherein the processor is configured to: detect that the virtual instance has been added to the virtualized system; and periodically query a container system for initiated virtual instances.

17.
(Currently Amended) The system of claim 15, wherein the processor is configured to: open a manifest for the virtual instance; and execute a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

18. (Currently Amended) The system of claim 15, wherein the running service information indicates a network connection between the virtual instance and an other virtual instance within a namespace containing the virtual instance and the other virtual instance.

19. (Currently Amended) The system of claim 15, wherein, when the processor is configured to generate the security policy for the virtual instance, the processor is further configured to: generate one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of a manifest or the running service information.

1. A computer-implemented method in a virtualized system, the method comprising: detecting that a virtual instance has been added to the virtualized system, the virtual instance having computer-readable instructions; in response to the detecting, opening a manifest of the virtual instance, the manifest comprising information regarding the virtual instance, wherein a portion of the information is labeled using a specific text pattern indicative of a type and purpose of the information; retrieving running services information about the virtual instance running on the virtualized system; automatically determining a security policy to be created for the virtual instance based on the specific text pattern; generating the security policy for the virtual instance based on the information regarding the virtual instance, and the running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; blocking an action performed
by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions; and transmitting the security policy to a graphical user interface container for presentation to a user via a display device.

The computer-implemented method of claim 1, wherein the detecting that the virtual instance has been added comprises: periodically querying the container system for initiated virtual instances.

3. The computer-implemented method of claim 1, wherein the opening a stored manifest for the virtual instance further comprises: executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

4. The computer-implemented method of claim 1, wherein the running services information indicates a network connection between the virtual instance and another virtual instance within a namespace containing the virtual instance and the another virtual instance.

5. The computer-implemented method of claim 1, wherein the generating the security policy for the virtual instance further comprises: generating one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of the manifest and the running service information associated with the virtual instance.

6. The computer-implemented method of claim 1, wherein the retrieving the running services information regarding the virtual instance further comprises: executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance.

1.
A computer-implemented method in a virtualized system, the method comprising: detecting that a virtual instance has been added to the virtualized system, the virtual instance having computer-readable instructions; in response to the detecting, opening a manifest of the virtual instance, the manifest comprising information regarding the virtual instance, wherein a portion of the information is labeled using a specific text pattern indicative of a type and purpose of the information; retrieving running services information about the virtual instance running on the virtualized system; automatically determining a security policy to be created for the virtual instance based on the specific text pattern; generating the security policy for the virtual instance based on the information regarding the virtual instance, and the running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; blocking an action performed by the virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions; and transmitting the security policy to a graphical user interface container for presentation to a user via a display device.

2. The computer-implemented method of claim 1, wherein the detecting that the virtual instance has been added comprises: periodically querying the container system for initiated virtual instances.

3. The computer-implemented method of claim 1, wherein the opening a stored manifest for the virtual instance further comprises: executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

4.
The computer-implemented method of claim 1, wherein the running services information indicates a network connection between the virtual instance and another virtual instance within a namespace containing the virtual instance and the another virtual instance.

5. The computer-implemented method of claim 1, wherein the generating the security policy for the virtual instance further comprises: generating one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of the manifest and the running service information associated with the virtual instance.

5. The computer-implemented method of claim 1, wherein the retrieving the running services information regarding the virtual instance further comprises: executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance.

1. A computer-implemented method in a virtualized system, the method comprising: detecting that a virtual instance has been added to the virtualized system, the virtual instance having computer-readable instructions; in response to the detecting, opening a manifest of the virtual instance, the manifest comprising information regarding the virtual instance, wherein a portion of the information is labeled using a specific text pattern indicative of a type and purpose of the information; retrieving running services information about the virtual instance running on the virtualized system; automatically determining a security policy to be created for the virtual instance based on the specific text pattern; generating the security policy for the virtual instance based on the information regarding the virtual instance, and the running service information associated with the virtual instance, wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; blocking an action performed by the
virtual instance in response to determining that the action performed by the virtual instance does not match any action in the set of actions; and transmitting the security policy to a graphical user interface container for presentation to a user via a display device.

2. The computer-implemented method of claim 1, wherein the detecting that the virtual instance has been added comprises: periodically querying the container system for initiated virtual instances.

3. The computer-implemented method of claim 1, wherein the opening a stored manifest for the virtual instance further comprises: executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance.

4. The computer-implemented method of claim 1, wherein the running services information indicates a network connection between the virtual instance and another virtual instance within a namespace containing the virtual instance and the another virtual instance.

5. The computer-implemented method of claim 1, wherein the generating the security policy for the virtual instance further comprises: generating one or more network rules that allow the virtual instance to make one or more network connections indicated in at least one of the manifest and the running service information associated with the virtual instance.

Allowable Subject Matter

Claims 7, 14 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C.
103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3, 5-6, 8, 10, 12-13, 15, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0093921 to Duan in further view of US 2018/0352034 to Mutreja et al.
(hereafter “Mutreja”) and in further view of US 2019/0081955 to Chugtu et al. (hereafter “Chugtu”).

As per claim 1, Duan discloses a computer-implemented method in a virtualized system, the computer-implemented method comprising: automatically determining a security policy to be created for a virtual instance (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted. These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”) that was added to the virtualized system (In view of the specification, FIG. 4, paragraphs 0105 and 0108-0109 and claim 7, a virtual instance is an application container → the container is considered as a virtual instance, therefore, Duan FIG1, paragraphs 0015 and 0033: “Instead, the security container 150 monitors the VM 115 (or container server 110 if the container environment is the container server 110 itself); generating the security policy based on information regarding the virtual instance and running service information associated with the virtual instance (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”), wherein the security policy defines a set of actions that the virtual instance can perform (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination.
In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”); and transmitting the security policy to a graphical user interface container for presentation to a user via a display device (FIG. 4A; paragraphs 0036-0037, 0069, 0071 and 0073: “As noted above, the UI container 165 communicates with the management container 155 and via the user interface the UI container 165 may indicate to the management container 155 the various configuration options requested by a user.”).

Duan does not explicitly disclose wherein the security policy, is based on a specific text pattern; wherein the security policy defines a set of actions that the virtual instance can perform regarding the information labeled with the specific text pattern; and blocking an action from being performed or already being performed by the virtual instance in response to it being determined that the action is not identified in the set of actions.

Mutreja further discloses wherein the security policy, is based on a specific text pattern (paragraphs 0061-0062 and 0066: “Rule generator 724 may be configured to automatically generate rules, or enable a user to configure rules either from scratch or to configure existing rules. For instance, UI 712 may enable a user to input text/patterns and/or logic (e.g., an expression, a string, etc.) desired for a rule to be generated to route file system objects based on tag values. For example, UI 712 may include a graphical user interface (GUI) that displays one or more forms and/or other UI controls that enable a user to configure a rule, including assigning a rule name and configuring logic of the rule.
Rule generator 724 may be alternatively or additionally configured to automatically analyze tags applied to file system objects and to generate rules based thereon.”); wherein the security policy defines a set of actions that the virtual instance can perform (paragraphs 0023, 0059, 0063 and 0066: rules define logics/actions) regarding the information labeled with the specific text pattern (paragraphs 0061-0062 and 0066: “Rule generator 724 may be configured to automatically generate rules, or enable a user to configure rules either from scratch or to configure existing rules. For instance, UI 712 may enable a user to input text/patterns and/or logic (e.g., an expression, a string, etc.) desired for a rule to be generated to route file system objects based on tag values. For example, UI 712 may include a graphical user interface (GUI) that displays one or more forms and/or other UI controls that enable a user to configure a rule, including assigning a rule name and configuring logic of the rule. Rule generator 724 may be alternatively or additionally configured to automatically analyze tags applied to file system objects and to generate rules based thereon.” → logic/actions associated with the ruled named/coded/tagged with text/pattern/expression/string).

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Mutreja into Duan’s teaching because it would provide for the purpose of rule-based logic may be utilized to determine which file system objects may be routed to a cloud-based location, as well as the specific cloud-based location in which to store or to direct the file system objects (Mutreja, paragraph 0004).

Chugtu further discloses blocking an action from being performed or already being performed by the virtual instance (FIG.
1A; paragraph 0024: a container (virtual instance as claimed) in a server device which is a virtual machine) in response to it being determined that the action is not identified in the set of actions (FIG. 4: block 440: to prevent the container from exchanging traffic; paragraphs 0009, and 0046: “In this way, the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host).” → the container cannot communicate with other containers if they are not a same service).

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Chugtu into Duan’s teaching and Mutreja’s teaching because it would provide for the purpose of the server device can isolate the container, such that the container cannot communicate with other containers associated with a different service, application, and/or tenant (e.g., even when the containers are on the same host) (Chugtu, paragraph 0009).

As per claim 3, Duan discloses opening a manifest for the virtual instance (paragraphs 0037, 0069, 0071 and 0079: “Once the UI monitor 440 receives configuration settings from the UI container 165, the UI monitor 440 forwards the configuration settings to the configuration module 410 to process and distribute among the different containers.”), the manifest comprising configuration settings for the newly added application container (paragraphs 0047-0049 and 0061: “When the intercept module 210 receives a notification from the app state monitor 230 that a particular app container 120 is initiated, the intercept module 210 determines, according to configuration rules, whether the traffic for that app container 120 should be intercepted.
These rules may be determined by the intercept module 210 dynamically, or may be preconfigured.”) and executing a command line interface instruction to cause a virtualized service of the virtualized system to output manifest data for the virtual instance (paragraph 0037: “The container system 105, in one embodiment, also includes a user interface (UI) container 165 to provide a user interface to a user. The UI container 165 may interface with a user using a graphical user interface (GUI) or a command line interface (CLI)”).

As per claim 5, Duan discloses wherein the generating the security policy for the virtual instance (paragraphs 0036, 0048, 0069 and 0071: “The management container 155 may configure the settings and rules for the security containers 150 and the analytics container 160 in the container system 105. For example, these rules may indicate what type of network traffic to log or to filter out. The management container 155 monitors the activities of other management containers 155 and the security containers 150.”) further comprises: generating one or more network rules (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”) that allow the virtual instance to make one or more network connections indicated in at least one of a manifest or the running service information (paragraphs 0084-0085 and 0087: “The security container 150 may determine, based on a particular set of rules, whether to drop the data or forward it to the intended destination. In some cases, the security container 150 may create a copy of the data while forwarding the original data, and inspect the copy instead.”).

As per claim 6, Duan discloses retrieving the running service information regarding the virtual instance (paragraphs 0040-0043 and 0046: “In one embodiment, the app state monitor 230 may also monitor other information regarding the application containers 120, such as their performance, resources used, number of processes opened, number of file handles opened, number and status of network connections, and so on. The app state monitor 230 may determine this information using the API of the container service 130 or using system commands (e.g., "ss" for network connections in Linux).”); and executing a command line interface instruction to request a list of service descriptors for a namespace comprising the virtual instance (paragraph 0037: “The container system 105, in one embodiment, also includes a user interface (UI) container 165 to provide a user interface to a user. The UI container 165 may interface with a user using a graphical user interface (GUI) or a command line interface (CLI)”)

As per claim 8, it is a medium claim, which recite(s) the same limitations as those of claim 1. Accordingly, claim 8 is rejected for the same reasons as set forth in the rejection of claim 1.

As per claim 10, it is a medium claim, which recite(s) the same limitations as those of claim 3. Accordingly, claim 10 is rejected for the same reasons as set forth in the rejection of claim 3.

As per claim 12, it is a medium claim, which recite(s) the same limitations as those of claim 5. Accordingly, claim 12 is rejected for the same reasons as set forth in the rejection of claim 5.

As per claim 13, it is a medium claim, which recite(s) the same limitations as those of claim 6. Accordingly, claim 13 is rejected for the same reasons as set forth in the rejection of claim 6.

As per claim 15, it is a system claim, which recite(s) the same limitations as those of claim 1. Accordingly, claim 15 is rejected for the same reasons as set forth in the rejection of claim 1.
As per claim 17, it is a system claim, which recite(s) the same limitations as those of claim 3. Accordingly, claim 17 is rejected for the same reasons as set forth in the rejection of claim 3.

As per claim 19, it is a system claim, which recite(s) the same limitations as those of claim 5. Accordingly, claim 19 is rejected for the same reasons as set forth in the rejection of claim 5.

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Duan, Mutreja and Chugtu, as applied to claims 1, 8 and 15, and in further view of US 2016/0092251 to Wagner.

As per claim 2, Duan discloses wherein the detecting that the virtual instance has been added to the virtualized system (paragraphs 0015 and 0023). Wagner further discloses periodically querying the container system for initiated virtual instances (paragraph 0055). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Wagner into Duan’s teaching, Mutreja’s teaching and Chugtu’s teaching because, by maintaining a pool of pre-initialized virtual machine instances that are ready for use as soon as a user request is received, delay (sometimes referred to as latency) associated with executing the user code (e.g., instance and language runtime startup time) can be significantly reduced (Wagner, paragraph 0013).

As per claim 9, it is a medium claim, which recite(s) the same limitations as those of claim 2. Accordingly, claim 9 is rejected for the same reasons as set forth in the rejection of claim 2.

As per claim 16, it is a system claim, which recite(s) the same limitations as those of claim 2. Accordingly, claim 16 is rejected for the same reasons as set forth in the rejection of claim 2.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Duan, Mutreja and Chugtu, as applied to claims 1, 8 and 15, and in further view of US 2015/0101042 to Yang.

As per claim 4, Duan does not explicitly disclose wherein the running service information indicates a network connection between the virtual instance and an other virtual instance within a namespace containing the virtual instance and the an other virtual instance. Yang further discloses wherein the running services information indicates a network connection between the virtual instance and an other virtual instance within a namespace containing the virtual instance and the an other virtual instance (FIG. 1; paragraph 0017). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine a teaching of Yang into Duan’s teaching, Mutreja’s teaching and Chugtu’s teaching because it would serve the purpose of managing permissions in a virtualized computing system, where the virtualized computing system has a plurality of inventory objects and an access control subsystem that manages permissions to perform actions on the inventory objects using corresponding access control labels of the inventory objects (Yang, paragraph 0004).

As per claim 11, it is a medium claim, which recite(s) the same limitations as those of claim 4. Accordingly, claim 11 is rejected for the same reasons as set forth in the rejection of claim 4.

As per claim 18, it is a system claim, which recite(s) the same limitations as those of claim 4. Accordingly, claim 18 is rejected for the same reasons as set forth in the rejection of claim 4.

Response to Arguments

Applicants’ arguments have been considered but are moot in view of the new ground(s) of rejection. Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action.

Conclusion

Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tuan Dao whose telephone number is (571) 270 3387. The examiner can normally be reached on Monday to Friday from 09am to 05pm. The examiner can also be reached on alternate Fridays. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do, can be reached at telephone number (571) 272 3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center or Private PAIR to authorized users only.
Should you have questions about access to Patent Center or the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.

/TUAN C DAO/
Primary Examiner, Art Unit 2198

Prosecution Timeline

Jan 27, 2024
Application Filed
Oct 27, 2025
Non-Final Rejection — §103, §DP
Jan 09, 2026
Response Filed
Mar 10, 2026
Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602257
ELECTRONIC DEVICE AND OPERATING METHOD WITH MODEL CO-LOCATION
2y 5m to grant Granted Apr 14, 2026
Patent 12566648
METHOD OF PROCESSING AGREEMENT TASK
2y 5m to grant Granted Mar 03, 2026
Patent 12566627
PREDICTING THE NEXT BEST COMPRESSOR IN A STREAM DATA PLATFORM
2y 5m to grant Granted Mar 03, 2026
Patent 12561173
METHOD FOR DATA PROCESSING AND APPARATUS, AND ELECTRONIC DEVICE
2y 5m to grant Granted Feb 24, 2026
Patent 12561591
CLASSIFICATION AND TRANSFORMATION OF SEQUENTIAL EVENT DATA
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

3-4
Expected OA Rounds
82%
Grant Probability
98%
With Interview (+15.6%)
3y 1m
Median Time to Grant
Moderate
PTA Risk
Based on 782 resolved cases by this examiner. Grant probability derived from career allow rate.