DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
The response of 12/15/25 was received and considered. Claims 1-23 are currently pending. Newly added claim 22 is objected to as being dependent upon a rejected base claim. As per claim 1, Applicant argues Hassard lacks or fails to disclose “receive from a user a request for access permission for the protected resource”, “prompt an administrator to process the request for access permission”, and “in response to determining that the instruction for processing the request is to grant access, grant the user access to the protected resource”. The examiner respectfully disagrees. Hassard teaches, paragraph 0003, “…configuring, within one or more user interfaces of an agent management service, a first software agent with a set of parameters, the set of parameters including at least an identifier of an application programming interface (API) endpoint…and one or more permissions…”. The examiner is mapping “user configuring parameters/permissions” as the “request for access permission” for the AI agent to access the resource. Hassard teaches, paragraph 0038, “The API service 165 may enable administrators to control user API access (e.g. whether the user 185 and/or one or more other users have access to one or more particular APIs)…via authorization policies…”. Therefore the user interface “prompts” the admin system to evaluate the request against policies. Paragraph 0003 of Hassard teaches “…receiving, from the agent management service, an authentication token for the first software agent…usable by the first software agent for accessing resources of the first service…”. Therefore, the system grants access by issuing the authentication token (UCAN/JWT). The independent claims, as currently drafted, are broad, directed to an abstract idea of gathering and translating data, and lack integration into a practical application.
However, claim 22, recites a technical improvement to the functioning of the computer system itself by simulating database modifications before committing them to the live production environment. This is a specific technological solution to the functioning of the database/resource management system itself.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-3 and 5-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hassard et al, US 2025/0245311.
Regarding claim 1, Hassard teaches a system for granting just-in-time access to a protected resource (Paragraph 0025: first software agent is authorized to query, and one or more permissions associated with the queries to the API endpoint by the first software agent), comprising:
one or more processors (0004: one or more processors couple with the one or more memories) configured to:
receive from a user a request for access permission for the protected resource (0003: configuring, within one or more user interfaces of an agent management service, a first software agent with a set of parameters, the set of parameters including at least an identifier of an application programming interface (API) endpoint of a first service that the first software agent is authorized to query and one or more permissions. “user configuration parameters/permissions” is equivalent to the “request for access permission” for the AI agent to access the resource);
prompt an administrator to process the request for access permission (0038: “The API service 165 may enable administrators to control user API access (e.g. whether the user 185 and/or one or more other users have access to one or more particular APIs)… via authorization policies…” The user interface “prompts” the admin system to evaluate the request against policies);
receive from the administrator an instruction for processing the request for access permission (0026: Thus, the user may configure a software agent (e.g., the first software agent) with an authentication token authorizing the software agent to read data, write data, create data, delete data. The configuration inputs (the authorization policy or permission checkboxes in UI)); and
in response to determining that the instruction for processing the request is to grant access, grant the user access to the protected resource (0003: receiving, from the agent management service, an authentication token for the first software agent, the authentication token being usable by the first software agent for accessing resources of the first service. The system grants access by issuing the authentication token (UCAN/JWT)); and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (0004: The apparatus may include one or more memories storing processor executable code, and one or more processors coupled with the one or more memories.).
Regarding claim 2, Hassard teaches the system of claim 1, wherein the request for access permission for the protected resource is an HTTPS request (0034: browser may be redirected to the SSO service. 0035: the access gateway 130 may support integrations with legacy applications 110 using hypertext transfer protocol (HTTP)).
Regarding claim 3, Hassard teaches the system of claim 1, wherein the request for access permission for the protected resource is received from a web browser running on a client system (0060: …hypertext transfer protocol (HTTP) request…Fig. 1 and 2, user 185. Paragraph 0034: the browser (e.g., the user's request communicated via the browser) may be redirected by an access gateway 130 (e.g., a reverse proxy-based virtual application configured to secure web applications 110)).
Regarding claim 5, Hassard teaches the system of claim 1, wherein the protected resource is a database (0031: the cloud system 125 (also referred to as a cloud-based infrastructure or environment) may be an example of a system of compute resources (such as servers, databases, virtual machines, containers)).
Regarding claim 6, Hassard teaches the system of claim 1, wherein the protected resource is a cluster of virtual machines (0031: the cloud system 125 (also referred to as a cloud-based infrastructure or environment) may be an example of a system of compute resources (such as servers, databases, virtual machines, containers)).
Regarding claim 7, Hassard teaches the system of claim 1, wherein granting the user access permission for the protected resource comprises generating a token with which the user accesses the protected resource (0025: …agent management service may then generate the authentication token for the first software agent.).
Regarding claim 8, Hassard teaches the system of claim 7, wherein the token is a JSON Web Token (JWT) (0060: A UCAN token may be an extension of a JavaScript object notation (JSON) web token (JWT) format such that the user 185 (e.g., a developer user 185) is capable of transmitting or sending the UCAN token in a bearer header of a hypertext transfer protocol (HTTP) request similar to as if transmitting or sending a JWT token.).
Regarding claim 9, Hassard teaches the system of claim 1, wherein the one or more processors are further configured to: receive from the user a request to access the protected resource; send the request to access the protected resource to an access agent for the protected resource (0034: …browser (e.g. the user’s request)…may be redirected by an access gateway 130 (e.g., a reverse proxy-based virtual application configured to secure web applications…)); and in response to the access agent validating the user, providing the user with access to the protected resource (0036: …the computing device 105 may forward the token to the SP. Accordingly, the SP may verify the authenticity of the token and determine whether the user 185 is authorized to access the requested applications 110).
Regarding claim 10, Hassard teaches the system of claim 9, wherein: granting the user access to the protected resource comprises generating a token with which the user accesses the protected resource; and the token is sent in connection with the request to access the protected resource (0060: …sending the UCAN token in a bearer header of a hypertext transfer protocol (HTTP) request…Fig. 1-5: A user of an identity management system may configure a software agent with a set of parameters within one or more user interfaces of an agent management service.).
Regarding claim 11, Hassard teaches the system of claim 10, wherein validating the user comprises validating the token (0064: the authentication application may validate the authentication token and the issuer of the authentication token by accessing an authentication server).
Regarding claim 12, Hassard teaches the system of claim 9, wherein the one or more processors are further configured to: in response to receiving the request for access permission for the protected resource, log the request to access the protected resource (0040: the provisioning service 175 may maintain audit logs and records of user deprovisioning events, which may help the client organization demonstrate compliance and track user lifecycle changes.).
Regarding claim 13, Hassard teaches the system of claim 1, wherein the one or more processors are further configured to: store in a log an indication of the user’s actions taken with respect to the protected resource (0040: provisioning service 175 may maintain audit logs and records of user deprovisioning events, which may help the client organization demonstrate compliance and track user lifecycle changes.).
Regarding claim 14, Hassard teaches the system of claim 1, wherein the log is searchable based at least in part on a particular user or a particular resource (0066: by using the authentication tokens, users 185 may be capable of ensuring that software agents have access (e.g., only have access) to particular resources in accordance with permissions set by the users 185.).
Regarding claim 15, Hassard teaches the system of claim 1, wherein user provisioning for granting the user access to the protected resource is performed contemporaneous with receipt of the request for access to the protected resource (0040 and 0036: such as examples in which the SP determines that the user 185 is authorized to access the requested application, the SP may grant the user 185 access to the requested applications 110, for example, without prompting the user 185 to enter credentials (e.g., without prompting the user to log-in). The SSO service 155 may promote improved user experience (e.g., by limiting the number of credentials the user 185 has to remember/enter), enhanced security (e.g., by leveraging secure authentication protocols and centralized security policies), and reduced credential fatigue, among other benefits.).
Regarding claim 16, Hassard teaches the system of claim 1, wherein the one or more processors are further configured to: simulate an update to the protected resource before the update is committed (0026: the user may select a first software agent and reconfigure the first software agent such that the user receives an updated authentication token from the agent management service. In some cases, reconfiguring a software agent may include updating the identifier of the API endpoint of the service associated with the software agent, updating the permissions of the software agent, or a combination thereof.).
Regarding claim 17, Hassard teaches the system of claim 1, wherein simulating the update comprises providing to the user data associated with the protected resource before and after the update (0027: the authentication token may enable software agents the ability to access resources of a service in accordance with a set of configured permissions without the software agent accessing the credentials of the user, which may enhance the security of the computing system, for example, by reducing the risk of unauthorized access to resources of service.).
Regarding claim 18, Hassard teaches the system of claim 1, wherein simulating the update comprises providing to another user data associated with the protected resource before and after the update (FIG. 5, users 185 may be capable of modifying (e.g., refining, changing, reconfiguring) software agents within the agent management system to dynamically update the capabilities of one or more software agents.).
As per claims 19-20, these are the method and product versions of the claimed system discussed above in claim 1, wherein all claimed limitations have also been addressed and/or cited as set forth above.
Regarding claim 21, Hassard teaches the system of claim 1, wherein the one or more processors are further configured to: serve as a proxy for the user's access to the protected resource based at least in part on receiving an access request from the user, forwarding the access request to a service providing the protected resource, receiving a response from the service, and forwarding the response to the user (0034: …browser (e.g. the user’s request communicated via the browser) may be redirected by an access gateway 130 (e.g. a reverse proxy-based virtual application configured to secure web applications…). The steps of receiving, forwarding and responding are inherent to the standard definition of a reverse proxy in the art); and log information pertaining to the access request or actions performed by the user with respect to the protected resource, wherein the log is searchable based at least in part on the user or the protected resource (0040: the provisioning service 175 may maintain audit logs and records of user deprovisioning events… Maintaining an audit log inherently renders it searchable by user/resource as that is the fundamental purpose of an enterprise IT log).
Regarding claim 23, Hassard teaches the system of claim 1, wherein the request for access permission is received from a web browser running on a client system associated with the user, and granting the user access enables the user to access the protected resource directly from the web browser without installing additional tools on the client system (0034: …the user 185 may attempt to access an application 110 via browser…the IdP may generate a security token…send the security token to the computing device 105 (e.g., the browser or application 110 running on the computing device 105). Accessing a cloud application via a standard web browser using an SSO token inherently means the user does not need to install additional local client tools (i.e. thick clients). It is a well-known feature of browser-based SaaS/SSO models).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Hassard as applied to claim 1 above, and further in view of Franke et al, US 2017/0257363.
Regarding claim 4, Hassard lacks or fails to expressly disclose setting an expiration. However, Franke discloses wherein granting the user access permission for the protected resource includes setting an expiration for the user’s permitted use of the protected resource (0101: A user may direct Application 106 on Computer 102 to access Protected Resource 130 at (1). Protected Resource 130 may check the credentials available to Application 106 on Computer 102 and verify them. Verification may involve, but is not limited to, validating a cryptographic signature contained within the credentials, or performing a local or remote database lookup. Protected Resource 130 may also evaluate the credentials to assess time/expiration, permissions and access rights for the user, and so forth.). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hassard with Franke to include setting an expiration on access to the protected resource in order to validate user permissions, as taught by Franke, paragraph 0101.
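The flow the claim mappings above describe (a user request for access permission, an administrator's instruction to grant or deny, issuance of a JWT bound to the resource and carrying an expiration as in claim 4, validation of that token by an access agent acting as a reverse proxy as in claims 9-11 and 21, and an audit log searchable by user or resource as in claims 12-14 and 21) is shown below as an added illustration. It is not part of this action, of Hassard, of Franke, or of the application under examination; the HS256 signing, the shared key, the resource names, the broker class and its method names are assumptions chosen for the example.

```python
# Added example (not from this action, Hassard, Franke, or the application): a just-in-time
# access broker. Request -> administrator decision -> HS256 JWT with exp -> validation at a
# reverse proxy -> audit log searchable by user or resource. Key, names and resources are assumed.
import base64, hashlib, hmac, itertools, json

SECRET = b"demo-shared-hmac-key"  # assumed key shared by the token issuer and the proxy

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, resource, ttl_seconds, now, key=SECRET):
    """Mint an HS256 JWT bound to one resource (aud) with an absolute expiry (exp)."""
    compact = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(
        {"sub": user, "aud": resource, "iat": now, "exp": now + ttl_seconds})
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_token(token, resource, now, key=SECRET):
    """Signature first, then alg, audience and expiry. Returns (True, payload) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    if json.loads(_unb64(head)).get("alg") != "HS256":  # refuse alg=none downgrades
        return False, "unexpected alg"
    payload = json.loads(_unb64(body))
    if payload.get("aud") != resource:
        return False, "wrong resource"
    if now >= int(payload.get("exp", 0)):
        return False, "expired"
    return True, payload

class JitAccessBroker:
    """Takes access requests, records the administrator's decision, issues tokens and acts
    as the access agent (reverse proxy) in front of the protected resource."""
    def __init__(self, key=SECRET):
        self.key, self.pending, self.log = key, {}, []
        self._ids = itertools.count(1)

    def _audit(self, now, event, user, resource, **extra):
        self.log.append({"ts": now, "event": event, "user": user, "resource": resource, **extra})

    def request_access(self, user, resource, now):
        rid = f"req-{next(self._ids)}"
        self.pending[rid] = (user, resource)
        self._audit(now, "request", user, resource, rid=rid)
        return rid  # the administrator is prompted with this id (out of band here)

    def decide(self, rid, admin, approve, ttl_seconds, now):
        user, resource = self.pending.pop(rid)
        self._audit(now, "decision", user, resource, rid=rid, admin=admin, approved=approve)
        if not approve:
            return None
        self._audit(now, "grant", user, resource, rid=rid, exp=now + ttl_seconds)
        return issue_token(user, resource, ttl_seconds, now, self.key)

    def proxy(self, token, resource, now, upstream):
        """Validate the bearer token, forward to the service, log, return (status, body)."""
        ok, info = validate_token(token, resource, now, self.key)
        if not ok:
            self._audit(now, "deny", None, resource, reason=info)
            return 403, info
        self._audit(now, "access", info["sub"], resource)
        return 200, upstream(info["sub"], resource)

    def search_log(self, user=None, resource=None):
        return [r for r in self.log if (user is None or r["user"] == user)
                and (resource is None or r["resource"] == resource)]

def demo():
    """Run the flow on constructed input, including the cases the proxy must refuse."""
    broker, t0 = JitAccessBroker(), 1_700_000_000
    upstream = lambda user, resource: f"rows for {user} from {resource}"  # stand-in service
    rid = broker.request_access("alice", "db/orders", t0)
    token = broker.decide(rid, "admin", True, 900, t0 + 30)
    first = broker.proxy(token, "db/orders", t0 + 60, upstream)        # valid
    wrong = broker.proxy(token, "db/customers", t0 + 60, upstream)     # audience mismatch
    late = broker.proxy(token, "db/orders", t0 + 930, upstream)        # exactly at exp
    head, body, sig = token.split(".")
    claims = json.loads(_unb64(body)); claims["sub"] = "mallory"       # edit payload, keep sig
    forged = ".".join([head, _b64(json.dumps(claims).encode()), sig])
    bad = broker.proxy(forged, "db/orders", t0 + 60, upstream)         # signature no longer matches
    denied = broker.decide(broker.request_access("bob", "db/orders", t0), "admin", False, 900, t0 + 5)
    return broker, first, wrong, late, bad, denied
```

The proxy checks the signature before it reads any claim, so a payload edited after issuance and a header rewritten to a weaker algorithm both fail at the same place; the audience check keeps a token granted for one resource from being replayed against another, and the expiry check treats a token presented at its exp timestamp as already expired. Every request, decision, grant, access and denial is written to one log with the user and resource as first-class fields, which is what makes the search by user or resource in claims 14 and 21 possible.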
Allowable Subject Matter
Claim 22 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Reasons for allowance will be furnished at the time of allowance of the application.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434