Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 18/640,885 is presented for examination by the examiner.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-6 and 10-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP Application Publication 2022/0353266 to Ramamurthi et al., hereinafter Ramamurthi.
As per claims 1, 19 and 20, Ramamurthi teaches one or more non-transitory computer-readable media storing instructions that, when executed by one or more hardware processors, cause performance of operations comprising:
receiving, at an access control service [cloud computing system] from a first access agent [operator], a first approval request associated with a first resource for the access control service to request a first approval for the first access agent to access the first resource (0029);
determining, based on a first dependency attribute [ACP] associated with the first resource, a first resource dependency between the first resource and a second resource [customer permissions perimeter 150 is governed by the CCA policy that lists which ACP requires approval to resources associated with a customer; 0020 and 0027-0029];
generating, based at least in part on the first resource dependency between the first resource and the second resource, a first approval requisition for requesting the first approval to access the first resource based on a first approval workflow corresponding to the second resource [access requested is mapped to the approving customer and the event is posted; 0033] ;
wherein the first approval workflow is traversed, based on the first approval requisition, to obtain the first approval to access the first resource [appropriate customer is notified and respond/approves the access request; 0033];
wherein the first access agent accesses the first resource based at least in part on the first approval (0037).
As per claim 2, Ramamurthi teaches generating the first approval requisition comprises:
determining a resource identifier (0029) corresponding to the first resource and an approval service identifier [CCA policy name; 0027] of an approval service [cloud customer access control mechanism 122] corresponding to the second resource (0020),
populating the first approval requisition with the resource identifier corresponding to the first resource and the approval service identifier corresponding to the second resource [request included resource identifier (0029) and the event is posted to the corresponding CCA policy that is enforce for corresponding resource; 0033].
As per claim 3, Ramamurthi teaches subsequent to determining the first resource dependency between the first resource and the second resource: validating that the first access agent associated with the first resource is authorized to submit the first approval request based on a set of one or more permissions associated with the second resource [system checks if the user attributes of the policy and requesting Ops user are compatible; 0033].
As per claim 4, Ramamurthi teaches receiving, from an approval service, an approval confirmation comprising the first approval to access the first resource (0033); determining, based on the approval confirmation, that the first approval is for the first access agent to access the first resource (0035); and
responsive to determining that the first approval is for the first access agent to access the first resource: transmitting an approval notification comprising the first approval to at least one of: the first access agent, or a resource service corresponding to the first resource (0035).
As per claim 5, Ramamurthi teaches determining that the first approval is for the first access agent to access the first resource comprises:
accessing a second dependency attribute associated with the approval confirmation [approval is bound to the event that was posted; 0033];
determining, based on the second dependency attribute, a resource identifier corresponding to the first resource [temp user account only has access to what was requested; 0029 and 0035];
determining, based on the resource identifier corresponding to the first resource, that the first approval is for the first access agent to access the first resource [user account for operator grants access only to the requested resource; 0034 and 0037].
As per claim 6, Ramamurthi teaches transmitting to the first access agent, a first approval notification comprising the first approval [post to operator; 0035]; wherein responsive at least to the first access agent receiving the first approval notification, prior to the first access agent accessing the first resource, the first access agent obtains a credential for accessing the first resource, and wherein the first access agent utilizes the credential to access the first resource [temp access is obtained by the operator via a temporary account that was created prior to accessing the first resource; 0034, 0035, and 0044].
As per claim 10, Ramamurthi teaches determining the first resource dependency between the first resource and the second resource comprises: accessing the first dependency attribute associated with the first resource (0028), and determining that the first dependency attribute comprises an approval service identifier corresponding to the second resource [0027 and 0033; policy name].
As per claim 11, Ramamurthi teaches the first dependency attribute is stored in metadata associated with the first resource (0028).
As per claim 12, Ramamurthi teaches receiving, at the access control service from a second access agent, a second approval request associated with a third resource for the access control service to request a second approval for the second access agent to access the third resource; determining, based on a second dependency attribute associated with the third resource, that the third resource is independent [non-sensitive system information; 0030]; generating, based at least in part on the third resource being independent, a second approval requisition for requesting the second approval to access the third resource based on a second approval workflow corresponding to the third resource; traversing the second approval workflow corresponding to the third resource to obtain, based on the second approval requisition, the second approval to access the third resource; wherein the second access agent accesses the third resource based at least in part on the second approval. Examiner notes that this process is essentially the same as claim 1 where the requested resource has no dependency. Ramamurthi discloses this process where the system automatically can approve request based on the resource and ACP requested. The process is the same accept approval from the customer is skipped. See claim for support for the same steps. Paragraph 0030 details the path of Fig. 2B that skips the customer’s approval because there is no dependency between requested resource and the service that orchestrates the enforcement and customer approval mechanisms. This is interpreted as the resource being independent.
As per claim 13, Ramamurthi teaches determining that the third resource is independent comprises: accessing the second dependency attribute associated with the second resource, and determining that the second dependency attribute comprises a second approval service identifier [CCA policy number; 0027], and (a) the second approval service identifier comprises a null value, or (b) a second approval service corresponding to the third resource is identified by the second approval service identifier [the particular CCA policy that is in-force on the corresponding resource; 0033].
As per claim 14, Ramamurthi teaches receiving, from a second approval service, an approval confirmation comprising the second approval to access the third resource [automatic approval; 0031 and 0037]; determining, based on the approval confirmation, that the third resource is independent [does not need customer approval]; and responsive to determining that the third resource is independent: transmitting an approval notification comprising the second approval to at least one of: the second access agent [posted to the operator; 0035], or a resource service corresponding to the third resource.
As per claim 15, Ramamurthi teaches accessing the second dependency attribute via the approval confirmation (0035);
determining, based on the second dependency attribute, a resource identifier corresponding to the third resource (0027 and 0033);
determining, based on the resource identifier corresponding to the third resource, that the third resource is independent [ (a) + (b) determines the if the customer must approve; 0027 and 0029].
As per claim 16, Ramamurthi teaches the first resource is located in a first compartment associated with a cloud operator [Fig. 1: 104] and the second resource is located in a second compartment associated with a customer (Fig. 1: 150)
As per claim 17, Ramamurthi teaches 17. The one or more non-transitory computer-readable media of claim 1, wherein the operations further comprise: receiving, at the access control service from a second access agent, a second approval request associated with a third resource for the access control service to request a second approval for the second access agent to access the third resource; determining, based on a second dependency attribute associated with the second resource, a second resource dependency between the third resource and the second resource, wherein the third resource is a dependent resource with respect to the second resource; generating, based at least in part on the second resource dependency between the third resource and the second resource, a second approval requisition for requesting the second approval to access the third resource based on the first approval workflow corresponding to the second resource; traversing the first approval workflow corresponding to the second resource to obtain, based on the second approval requisition, the second approval to access the third resource; wherein the second access agent accesses the third resource based at least in part on the second approval;
wherein the first resource comprises a first service component associated with a cloud service [resources are provided from the cloud],
wherein the second resource comprises a customer-facing component of the cloud service [the cloud customer access control 122 faces and interacts with the customers 120],
wherein the third resource comprises a second service component associated with the cloud service [another resource in 104],
wherein the customer-facing component of the cloud service utilizes the first service component and the second service component [takes permissions of the ACP in conjunction with the CCA system to inquire customer approvals for resources governed inside of the perimeter that are requested by operators of the cloud; Fig. 1].
Examiner note: This claim is rejected for the same reasons as claim 1. Claim 17 details another access agent making a request to another resource that is dependent to the second resource. The flow is the same. Ramamurthi already teaches that the requested resource is dependent to another resource as recited above. Ramamurthi explicitly says there are multiple resources, operators, and customers.
As per claim 18, Ramamurthi teaches identifying the first approval workflow corresponding to the second resource based on the first approval requisition (0033); traversing the first approval workflow corresponding to the second resource to obtain the first approval to access the first resource [ask appropriate customer for approval; 0033].
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Ramamurthi in view of USP Application Publication 2023/0297962 to Alabdrabalnabi et al, hereinafter SA (Applicant).
As per claim 8, Ramamurthi teaches traversing the first approval workflow corresponding to the second resource to obtain the first approval to access the first resource comprises:
determining
transmitting the first approval requisition
wherein the approval service corresponding to the second resource receives the first approval requisition, wherein responsive to receiving the first approval requisition, the approval service executes a set of one or more approval workflow operations to determine that the first access agent is approved to access the first resource [customer decides on approval; 0033],
wherein responsive to determining that the first access agent is approved to access the first resource, the approval service transmits to the access control service, a first approval confirmation comprising the first approval (0034).
Ramamurthi is silent in explicitly teaching determining the network address of the approval service and sending the first approval requisition to the network address. SA teaches determining the network address of the approval service and sending the first approval requisition to the network address (0070 and 0073). SA teaches that a work object request can contain an approval node portion that contains the IP address of the approval node to identity the reviewer of the work object request. Ramamurthi fields similar types of requests over a network but does not explicitly teach the approval service having a network address. It is obvious, in view of the fact that the communications operate over a network, that an IP address is one way in which nodes can be identified on a network. The nodes need some way of being addressed. Having an IP address associated with the CCA system is a predictable way of identifying it on the network. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results.
As per claim 9, Ramamurthi teaches requesting approval from a set of one or more approvers associated with the second resource for the first access agent to access the first resource (0026).
Allowable Subject Matter
Claim 7 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The prior art already creates the credentials once the customer approves the request. In the cited art, there is no need for the customer(requestor) to send an additional request for credential generation. Claim 7 requires the credential request to come from the first access agent. This modification to the prior art would not have been obvious because it adds complexity and would slow down the authorization process.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316. The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431