Prosecution Insights
Last updated: April 19, 2026
Application No. 18/808,971

AUTHORIZATION AND ACCESS CONTROL SYSTEM FOR ACCESS RIGHTS USING RELATIONSHIP GRAPHS

Non-Final OA: §102, §103, §DP
Filed: Aug 19, 2024
Examiner: CHAI, LONGBIT
Art Unit: 2431
Tech Center: 2400 — Computer Networks
Assignee: Brex Inc.
OA Round: 1 (Non-Final)
Grant Probability: 88% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 99%

Examiner Intelligence

Grants 88% — above average
Career Allow Rate: 88% (647 granted / 737 resolved), +29.8% vs TC avg
Strong +32% interview lift
Interview Lift: +32.3% (resolved cases with interview)
Typical timeline, Avg Prosecution: 2y 9m (23 currently pending)
Career history, Total Applications: 760 across all art units

Statute-Specific Performance

§101: 14.4% (-25.6% vs TC avg)
§103: 36.7% (-3.3% vs TC avg)
§102: 30.4% (-9.6% vs TC avg)
§112: 8.0% (-32.0% vs TC avg)
Based on career data from 737 resolved cases

Office Action

§102 §103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Currently pending claims are 1 – 20.

Double Patenting

The nonstatutory (or provisional) double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application. See 37 CFR 1.130(b).

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claim(s) 1 – 20 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claim 1 – 20 of U.S. Patent No. 12,069,056. Although the conflicting claims are not identical, they are not patentably distinct from each other – accordingly, because the listed claims of U.S. Patent virtually contain(s) every element of the listed claims of the instant application and thus anticipate the claim(s) of the instant application. Claim(s) of the instant application therefore is/are not patently distinct from the earlier patent claim(s) and as such is/are unpatentable over obvious-type double patenting.

A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001)”.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 9 – 12, 14 & 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kreutzer et al. (U.S. Patent 10,242,223).

As per claim 1, 14 & 15, Kreutzer teaches a non-transitory medium with instructions stored thereon that, when executed by a processor, cause the processor to perform operations (Kreutzer: Figure 4 & 5) comprising:

receiving input that is indicative of a request to determine access rights provided to a user for resources in a computing system (Kreutzer: see above & Figure 1 / E-140, Col. 2 Line 58 – 65 / Line 51 – 56: receiving a query from a user device at a graph server of an access control system (that hosts relational graph DB) w.r.t. the granting or denying access to a resource object (i.e. determining associated access rights) based on the user’s security context and the membership associated with a particular user / group);

generating, based on the input, a query for a graph database to determine the access rights provided to the user, wherein the graph database includes a first plurality of nodes that are representative of the resources in the computing system (Kreutzer: see above & Figure 1 / E-130 & E-140, Col. 3 Line 19 – 29, Col. 2 Line 51 – 56 / Line 58 – 62: sending (generating) a request (query) to the access control system that hosts a graph database (DB));

querying the graph database using the query for a relationship graph that is associated with the user and that includes a second plurality of nodes, wherein each node of the second plurality of nodes is representative of one of the resources in the computing system for which the user has access rights (Kreutzer: see above & Figure 1 / E-130 & E-140, Col. 3 Line 19 – 29, Col. 2 Line 58 – 62 / Line 51 – 56 and Col. 3 Line 19 – 29: querying a graph database of a relational graph that hosts various nodes connected through edges between the user nodes and target resource nodes which collectively represent the user’s access rights (RD / WR) associated with the accessing resources including documents, meetings, communication, and etc. (Kreutzer: Col. 3 Line 24 – 29));

determining, based on an analysis of the relationship graph that is associated with the user, connections to the second plurality of nodes (Kreutzer: see above); and

enabling access rights for the user based on the connections (Kreutzer: see above & Col. 3 Line 19 – 50: the connections (e.g. nodes & edges) from the relationship graph of the database graph to the related objects indicating whether to enable the access rights of the permissions assigned to a particular user).

As per claim 9, Kreutzer teaches wherein the access rights include a data access permission, a spend permission, an administrative permission, a system authentication permission, a spend velocity permission, or a combination thereof (Kreutzer: see above & Col. 2 Line 58 – 62 / Line 51 – 56 and Col. 3 Line 19 – 29: the access rights associated with a graph database of a relational graph with various nodes collectively representing the user’s access rights (RD / WR) associated with a target resource node).

As per claim 10 – 12, Kreutzer teaches wherein the operations further comprise: receiving second input that is indicative of an addition of a new connection between a first node included in the first plurality of nodes but not the second plurality of nodes and a second node included in the second plurality of nodes; updating the relationship graph based on the addition; and writing, based on the updated relationship graph, a new policy for the access rights of the user (Kreutzer: see above & Col. 8 Line 30 – 36 / Line 13 – 20 and Col. 7 Line 52 – 65 / Line 32 – 49: (a) a new anchor node can be added to span the graph node based on the user’s security context to determine whether a potential anchor node that a graph query may initiate from the subject (Kreutzer: Col. 8 Line 30 – 36 / Line 13 – 20) and (b) periodically updating (restructuring / reevaluating) the relationship graph associated with the access rights (policies) as needed by adding a new node or removing a node with terminated employee (with least priority)).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 & 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Gladney et al. (U.S. Patent 7,331,058).

As per claim 2 & 13, Gladney (& Kreutzer) teaches wherein each node includes a Uniform Resource Name (URN) for a corresponding one of the resources (Kreutzer: see above) || (Gladney: (a) providing universally unique identifiers (UUIDs) that can uniquely identify a data object (a node) with global scope uniqueness / transparency / independence for naming-issuing authorities as well as legacy compatibility and etc. and (b) such a UUID constitutes one type of Uniform Resource Name (URN) – this consistent with the disclosure of the instant specification (SPEC: Para [0017] Line 6 – 8: a Uniform Resource Name (URN) can be used as a schema for corresponding to a UUID for things within a name space) || (Kreutzer: see above).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of including a Uniform Resource Name (URN) for a corresponding one of the resources because Gladney teaches to alternatively and effectively provide universally unique identifiers (UUIDs) that can uniquely identify a data object (a node) with global scope uniqueness, transparency / independence for naming-issuing authorities as well as legacy compatibility and etc. (see above) within the Kreutzer’s system of providing, for an access control system, a graph database of a relational graph with various nodes connected with edges between a (e.g.) user node and a resource node that collectively represent the user’s access rights (RD / WR) associated with a target resource node (see above).

Claims 3 & 5 – 7 are rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Lu et al. (CN 11,138,2279).

As per claim 3, Lu (& Kreutzer) teaches executing the query in a graph query language used by the graph database for resources for which the user has access rights (Lu: Page 6 / 1st Para: providing an image (map) graph database such as an Arango database (DB) with AQL query language, which is a high-performance database and supports a flexible data model for various types of resources) || (Kreutzer: see above); determining actor vertices, group vertices, and resource vertices based on at least one response from the graph database to the query, linking the actor vertices, the group vertices, and the resource vertices via the connections, and generating the relationship graph using the actor vertices, the group vertices, the resource vertices, and the connections (Kreutzer: see above & Col. 3 Line 19 – 51: connecting (linking) user / personal subject nodes as the actor vertices, security context nodes of various user groups as the group vertices, and the resource object nodes as resource vertices).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of executing the query in a graph query language used by the graph database for resources for which the user has access rights because Lu teaches to alternatively and effectively provide an image (map) graph database such as an Arango database (DB) with AQL query language, which is a high performance database and supports a flexible data model for various types of resources (see above) within the Kreutzer’s system of providing, for an access control system, a graph database of a relational graph with various nodes connected with edges between a (e.g.) user node and a resource node that collectively represent the user’s access rights (RD / WR) associated with a target resource node (see above).

As per claim 5, Lu (& Kreutzer) teaches wherein the actor vertices, the group vertices, the resource vertices, and the connections are determined based on policies for the user using at least one of a base node vertex for the user, the actor vertices, the group vertices, or the resource vertices (Kreutzer: see above & Col. 3 Line 19 – 51: based on the security policy, connecting (linking) user / personal subject nodes as the actor vertices, security context nodes of various user groups as the group vertices, and the resource object nodes as resource vertices).

As per claim 6, Lu (& Kreutzer) teaches executing the query in a graph query language used by the graph database for resources for which the user has access rights (Lu: see above), determining, based on a response from the graph database to the query, vertices that correspond to actors, groups, resources, or a combination thereof, linking the vertices via the connections, and generating the relationship graph using the vertices and the connections (Kreutzer: see above & Col. 3 Line 19 – 51: according to a response to the query from the graph database, connecting (linking) user / personal subject nodes as the actor vertices, security context nodes of various user groups as the group vertices, and the resource object nodes as resource vertices).

As per claim 7, Lu (& Kreutzer) teaches wherein each of the connections comprises at least one vector direction identifying at least one of (i) access relationships between actor vertices, group vertices, and resource vertices; (ii) membership relationships in group vertices; or (iii) manager relationships between actor vertices and group vertices (Kreutzer: see above & Figure 1 / E-140, Col. 2 Line 58 – 65 / Line 51 – 56: receiving a query from a user device at a graph server of an access control system (that hosts relational graph DB) w.r.t. the granting or denying access to a resource object (i.e. determining the access rights) based on identifying at least the membership and the user’s security context associated with a particular user group).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Lu et al. (CN 11,138,2279), and in view of Gladney et al. (U.S. Patent 7,331,058).

As per claim 4, Gladney (& Kreutzer as modified) teaches wherein the actor vertices, the group vertices, and the resource vertices in the relationship graph are represented by Uniform Resource Names (URNs) including universally unique identifiers (UUIDs) that do not need to be resolved using at least one of a network address, a virtual address, or personally identifiable information (Examiner notes: pls. refer to a same rationale of rejections on the combination of claim 2 & 3).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Lu et al. (CN 11,138,2279), and in view of Isaacson et al. (U.S. Patent 2015/0220584).

As per claim 8, Isaacson (& Kreutzer as modified) teaches wherein the relationship graph is restructured at each subsequent query of the graph database. (a) - (Kreutzer: see above & Col. 7 Line 41 – 65 / Line 32 – 49: (a) periodically updating (restructuring / reevaluating) the relationship graph as needed (Kreutzer: Col. 7 Line 41 – 49), and besides (b) prior to a subsequent query to the database lists, determining whether the requested graph query from a given subject should span a node of the relationship graph for restructuring the database (Kreutzer: Col. 7 Line 60 – 65 / Line 32 – 49)) || (b) - (Isaacson: Para [0037] / [0003]: a relational database can be restructured from partitioning data structures of the database to provide optimized performance and efficiency of the database system to increase or optimize actions from a received database query such that the application requirements can be matched more closely).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of restructuring the relationship graph at each subsequent query of the graph database because Isaacson teaches to alternatively and effectively restructure a relational database from partitioning data structures of the database to provide optimized performance and efficiency of the database system to increase or optimize actions from a received database query such that the application requirements can be matched more closely (see above) within the Kreutzer’s system of providing, for an access control system, a graph database of a relational graph with various nodes connected together that collectively represent the user’s access rights (RD / WR) associated with a target resource node and prior to a query to the database lists, determining whether the requested graph query from a given subject should span a node of the relationship graph for restructuring the database (see above).

Claims 16 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Stein et al. (U.S. Patent 11,681,724).

As per claim 16, Stein (& Kreutzer) teaches causing display of a visual representation of the relationship graph; and allowing a user to alter the access rights enabled for the given individual by modifying the visual representation of the relationship graph (Stein: Abstract & Col. 21 Line 45 – 67: provide an editing tool responsive to an interactive investigation (i.e. query / response) to display a relationship graph via an effective user interface to allow a user to change / update a selection of a particular target object (e.g. edges & nodes) of the relationship graph for visualization purpose) || (Kreutzer: see above & Col. 3 Line 19 – 50: wherein the selection of a particular target object (e.g. edges & nodes) from a relationship graph can be a connection (e.g. nodes & edges) of related objects indicating whether to enable the access rights of the permissions assigned to a particular user that collectively represents the user’s access rights (RD / WR) associated with a target resource node / edge).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of displaying, responsive to the request in a user interface, the relationship graph identifying the connections to the related objects for the access rights because Stein teaches to alternatively and effectively provide an editing tool responsive to an interactive investigation (i.e. query / response) to display a relationship graph through a user interface to allow a user to change / update a selection of a particular target object (e.g. edges & nodes) of the relationship graph for visualization purpose (see above) within the Kreutzer’s system of providing, for an access control system, a graph database of a relational graph with various nodes connected with edges between a (e.g.) user node and a resource node / edge that collectively represent the user’s access rights (RD / WR) associated with a target resource node, wherein the selection of a particular target object (e.g. edges & nodes) from a relationship graph can be a connection (e.g. nodes & edges) of related objects indicating whether to enable the access rights of the permissions assigned to a particular user (see above).

As per claim 17, Kreutzer as modified teaches wherein the user is permitted to add new connections to nodes not included in the plurality of nodes, delete existing connections to the plurality of nodes, and delete the plurality of nodes, so as to automatically request an alternation of the access rights enabled for the given individual (Kreutzer: see above & Col. 8 Line 30 – 36 / Line 13 – 20 and Col. 3 Line 19 – 50: (a) a new anchor node can be added to span the graph node based on the user’s security context to determine whether a potential anchor node that a graph query may initiate from the subject (Kreutzer: Col. 8 Line 30 – 36 / Line 13 – 20), and (b) wherein the selection of any existing nodes from a relationship graph can be a connection (e.g. nodes & edges) of related objects indicating whether to enable the access rights of the permissions assigned to a particular user with the user’s access rights (RD / WR) and thus by changing the access rights, it’s equivalent to delete any existing connections from the plurality of nodes as needed (Kreutzer: Col. 3 Line 19 – 50)).

As per claim 18, Kreutzer as modified teaches writing a new policy for the access rights of the given individual in response to a determination that the user has modified the visual representation of the relationship graph (Kreutzer: see above & Col. 4 Line 23 – 27: a new policy is assigned to a user (i.e. a given individual) according to which group the user belongs as a member of multiple roles).

As per claim 19, Kreutzer as modified teaches wherein each of the connections is representative of a membership relationship, an access relationship, or a manager relationship (Kreutzer: see above & Figure 1 / E-140, Col. 2 Line 58 – 65 / Line 51 – 56: receiving a query from a user device at a graph server of an access control system (that hosts relational graph DB) w.r.t. the granting or denying access to a resource object (i.e. determining associated access rights) based on the user’s security context and the membership associated with a particular user / group).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Kreutzer et al. (U.S. Patent 10,242,223), in view of Stein et al. (U.S. Patent 11,681,724) and in view of Isaacson et al. (U.S. Patent 2015/0220584).

As per claim 20, Isaacson (& Kreutzer as modified) teaches said querying comprises executing a plurality of queries against the graph database, and wherein the relationship graph is generated based on a first one of the plurality of queries and then restructured following each subsequent query (a) - (Kreutzer: see above & Col. 7 Line 41 – 65 / Line 32 – 49: (a) periodically updating (restructuring / reevaluating) the relationship graph as needed (Kreutzer: Col. 7 Line 41 – 49), and besides (b) prior to a subsequent query to the database lists, determining whether the requested graph query from a given subject should span a node of the relationship graph for restructuring the database (Kreutzer: Col. 7 Line 60 – 65 / Line 32 – 49)) || (Isaacson: Para [0037] / [0003]: a relational database can be restructured from partitioning data structures of the database to provide optimized performance and efficiency of the database system to increase or optimize actions from a received database query such that the application requirements can be matched more closely). (b) See a same rationale of combination applied herein as above in rejecting the claim 8.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2542 – 2025

Prosecution Timeline

Aug 19, 2024: Application Filed
Dec 14, 2025: Non-Final Rejection — §102, §103, §DP
Apr 01, 2026: Interview Requested
Apr 07, 2026: Examiner Interview Summary
Apr 07, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574418
CONFIDENTIAL RESOURCE TRUSTED DOMAIN MIGRATION STRATEGY
2y 5m to grant Granted Mar 10, 2026
Patent 12568099
FINDING ANOMALOUS PATTERNS
2y 5m to grant Granted Mar 03, 2026
Patent 12568086
AUTOMATIC SECURITY COVERAGE EXPANSION OF CLOUD SECURITY POSTURE MANAGEMENT (CSPM) ASSETS
2y 5m to grant Granted Mar 03, 2026
Patent 12563097
Systems and methods for tag-based policy enforcement for dynamic cloud workloads
2y 5m to grant Granted Feb 24, 2026
Patent 12563102
DYNAMIC ATTRIBUTE BASED EDGE-DEPLOYED SECURITY
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 88%
With Interview: 99% (+32.3%)
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 737 resolved cases by this examiner. Grant probability derived from career allow rate.
