DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/27/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Specification
The abstract of the disclosure is objected to because:
It repeats information given in the title. Specifically, the first sentence of the abstract, “In some examples, systems and methods for checking data access are provided” repeats the title nearly verbatim.
A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Claim Objections
Claims 3-5 and 14-16 are objected to because of the following informalities:
Regarding claims 3 and 14:
Claim 3 recites, “a first explanation indicating … one or more components is accessible and a second explanation indicating … one or more components is not accessible.” Claim 14 recites similar language. Examiner notes that the language of these claims, on their face, requires that both possible results of “accessible” and “not accessible” be present in every access explanation. In other words, this claim explicitly excludes both situations where every component is accessible to the user, and where no components are accessible to the user. It is the examiner’s assumption that, despite the specification using the same wording (para. 0054, inter alia), this is not the interpretation intended. Applicant is encouraged to either amend the claims and specification such that they reflect the examiner’s assumption, or provide an assertion that the exclusive wording is intentional.
Regarding claims 4, 5, 15, and 16:
They are objected to for being dependent on one or more objected-to claims. These objections could be overcome by overcoming the objections to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any objected-to claims.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6, 8, 9, 12, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over XU et al (Doc ID US 10812482 B1), and further in view of SHARIFI (Doc ID US 10454975 B1).
Regarding claim 1:
XU teaches:
A method for checking data access, the method comprising: receiving a checking request about a user, the checking request including a user identifier of the user and a resource indication of a resource ((42) Col 13 lines 14-17 "The request may include information identifying the requesting entity and may include a resource identifier ...");
determining one or more components referenced by the resource ((42) Col 13 lines 17-21 "The authorization service may then identify 704 a set of requested resources based on information included in the request, such as by identifying the resources to which the requesting entity should have permission in order to fulfill the request.");
for each component of the one or more components referenced by the resource, generating a component inquiry for accessing a respective component by the user, the component inquiry including information related to the respective component and the user identifier ((42) Col 13 lines 21-27 "For instance, the authorization entity may initiate a database query to retrieve the permission vector, and that the database query may include the information identifying the requesting entity.");
determining permission information indicating whether the user is permitted to access the resource, based on one or more permission responses received ((43) Col 13 lines 41-44 "… the authorization service evaluates 712 whether a permission element in the permission set determined in step 710 includes permissions sufficient to grant access to the resource element requested.");
wherein the method is performed by one or more processors ((14) Col 3 lines 12-16 "The authorization service 102 may be a computing system comprising one or more processors and memory that stores executable instructions whose execution by the one or more processors causes the authorization service 102 to perform operations ...").
SHARIFI teaches the following limitation(s) not taught by XU:
sending the component inquiry to a software service corresponding to the respective component ((11) Col 2 lines 41-47 "... the computing resource service may transmit a request to other applicable computing resource services ... to determine whether the user is authorized to access these other computing resources as specified in the conditional computing resource policy."); and
receiving a permission response from the software service, the permission response indicating whether the user is permitted to access the respective component ((12) Col 2 lines 51-57 "The computing resource service may receive a response from each of the other applicable computing resource services ... indicating whether the user is authorized to access the other computing resources specified in the conditional computing resource policy."); and
Receiving a resource access request from a user, determining what other resources are required to be accessed based on the request, determining whether the user has permission to access the other resources, and determining overall permission to the requested resource based on the set of user permissions are known techniques in the art, as demonstrated by XU. Further, sending an inquiry to the required resources to determine permission information about the user is a known technique in the art, as demonstrated by SHARIFI. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU with the resource-sourced permission information of SHARIFI with the motivation to obtain user permission information where that information is held by the resources, and not by the access control system itself.
Regarding claim 6:
The combination of XU and SHARIFI teaches:
The method of claim 1, wherein the checking request further includes a requester identifier of a requester, wherein the method further comprises (XU (42) Col 13 lines 14-17 "The request may include information identifying the requesting entity and may include a resource identifier ..."):
Examiner notes that the specification of the instant application indicates that the "user" and "requester" may be the same entity.
checking whether the requester is permitted to access the resource (XU (43) Col 13 lines 41-44 "… the authorization service evaluates 712 whether a permission element in the permission set determined in step 710 includes permissions sufficient to grant access to the resource element requested.");
in response to the requester not being permitted to access the resource, denying the checking request (XU (43) Col 13 lines 44-56 "If the permission set does not include sufficient permissions to grant access, then the authorization service may determine 713 whether there are additional permission vectors to evaluate for the user. ... If no additional permission vectors are associated with the user, the authorization service may deny 714 permission to access the resources ...").
Regarding claim 8:
The combination of XU and SHARIFI teaches:
The method of claim 1, wherein the one or more components include a first component and a second component, wherein the second component is different from the first component (XU (42) Col 13 lines 11-14 "Performing the operation may include accessing a set of resources of the resource provider, such as an API resource, a data elements resource, ... or may include accessing other resources.").
Regarding claim 9:
The combination of XU and SHARIFI teaches:
The method of claim 8, wherein the first component is associated with a first object and the second component is associated with a second object being different from the first object (XU (42) Col 13 lines 11-14 "Performing the operation may include accessing a set of resources of the resource provider, such as an API resource, a data elements resource, ... or may include accessing other resources.").
Regarding claims 12, 17, and 20:
These claims are rejected with the same justification, mutatis mutandis, as their counterpart claims 1 and 6 above.
Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over XU et al (Doc ID US 10812482 B1) and SHARIFI (Doc ID US 10454975 B1) as applied to claims 1 and 12 above, and further in view of VEGULLA et al (Doc ID US 20210258321 A1).
Regarding claim 2:
The combination of XU and SHARIFI teaches:
The method of claim 1,
VEGULLA teaches the following limitation(s) not taught by the combination of XU and SHARIFI:
further comprising: generating an access explanation of the permission information indicating whether the user is permitted to access the resource based on the one or more permission responses received ([0045] "… Upon reception of a command to grant or deny access to the data resource, the dynamic engine 320 may ... transmit a notification to the user computing device 302 containing information regarding the access determination."); and
causing presenting a representation of the access explanation ([0032] "… The dynamic engine and notification engine may communicate information ... for display on a user device ...").
Displaying information about an access decision is a known technique in the art, as demonstrated by VEGULLA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU and SHARIFI with the access decision display of VEGULLA with the motivation to provide information to a user that can be used to understand why a decision was made in order to merely inform or to troubleshoot potential problems.
Regarding claim 13:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 2 above.
Claims 3-5 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over XU et al (Doc ID US 10812482 B1), SHARIFI (Doc ID US 10454975 B1), and VEGULLA et al (Doc ID US 20210258321 A1) as applied to claims 2 and 13 above, and further in view of RAMASWAMY et al (Doc ID US 20110265188 A1).
Regarding claim 3:
The combination of XU, SHARIFI, and VEGULLA teaches:
The method of claim 2,
RAMASWAMY teaches the following limitation(s) not taught by the combination of XU, SHARIFI, and VEGULLA:
wherein the access explanation includes a first explanation indicating a first component of the one or more components is accessible ([0041] "… certain GUI elements corresponding to permitted application elements, such as data objects 205, may be displayed …") and
a second explanation indicating a second component of the one or more components is not accessible ([0041] "… other GUI elements corresponding to restricted application elements may be hidden or restricted operation. Embodiments of the invention may allow for GUI element restriction by displaying a lock icon along with the restricted GUI element.").
Providing information about specifically which resources a user does and does not have access to is a known technique in the art, as demonstrated by RAMASWAMY. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU, SHARIFI, and VEGULLA with the detailed user permission details of RAMASWAMY with the motivation to provide information to a user showing unpermitted resources as well as the standard permitted resources in order to allow the user to consider whether they should be granted access to resources which they currently are not allowed to access.
Regarding claim 4:
The combination of XU, SHARIFI, VEGULLA, and RAMASWAMY teaches:
The method of claim 3, wherein the first explanation includes an indication of access being permitted by at least one selected from a group consisting of a role-based access control, an attribute-based access control, and a classification-based access control (RAMASWAMY [0018] "… an RBAC permissions model may be used to allow or restrict certain GUI elements from being displayed based on a user's assigned role.").
Using an access control method such as role-based access control (RBAC) to determine user permissions is a known technique in the art, as demonstrated by RAMASWAMY. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU, SHARIFI, VEGULLA, and RAMASWAMY with the access control protocol of RAMASWAMY with the motivation to provide information to a user showing how their particular role was considered in making an access decision.
Regarding claim 5:
The combination of XU, SHARIFI, VEGULLA, and RAMASWAMY teaches:
The method of claim 3, wherein the second explanation includes an indication of access being denied by at least one selected from a group consisting of a role-based access control, an attribute-based access control, and a classification-based access control (RAMASWAMY [0018] "… an RBAC permissions model may be used to allow or restrict certain GUI elements from being displayed based on a user's assigned role.").
Using an access control method such as role-based access control (RBAC) to determine user permissions is a known technique in the art, as demonstrated by RAMASWAMY. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU, SHARIFI, VEGULLA, and RAMASWAMY with the access control protocol of RAMASWAMY with the motivation to provide information to a user showing how their particular role was considered in making an access decision.
Regarding claims 14-16:
These claims are rejected with the same justification, mutatis mutandis, as their counterpart claims 3-5 above.
Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over XU et al (Doc ID US 10812482 B1) and SHARIFI (Doc ID US 10454975 B1) as applied to claims 1 and 12 above, and further in view of RAMASWAMY et al (Doc ID US 20110265188 A1).
Regarding claim 7:
The combination of XU and SHARIFI teaches:
The method of claim 1, wherein the checking request further includes a requester identifier of a requester (XU (42) Col 13 lines 14-17 "The request may include information identifying the requesting entity and may include a resource identifier ...");
Examiner notes that the specification of the instant application indicates that the "user" and "requester" may be the same entity.
wherein the method further comprises checking whether the requester is permitted to access the resource (XU (43) Col 13 lines 41-44 "… the authorization service evaluates 712 whether a permission element in the permission set determined in step 710 includes permissions sufficient to grant access to the resource element requested.");
RAMASWAMY teaches the following limitation(s) not taught by the combination of XU and SHARIFI:
wherein the generating an access explanation of whether the user is permitted to access the resource includes: in response to the requester being permitted to access a part of the resource, generating the access explanation based on the one or more permission responses received and the part of the resource that the requester is permitted to access ([0041] "… certain GUI elements corresponding to permitted application elements, such as data objects 205, may be displayed …").
Providing information about specifically which resources a user does and does not have access to is a known technique in the art, as demonstrated by RAMASWAMY. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU and SHARIFI with the detailed user permission details of RAMASWAMY with the motivation to provide information to a user showing unpermitted resources as well as the standard permitted resources in order to allow the user to consider whether they should be granted access to resources which they currently are not allowed to access.
Regarding claim 18:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 7 above.
Claims 10, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over XU et al (Doc ID US 10812482 B1) and SHARIFI (Doc ID US 10454975 B1) as applied to claims 8 and 12 above, and further in view of BUTCHER et al (Doc ID US 20220159003 A1).
Regarding claim 10:
The combination of XU and SHARIFI teaches:
The method of claim 8,
BUTCHER teaches the following limitation(s) not taught by the combination of XU and SHARIFI:
wherein the first component is governed by a first access control type and the second component is governed by a second access control type, wherein the second access control type is different from the first access control type ([0069] "… the multiple, different types of policy classes can include ... a role-based access control (RBAC) policy class, ... and/or any other type of policy class utilized in the context of an access control policy." and [0073] "… the policy decision module 718 can compute the access control decision 810 as a single access control decision across the different types of the multiple policy classes 730 of the NGAC graph.").
Assessing permission details from resources using different access control protocols is a known technique in the art, as demonstrated by BUTCHER. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU and SHARIFI with the hybridized access-control method of BUTCHER with the motivation to gather permission information from a variety of sources which may use different access protocols from each other. This is more versatile than basing access decisions only on resources sharing a single protocol.
Regarding claim 11:
The combination of XU, SHARIFI, and BUTCHER teaches:
The method of claim 10, wherein the first component is associated with a first action type and the second component is associated with a second action type, wherein the second action type is different from the first action type (BUTCHER [0022] "... The NGAC graph 100 ... can include any number and different types of resources that are modeled as object elements 108 [multiple differing objects] objects in the object section 104 of the graph." and [0029] "... Generally, the association 126 ... defines the authorization of access rights between policy elements, such as for operations [action types] to read, write, create, and/or delete policy elements and relations. In this example, the policy permissions indicated by the association 126 allow the user elements 106 to perform operations on contents of the object elements [different objects may be associated with different action types] 108 that represent the various resources ...").
Assessing permission details from resources which perform different action operations is a known technique in the art, as demonstrated by BUTCHER. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the permission granting based on associated resources of XU and SHARIFI with the versatile resource action types of BUTCHER with the motivation to gather permission information from a variety of sources which may perform actions different from each other. This is more versatile than basing access decisions only on resources which all perform the same action.
Regarding claim 19:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claims 10 and 11 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BB/Examiner, Art Unit 2437
/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437