Prosecution Insights
Last updated: April 18, 2026
Application No. 18/902,713

ROLE-BASED OBJECT IDENTIFIER SCHEMA

Non-Final OA §103 §DP
Filed: Sep 30, 2024
Examiner: CHIANG, JASON
Art Unit: 2431
Tech Center: 2400 — Computer Networks
Assignee: Wells Fargo Bank N A
OA Round: 1 (Non-Final)
Grant Probability: 83% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 99%

Examiner Intelligence

Grants 83% — above average
Career Allow Rate: 83% (450 granted / 542 resolved), +25.0% vs TC avg
Strong +29% interview lift
Interview Lift: +28.6% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m
21 currently pending
Career history
Total Applications: 563 across all art units

Statute-Specific Performance

§101: 10.7% (-29.3% vs TC avg)
§103: 57.9% (+17.9% vs TC avg)
§102: 8.2% (-31.8% vs TC avg)
§112: 8.9% (-31.1% vs TC avg)
Based on career data from 542 resolved cases

Office Action

§103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This action is in response to the communication filed on 09/30/2024. Claims 1-20 are under examination. The Information Disclosure Statements filed on 12/19/2024 has been entered and considered.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,520,909 B1 in view of Ackerly (US 2017/0063816 A1). The subject matter claimed in the instant application is disclosed in the patent and is covered by the patent except limitations regarding “the first application comprises an application for a Hardware Security Module (HSM) of the first server, the third application comprises an application for an HSM of the second server”. However, Ackerly in the field related to Role-based access control teaches this feature. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ackerly with the motivation for safeguarding and managing encryption keys as taught by Ackerly (Ackerly: par. 0132).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jadhav et al. (US 20200007555 A1), Ackerly (US 2017/0063816 A1) and Tewari et al. (US 2018/0337915 A1).

Regarding claim 1, Jadhav et al. discloses A first server [Fig. 1A, par. 0060, server], comprising: one or more processing circuits configured to execute: a first application permitted to be accessed or modified by a first application-specific role of a first user [abs, “The IAM tool can manage user identity and user access rights for multiple applications in the platform environment. The IAM tool can also employ a unified IAM database, which stores user profiles that each describes user access rights for a user in one or more applications”, par. 0016, “map the user roles, identity, and/or access privileges across different applications”], wherein the first application-specific role is equivalent to a first role-based object identifier (RBOID); and a second application permitted to be accessed or modified by a second application-specific role of a second user [par. 0016, “the IAM tool can enable the setting of an overall user role for the user, which can then be propagated to a corresponding and/or analogous user role for the user in the various applications in the platform. For example, specifying administrative privileges for the user in the IAM tool can cause the tool to propagate the administrative privileges to the various applications, such that the user is designated as an admin on the various applications… map the user roles, identity, and/or access privileges across different applications”], wherein the second application comprises one of hardware, software, or Operating System (OS) of the first server, the fourth application comprises at least one of hardware, software, or OS of the second server [par. 0024, “Implementations provide for access control of managed services of any platform from a single service that is the IAM tool. In some examples, a particular platform can support connectors to the platform's software application stack, which enables operators using the IAM tool to control user access rights within the various software applications”].

Jadhav et al. does not explicitly disclose wherein the first application comprises an application for a Hardware Security Module (HSM) of the first server, the third application comprises an application for an HSM of the second server.

However Ackerly teaches the first application comprises an application for a Hardware Security Module (HSM) of the first server [par. 0055, Role-Based Access Control (RBAC), par. 0098, “the customer key service 201 may implement a hardware security module that provides the functionality described above in connection with the customer key service”, par. 0075, “execute a second component for verifying that a role associated with the user is a role identified in the information 208. By way of example, the information 208 may specify that cardiologists at a particular hospital may receive a subset of the information 208 (e.g., the cryptographic key) and the user of the second client device 102b may indicate he is a doctor at the particular hospital”], the third application comprises an application for an HSM of the second server [par. 0075, “the functionality provided by the access control management system 202 is distributed across a plurality of machines 106” (second server with HSM application), par. 0132, “a system for distributing encrypted cryptographic information including a hardware security module (HSM) 220 for safeguarding and managing encryption keys. The HSM 220 may include the key issue mechanism”, par. 0115, “execute a second component for verifying that a role associated with the user is a role identified in the information 208”].

Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ackerly into the teaching of Jadhav et al. with the motivation for safeguarding and managing encryption keys as taught by Ackerly [Ackerly: par. 0132].

They do not explicitly disclose wherein the second application-specific role is equivalent to a second RBOID different from the first RBOID, wherein the first RBOID is equivalent to a third application-specific role of a third user permitted to access or modify a third application of a second server, and the second RBOID is equivalent to a fourth application-specific role of a fourth user permitted to access or modify a fourth application of the second server.

However, Tewari et al. teaches wherein the second application-specific role is equivalent to a second RBOID different from the first RBOID, wherein the first RBOID is equivalent to a third application-specific role of a third user permitted to access or modify a third application of a second server, and the second RBOID is equivalent to a fourth application-specific role of a fourth user permitted to access or modify a fourth application of the second server [abs, “Systems and methods for role-based access control to computing resources are presented”, par. 0018, “The resources 116 provided on the infrastructure 106 may be any application or other executable system that may communicate with one or more of the client devices 120 to perform one or more operations at the request of the client devices 120”, par. 0030, “a higher-level role identifier 308 (e.g., role identifier 308B) includes all of the resource 116 access granted to roles associated with the lower-level role identifiers 308 (e.g., role identifiers 308C and 308D) of the higher-level role identifier 308 (e.g., role identifier 308B), plus at least one additional access type 404 associated with a resource identifier 402 that may or may not be associated with the lower-level role identifiers 308. In example embodiments, the role hierarchy 600 of FIG. 6 may be represented by way of pointers or other referential data in the role data store 202 of FIG. 5”, second RBOID is second client device (second entity) with role assigned similar to Role 308B, par. 0017, servers].

Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Tewari et al. into the teaching of Jadhav et al. and Ackerly with the motivation for role-based control of access to computing resources as taught by Tewari et al. [Tewari et al.: par. 0048].

Regarding claim 2, the rejection of claim 1 is incorporated. Ackerly further teaches the first RBOID and the first application-specific role corresponds to one of: hardware, firmware, or software for the HSM of the first server; or at least one cryptographic key of the HSM of the first server [par. 0055, Role-Based Access Control (RBAC), par. 0098, “the customer key service 201 may implement a hardware security module that provides the functionality described above in connection with the customer key service”, par. 0075, “execute a second component for verifying that a role associated with the user is a role identified in the information 208. By way of example, the information 208 may specify that cardiologists at a particular hospital may receive a subset of the information 208 (e.g., the cryptographic key) and the user of the second client device 102b may indicate he is a doctor at the particular hospital”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ackerly into the teaching of Jadhav et al. with the motivation for safeguarding and managing encryption keys as taught by Ackerly [Ackerly: par. 0132].

Regarding claim 3, the rejection of claim 1 is incorporated. Ackerly further teaches the first RBOID and the third application-specific role corresponds to one of: hardware, firmware, or software for the HSM of the second server; or at least one cryptographic key of the HSM of the second server [par. 0075, “the functionality provided by the access control management system 202 is distributed across a plurality of machines 106” (second server with HSM application), par. 0132, “a system for distributing encrypted cryptographic information including a hardware security module (HSM) 220 for safeguarding and managing encryption keys. The HSM 220 may include the key issue mechanism”, par. 0115, “execute a second component for verifying that a role associated with the user is a role identified in the information 208”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ackerly into the teaching of Jadhav et al. with the motivation for safeguarding and managing encryption keys as taught by Ackerly [Ackerly: par. 0132].

Regarding claim 4, the rejection of claim 1 is incorporated. Ackerly further teaches the second RBOID and the second application-specific role corresponds to the hardware or the OS of the first server; and the second RBOID and the fourth application-specific role corresponds to the hardware or the OS of the second server [par. 0055, Role-Based Access Control (RBAC), par. 0098, “the customer key service 201 may implement a hardware security module that provides the functionality described above in connection with the customer key service”, par. 0075, “execute a second component for verifying that a role associated with the user is a role identified in the information 208. By way of example, the information 208 may specify that cardiologists at a particular hospital may receive a subset of the information 208 (e.g., the cryptographic key) and the user of the second client device 102b may indicate he is a doctor at the particular hospital”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ackerly into the teaching of Jadhav et al. with the motivation for safeguarding and managing encryption keys as taught by Ackerly [Ackerly: par. 0132].

Regarding claim 5, the rejection of claim 1 is incorporated. Jadhav et al. further disclose the first application-specific role, the second application-specific role, the third application-specific role, and the fourth application-specific role are different; and the first user, the second user, the third user, and the fourth user are different [par. 0021, “the IAM tool employs a unified IAM database.. that stores a user profile for one or more users. The user profile can specify the access rights for the user in one or more of the various applications on the platform... The IAM database can provide for the centralized management of users and/or user groups across multiple applications. In some implementations, an organizational unit (OU) can be specified in the database for each application. The OU can include any appropriate number of users groups, which each define a particular set of access rights for the particular application. If a user is a member of a user group, that can indicate that the user has the corresponding access rights to the corresponding application as specified by the user group” (different user may have different user role for different application)].

Regarding claim 6, the rejection of claim 1 is incorporated. Jadhav et al. further disclose the first RBOID instead of the first application-specific role grants access and permission to the first application; the second RBOID instead of the second application-specific role grants access and permission to the second application; the first RBOID instead of the third application-specific role grants access and permission to the third application; and the second RBOID instead of the fourth application-specific role grants access and permission to the fourth application [par. 0021, “the IAM tool employs a unified IAM database.. that stores a user profile for one or more users. The user profile can specify the access rights for the user in one or more of the various applications on the platform... The IAM database can provide for the centralized management of users and/or user groups across multiple applications. In some implementations, an organizational unit (OU) can be specified in the database for each application. The OU can include any appropriate number of users groups, which each define a particular set of access rights for the particular application. If a user is a member of a user group, that can indicate that the user has the corresponding access rights to the corresponding application as specified by the user group”, par. 0026, “provide a mapping between user roles for different applications, where each user role corresponds to a set of access rights on an application. For example, a role of admin on Application A may be mapped to a role of superuser on Application B, indicating that the roles correspond to the same, or similar, sets of access rights on Application A and Application B”].

Regarding claim 7, the rejection of claim 1 is incorporated. Jadhav et al. further disclose a same user identifier is associated with the first RBOID and the second RBOID [par. 0041, “a user profile 114 can include a user ID 202, such as a unique ID for a particular user 120... The user profile 114 for a user 120 can also include user group information 206 that describes one or more user groups 208 in which the user 120 has been designated as a member. As described above, each user group 208 can be associated with a particular application 104 and a particular set of access rights on that application 104”].

Regarding claim 8, it recites limitations like claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 9, it recites limitations like claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 10, it recites limitations like claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 11, it recites limitations like claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 12, it recites limitations like claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 13, it recites limitations like claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 14, it recites limitations like claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 15, it recites limitations like claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 16, it recites limitations like claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 17, it recites limitations like claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 18, it recites limitations like claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 19, it recites limitations like claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 20, it recites limitations like claim 6. The reason for the rejection of claim 6 is incorporated herein.

Conclusion

The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:

US 8291490 B1 Tenant life cycle management for a software as a service platform
US 6574736 B1 Composable roles
US 20020095571 A1 Computer security system
US 20120131646 A1 ROLE-BASED ACCESS CONTROL LIMITED BY APPLICATION AND HOSTNAME
US 20040083367 A1 Role-based authorization management framework
US 20090025063 A1 Role-based access control for redacted content
US 20090282240 A1 Secure Decentralized Storage System
US 7702693 B1 Role-based access control enforced by filesystem of an operating system
US 20210224409 A1 CONTAINER-CENTRIC ACCESS CONTROL ON DATABASE OBJECTS
US 20100011438 A1 Role-Based Privilege Management
US 20160098572 A1 Providing Integrated Role-based Access Control
US 20070230706 A1 Method And Apparatus For Facilitating Role-based Cryptographic key Management For A Database
US 20100095118 A1 CRYPTOGRAPHIC KEY MANAGEMENT SYSTEM FACILITATING SECURE ACCESS OF DATA PORTIONS TO CORRESPONDING GROUPS OF USERS

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached on 9 AM to 6 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JASON CHIANG/
Primary Examiner, Art Unit 2431

Prosecution Timeline

Sep 30, 2024
Application Filed
Mar 24, 2026
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602497
VERIFIABLE ATTRIBUTE MAPS
2y 5m to grant Granted Apr 14, 2026
Patent 12598208
Infrastructure as Code (IaC) scanner for infrastructure component security
2y 5m to grant Granted Apr 07, 2026
Patent 12561468
Methods and Systems for Tenancy in a Multitenant Environment
2y 5m to grant Granted Feb 24, 2026
Patent 12549555
ROLE AND ATTRIBUTE BASED DATA MULTI-TENANCY ARCHITECTURE
2y 5m to grant Granted Feb 10, 2026
Patent 12531838
INFORMATION MANAGEMENT SYSTEM HAVING FIREWALL WITH TRANSPARENCY SETTING FUNCTION
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 83%
With Interview: 99% (+28.6%)
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 542 resolved cases by this examiner. Grant probability derived from career allow rate.
