DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
The following is a Final Office action in response to communications received 05/18/2026.
Terminal Disclaimer
The terminal disclaimer filed on 05/18/2026 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 9571577 has been reviewed and is accepted. The terminal disclaimer has been recorded.
Response to Amendment
Claims 1, 8, 11, and 18 have been amended.
Claims 7 and 17 have been cancelled.
Claims 1-6, 8-16, and 18-20 have been examined.
The double patenting rejection is withdrawn in light of the terminal disclaimer.
Applicant’s arguments with respect to claims 1 and 11 regarding the new limitations: “furthermore the access policy designates for a second group of user devices, a second read time window for reading data from the storage unit and a second write time window for writing data to the storage unit, wherein the first read time window differs from the first write time window and the first read time window and the first write time window also differ from the second read time window and the second write time window”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negated by the manner in which the invention was made.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-6, 8, 11-16, and 18 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over prior art of record US 20040015724 to Pham et al (hereinafter Pham) and US 20090007229 to Stokes et al (hereinafter Stokes).
As per claims 1 and 11, Pham teaches:
A method for use in a storage network, the method comprising:
receiving, by a storage unit of the storage network, an access request from a user device of a first group of user devices, the storage unit having an access policy that designates, for the first group of user devices, (Pham: [0035]: the secure network file access appliance 12 processes file data read and write requests in aggregate at wire-speed and with minimal latency in qualifying the access privileges of each read, write, and related file access request. [0037]: a user 28 may represent an individual or a remotely connected computer system. [0059]: A preferred basic policy set essentially defines the combinations of source IPs, user identifiers, and group identifiers permitted access through the mount point. Multiple policy sets can be applicable to the same mount point, differing in the specification of source IPs, user identifiers, and group identifiers. [0066]: The principle NFS/CIFS transactions tracked include Read, Write, and Create. The Read transaction, following from an inbound read request for file data defined by an offset and range. [0067]: A write transaction includes receiving a write request);
when the access request is the read request (Pham: [0102] Where the read request complies with the defined policy requirements, the file related access control information is optionally read 288 from the network storage resources 16 to confirm existence of the file and evaluate applicable read data permissions. [0103] As the requested logical access blocks 224.sub.A-X are received 294, error correction is applied 296, depending on whether the LAB ECC field 246 is present. Finally, as file data is received and processed in response to the outbound read request, the file data identified in the inbound read request is assembled 304 into one or more reply network file dot packets and returned); and
when the access request is the write request (Pham: [0108] The preferred process 360 of performing an NFS/CIFS write request transaction is shown in FIG. 12B. The received write file data request is received and processed 362 to expose the network control information 114. This information is then parsed 364 against the established policies 180, 182, with any compliance failures being reported 386. A file lock is asserted against the range logical access blocks 224.sub.A-X. Data from the terminal logical access blocks 224A, 224X are merged 384 with the write data 342 and the combined data is resegmented 386, compressed 388 as appropriate, and encrypted 390. As applicable, LAB ECC values are computed and added 392 to the assembled 394 series of logical access blocks 224 A-X. As the logical access blocks 224 A-X are assembled, one or more write network file data packets are constructed and sent to the network storage resources 16).
Pham does not teach: an access policy that designates a first read time window for reading data from the storage unit and a first write time window for writing data to the storage unit and furthermore the access policy designates for a second group of user devices, a second read time window for reading data from the storage unit and a second write time window for writing data to the storage unit, wherein the first read time window differs from the first write time window and the first read time window and the first write time window also differ from the second read time window and the second write time window; determining, by the storage unit, whether the access request is received within the first read time window when the access request is a read request or whether the access request is received within the first write time window when the access request is a write request; when the access request is the read request and is received within the first read time window; and when the access request is the write request and is received within the first write time window. However, Stokes teaches:
an access policy that designates a first read time window for reading data from the storage unit and a first write time window for writing data to the storage unit and furthermore the access policy designates for a second group of user devices, a second read time window for reading data from the storage unit and a second write time window for writing data to the storage unit, wherein the first read time window differs from the first write time window and the first read time window and the first write time window also differ from the second read time window and the second write time window (Stokes: [0022]: For example, one access control structure can permit a particular user access to both read to and write from a file during business hours (8:00 AM to 5:00 PM), with a different access control structure permitting that same user access to read from the file, but not write to the file outside business hours. Access control structure selector 155 can use the current value of clock 145 to select the appropriate access controls, i.e., the write time window is business hours of 8:00 AM to 5:00 PM while the read time is business hours and non-business hours which is different from the write time window. [0028]: . Consider, for example, an accounting folder that holds confidential accounting data. Corporate policy might dictate that read/write access to the accounting folder is available only during normal business hours. But there might be an employee in the accounting department (first group of users) who needs extended access to the folder, to be able to conduct reviews of the accounting data outside normal business hours. Further, the company might be having an auditor (second group of users) perform an audit of the accounting data: the auditor needs read/write access to the accounting folder, but only during normal business hours, and only for a two-week interval (while the audit is occurring), i.e., the auditor’s read/write time window is limited to business hours of only a two-week interval which is different from the accounting department employee’s read/write time window. Each of these policies can be implemented using a different access control structure 135, as shown in FIGS. 2A-2C. [0029]-[0032]);
determining, by the storage unit, whether the access request is received within the first read time window when the access request is a read request or whether the access request is received within the first write time window when the access request is a write request (Stokes: [0022] Access control logic 150 is responsible for using the available information (such as access control structure 135, user identifier 140, and clock 145) to determine whether or not to grant a user's request for access to resource 130. For example, one access control structure can permit a particular user access to both read to and write from a file during business hours (8:00 AM to 5:00 PM), with a different access control structure permitting that same user access to read from the file, but not write to the file outside business hours. Access control structure selector 155 can use the current value of clock 145 to select the appropriate access controls. [0040]: Read and/or write access to various data files associated with the resource);
when the access request is the read request and is received within the first read time window; and when the access request is the write request and is received within the first write time window (Stokes: [0040]: Request 505 can also include the level of access to the resource desired by the user. As discussed above, this can include read-only access, read/write access, or any other level of access appropriate to the type of resource. Read and/or write access to various data files associated with the resource. [0045] At block 835 (FIG. 8B), the system receives a request for the resource. At block 840, the system determines the access type (that is, the access level requested). At block 845, the system determines a current clock value. As shown and discussed above with reference to FIGS. 1-3, the current clock value can indicate the current time of the day, the current day of the week, or the current calendar date, as specified by the applicable access controls. At block 850, the system identifies access controls that are applicable to the requested resource. [0046] At block 855 (FIG. 8C), the system determines whether to grant or deny the access request. If the decision is to grant the access request, then at block 860 the system grants the request to access the resource. Otherwise, at block 865 the system denies the request to access the resource).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to employ the teachings of Stokes in the invention of Pham to include the above limitations. The motivation to do so would be to use current date and/or time in conjunction with the access control structure to determine what level of access, if any, the user is granted (Stokes: [0006]).
As per claims 2 and 12, Pham in view of Stokes teaches:
The method of claim 1, further comprising: providing the access policy to the first group of user devices (Pham: [0057]: In particular, IP layer data provides source and destination IPs, permitting specific access constrains to be defined against defined clients, individually or by subnets. [0059]: A preferred basic policy set essentially defines the combinations of source IPs, user identifiers, and group identifiers permitted access through the mount point).
As per claims 3 and 13, Pham in view of Stokes teaches:
The method of claim 1, further comprising: providing the access policy to the storage unit of the storage network (Pham: [0033]: protected network storage resources 16, such as a SAN 18 and network attached storage devices 20. [0057]: The standard NFS/CIFS layer data provides the requesting user UID and GID, as well as the fully qualified file or directory reference, including generally a mount point, file system path, and applicable file name. Successful discrimination of the policy sets against the provided information 114, 122 enables and qualifies the processing of network file packets transported relative to the network storage resources 16. [0064]: The policy set associated with the mount point /dev/hd_c preferably enables read-write access to the network storage resources 156 (storage unit)).
As per claims 4 and 14, Pham in view of Stokes teaches:
The method of claim 1, further comprising: providing the access policy to other storage units of the storage network (Pham: [0033]: protected network storage resources 16, such as a SAN 18 and network attached storage devices 20. [0057]: The standard NFS/CIFS layer data provides the requesting user UID and GID, as well as the fully qualified file or directory reference, including generally a mount point, file system path, and applicable file name. Successful discrimination of the policy sets against the provided information 114, 122 enables and qualifies the processing of network file packets transported relative to the network storage resources 16. [0064]: The policy set for the virtual mount point /dev/td_d preferably provides for the encryption and compression of previously unencrypted files upon writing to the archival network storage resources 158 (other storage units)).
As per claims 5 and 15, Pham in view of Stokes teaches:
The method of claim 4, further comprising: establishing the access policy (Pham: [0015]: Multiple access policies are established to differentially qualify received file access requests).
As per claims 6 and 16, Pham in view of Stokes teaches:
The method of claim 5, wherein establishing the access policy comprises: designating a read-write time window for a user device of the first group of user devices, wherein the read-write time window allows for reading of data from the storage unit and writing of data to the storage unit, wherein the read-write time window at least partially overlaps, in time, one or more of the first read time window and the first write time window (Pham: [0064]: The policy set associated with the mount point /dev/hd_c preferably enables read-write access to the network storage resources 156. [0067]: An NFS/CIFS Write transaction requires a read/modify/write operation where existing stored file data is encrypted or compressed. A write transaction includes receiving a write request, building a lock request with a write lock offset adjusted back to an encryption and compression block boundary and the range adjusted to allow for the encryption and compression of the file data through to the end of a block boundary. The next transaction states include issuing a read request for any initial and final partial file data page including the adjusted write offset and range terminus, decrypting, decompressing and modifying the read data page to include the corresponding parts of the file write data as received from the client, encrypting and, as appropriate, compressing the file write data, and building and issuing corresponding write requests to the network storage resources 156. Stokes: [0022] Access control logic 150 is responsible for using the available information (such as access control structure 135, user identifier 140, and clock 145) to determine whether or not to grant a user's request for access to resource 130. For example, one access control structure can permit a particular user access to both read to and write from a file during business hours (8:00 AM to 5:00 PM), with a different access control structure permitting that same user access to read from the file, but not write to the file outside business hours, i.e., the read-write time window partially overlaps with the read time window).
The examiner provides the same rationale to combine prior arts Pham and Stokes as in claims 1 and 11 above.
As per claims 8 and 18, Pham in view of Stokes teaches:
The method of claim 1, wherein the first group of user devices is affiliated with a first vault that is supported by the storage unit and wherein the second group of user devices is affiliated with a second vault that is supported by at least one of the other storage units (Pham: [0063]: The further constraints represented by the selected policy set are concurrently used to determine how the network file data packet is to be processed. For example, otherwise authorized clients 152, 154 (first group of user devices) accessing the network resource 156 through the /dev/hd_a virtual mount point (first vault) may be constrained to read-only NFS/CIFS transactions. The separate policy set associated with the /dev/hd_b virtual mount point (second vault) may support read-write access by only a well defined set of UIDs, further constrained to NFS/CIFS requests originating from a defined subnetwork (second group of user devices)).
Claims 9 and 19 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pham in view of Stokes as applied to claims 1 and 11 above, and further in view of prior art of record US 7120933 to Mattsson (hereinafter Mattsson).
As per claims 9 and 19, Pham in view of Stokes does not teach the limitations of claim 9. However, Mattson teaches:
further comprising: updating the access policy based on a current level of utilization of the storage unit (Mattsson: column 2, lines 14-25: receiving a query
from a user, comparing a result of the query with the item access rates defined in the profile associated with the user, determining whether the query result
exceeds the item access rates, and in that case notifying the access control system to alter the user authorization).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to employ the teachings of Mattsson in the invention of Pham in view of Stokes to include the above limitations. The motivation to do so would be to provide a method and a system for intrusion detection (Mattsson: column 2, lines 12-13).
Claims 10 and 20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pham in view of Stokes as applied to claims 1 and 11 above, and further in view of prior art of record US 20050008163 to Leser et al (hereinafter Leser).
As per claims 10 and 20, Pham in view of Stokes does not teach the limitations of claim 10. However, Leser teaches:
further comprising: updating the access policy to render a particular data object unavailable to the first group of user devices (Leser: [0097]: The invention and its preferred embodiments guarantee that changes to the control policy will be propagated to end users and ultimately experienced by those users when they next access the data objects protected by that changed policy. Claim 19: revoking a user's access to the data object upon detection of the changes to the control policy that prevent that user from further access to the data object).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to employ the teachings of Leser in the invention of Pham in view of Stokes to include the above limitations. The motivation to do so would be to provide a unique approach that addresses all of the necessary features for a rights management system targeting dynamic, distributed, collaborative contexts (Leser: [0018]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
MADHURI R. HERZOG
Primary Examiner
Art Unit 2438
/MADHURI R HERZOG/Primary Examiner, Art Unit 2438