DETAILED ACTION
Claims 1-18 are pending in this action.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3, 4, 10, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over YAN et al. (US 2020/0057865A1) [hereinafter “YAN”] in view of Benedetti et al. (US12143395B2) [hereinafter “Benedetti”].
As per claim 1, YAN discloses a data management method, wherein the method comprises: receiving, by a data storage entity, a data access request sent from a client (YAN, [0029]: “In 310, an accessing request to the database system 200 is received from one member (referred to as “a first member”) among multiple members”). YAN further discloses sending, by the data storage entity, corresponding data to the client (YAN, [0039]: “According to the implementation of the present disclosure, in 330 it may be judged based on the rule set 222 whether the first member has the right to execute the requested operation to a corresponding object. If it is confirmed the accessing request conforms to related regulations in the rule set 222, then the first member is allowed to execute the accessing request; otherwise, the first member may be rejected to execute the accessing request.” The Examiner interprets “allowed to execute the accessing request” in the context of a database access request as necessarily including retrieving and providing the requested corresponding data to the requesting member). YAN does not explicitly disclose generating, by the data storage entity, an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receiving, by the data storage entity, a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission.
However, Benedetti in the same field of endeavor discloses generating, by the data storage entity, an access permission verification request based on the data access request (Benedetti, (4): “One embodiment may comprise receiving a request for accessing a managed resource of an information system, querying an authorization for accessing the resource from an access manager, and in response to the querying of the authorization, requesting an access control policy update to grant the access to the managed resource.”), and sending the access permission verification request to a distributed ledger node (Benedetti, Abstract: “the blockchain network comprising a plurality of nodes associated with at least one of an asset owner function, an administrator function, and an auditor function. The peer node may be adapted to record a request access record from a user of an information system in a distributed ledger, record an owner approval record from the asset owner function, the owner approval record responsive to the request access record in the distributed ledger, execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”), wherein the access permission verification request is for verifying whether the client has data access permission (Benedetti, (4): “… requesting an access control policy update to grant the access to the managed resource. Receiving the request, querying the authorization, and requesting the access control policy”), and the access permission verification request carries an identifier of the client and/or an identifier of a user (Benedetti, (22): “A user seeking authorization to a managed asset in an IT system submits a request for access, typically providing a justification to the access management process orchestrator…The process orchestrator determines who is the owner of the managed asset and/or the IT system, and routes the request to it;”); receiving, by the data storage entity, a first access permission verification response sent from the distributed ledger node (Benedetti, (28): “transactions may be guaranteed to be accepted in the distributed ledger if and only if the network reached consensus that they are valid”), wherein the first access permission verification response indicates that the client has the data access permission (Benedetti, (5): “execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generating, by the data storage entity, an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receiving, by the data storage entity, a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating distributed ledger-based consensus verification to improve security, transparency, and resistance to unauthorized modification of access permissions would enhance the reliability of YAN’s access control system.
As per claim 3, YAN discloses the method according to claim 1. YAN further discloses wherein the generating, by the data storage entity, an access permission verification request based on the data access request comprises: generating, by the data storage entity (YAN, [0029]: “In 310, an accessing request to the database system 200 is received from one member (referred to as “a first member”) among multiple members”… “According to the implementation of the present disclosure, in 330 it may be judged based on the rule set 222 whether the first member has the right to execute the requested operation to a corresponding object. If it is confirmed the accessing request conforms to related regulations in the rule set 222, then the first member is allowed to execute the accessing request; otherwise, the first member may be rejected to execute the accessing request.” The Examiner interprets “allowed to execute the accessing request” in the context of a database access request as necessarily including retrieving and providing the requested corresponding data to the requesting member). YAN does not disclose the access permission verification request based on a smart contract and the data access request. However, Benedetti in the same field of endeavor discloses the access permission verification request based on a smart contract and the data access request (Benedetti, [69]: “The executing of the smart contract may trigger a trusted modification(s) to a state of a digital blockchain ledger. The modification(s) to the blockchain ledger caused by the smart contract execution may be automatically replicated throughout the distributed network of blockchain peers through one or more consensus protocols in some embodiments.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to the access permission verification request based on a smart contract and the data access request as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating smart contract-based authorization logic deployed on a distributed ledger automates access approval, enforces authorization policies, and improves auditability and trustworthiness of access control decisions.
As per claim 4, YAN discloses the method according to claim 1. YAN further discloses wherein the method further comprises: receiving, by the data storage entity, a data update request sent from the client (YAN, [0029]: “In 310, an accessing request to the database system 200 is received from one member (referred to as “a first member”) among multiple members”). YAN further discloses updating, by the data storage entity, the data corresponding to the client (YAN, [0039]: “According to the implementation of the present disclosure, in 330 it may be judged based on the rule set 222 whether the first member has the right to execute the requested operation to a corresponding object. If it is confirmed the accessing request conforms to related regulations in the rule set 222, then the first member is allowed to execute the accessing request; otherwise, the first member may be rejected to execute the accessing request.” The Examiner interprets “allowed to execute the accessing request” in the context of a database access request as necessarily including retrieving and providing the requested corresponding data to the requesting member). YAN does not disclose generating, by the data storage entity, an update permission verification request based on the data update request, and sending the update permission verification request to the distributed ledger node, wherein the update permission verification request is for verifying whether the client has data update permission, and the update permission verification request carries the identifier of the client and/or the identifier of the user; receiving, by the data storage entity, a first update permission verification response sent from the distributed ledger node, wherein the first update permission verification response indicates that the client has the data update permission.
However, Benedetti in the same field of endeavor discloses generating, by the data storage entity, an update permission verification request based on the data update request, ([ Benedetti, (Abstract)” querying an authorization for accessing the resource from an access manager, and in response to the querying of the authorization, requesting an access control policy update to grant the access to the managed resource ”) and sending the update permission verification request to the distributed ledger node, ([ Benedetti, [claim1” generating a transaction record; and adding the transaction record to a distributed ledger, wherein the distributed ledger simultaneously maintains the transaction record at multiple nodes throughout the blockchain network, wherein requesting the access control policy update comprises executing a smart contract that processes transactions in the distributed ledger.” The Examiner interprets “adding the transaction record to a distributed ledger” as necessarily including transmitting the transaction record to at least one distributed ledger node for validation and smart contract execution, which constitutes sending the update permission verification request to the distributed ledger node.) wherein the update permission verification request is for verifying whether the client has data update permission, ([ Benedetti, (4)”… requesting an access control policy update to grant the access to the managed resource. 
Receiving the request, querying the authorization, and requesting the access control policy”) and the update permission verification request carries the identifier of the client and/or the identifier of the user;([ Benedetti, (22)” A user seeking authorization to a managed asset in an IT system submits a request for access, typically providing a justification to the access management process orchestrator…The process orchestrator determines who is the owner of the managed asset and/or the IT system, and routes the request to it;”) receiving, by the data storage entity, a first update permission verification response sent from the distributed ledger node, ([ Benedetti, (28)]” transactions may be guaranteed to be accepted in the distributed ledger if and only if the network reached consensus that they are valid” ) wherein the first update permission verification response indicates that the client has the data update permission;([ Benedetti, (28 ), (72)]” receiving an approval of the request for the access control policy update from the owner of the information system; and in response to the approval of the request for the access control policy update…(28) ” and “The proposal response 592 may then be sent back to the client 560, along with an endorsement signature, if approved.” (72)).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generating, by the data storage entity, an update permission verification request based on the data update request, and sending the update permission verification request to the distributed ledger node, wherein the update permission verification request is for verifying whether the client has data update permission, and the update permission verification request carries the identifier of the client and/or the identifier of the user; receiving, by the data storage entity, a first update permission verification response sent from the distributed ledger node, wherein the first update permission verification response indicates that the client has the data update permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because Benedetti teaches using a distributed ledger based access management governance orchestrator to validate and enforce authorization decisions in a tamper-resistant and auditable manner, thereby improving security, transparency, and resistance to unauthorized privilege escalation when managing access and update permissions.
As per claim 10, YAN discloses a communication apparatus, comprising a processor coupled to a memory storing instructions, which when executed by the processor, cause the communication apparatus to: receive a data access request sent from a client (YAN, [0029]: “In 310, an accessing request to the database system 200 is received from one member (referred to as “a first member”) among multiple members”). YAN further discloses send corresponding data to the client (YAN, [0039]: “According to the implementation of the present disclosure, in 330 it may be judged based on the rule set 222 whether the first member has the right to execute the requested operation to a corresponding object. If it is confirmed the accessing request conforms to related regulations in the rule set 222, then the first member is allowed to execute the accessing request; otherwise, the first member may be rejected to execute the accessing request.” The Examiner interprets “allowed to execute the accessing request” in the context of a database access request as necessarily including retrieving and providing the requested corresponding data to the requesting member). YAN does not explicitly disclose generate an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receive a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission.
However, Benedetti in the same field of endeavor discloses generate an access permission verification request based on the data access request, ([ Benedetti, (4)” One embodiment may comprise receiving a request for accessing a managed resource of an information system, querying an authorization for accessing the resource from an access manager, and in response to the querying of the authorization, requesting an access control policy update to grant the access to the managed resource. ”) and sending the access permission verification request to a distributed ledger node, ([ Benedetti, [Abstract]” the blockchain network comprising a plurality of nodes associated with at least one of an asset owner function, an administrator function, and an auditor function. The peer node may be adapted to record a request access record from a user of an information system in a distributed ledger, record an owner approval record from the asset owner function, the owner approval record responsive to the request access record in the distributed ledger, execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”) wherein the access permission verification request is for verifying whether the client has data access permission, ([ Benedetti, (4)”… requesting an access control policy update to grant the access to the managed resource. 
Receiving the request, querying the authorization, and requesting the access control policy”) and the access permission verification request carries an identifier of the client and/or an identifier of a user;([ Benedetti, (22)” A user seeking authorization to a managed asset in an IT system submits a request for access, typically providing a justification to the access management process orchestrator…The process orchestrator determines who is the owner of the managed asset and/or the IT system, and routes the request to it;”) receive a first access permission verification response sent from the distributed ledger node, , ([ Benedetti, (28)” transactions may be guaranteed to be accepted in the distributed ledger if and only if the network reached consensus that they are valid” )wherein the first access permission verification response indicates that the client has the data access permission. ([ Benedetti, (5)” execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generate an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receive a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating distributed ledger-based consensus verification to improve security, transparency, and resistance to unauthorized modification of access permissions would enhance the reliability of YAN’s access control system.
As per claim 12, the combination of YAN and Benedetti discloses the communication apparatus according to claim 10, wherein the generating an access permission verification request based on the data access request comprises: generating the access permission verification request based on the data access request. ([ Benedetti, [69]” The executing of the smart contract may trigger a trusted modification(s) to a state of a digital blockchain ledger. The modification(s) to the blockchain ledger caused by the smart contract execution may be automatically replicated throughout the distributed network of blockchain peers through one or more consensus protocols in some embodiments.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to the access permission verification request based on a smart contract and the data access request as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating smart contract-based authorization logic deployed on a distributed ledger automates access approval, enforces authorization policies, and improves auditability and trustworthiness of access control decisions.
As per claim 13, the combination of YAN and Benedetti discloses the communication apparatus according to claim 10. YAN further discloses wherein when the instructions are executed by the processor, the communication apparatus is further caused to: receive a data update request sent from the client (YAN, [0029]: “In 310, an accessing request to the database system 200 is received from one member (referred to as “a first member”) among multiple members”). YAN further discloses update the data corresponding to the client (YAN, [0039]: “According to the implementation of the present disclosure, in 330 it may be judged based on the rule set 222 whether the first member has the right to execute the requested operation to a corresponding object. If it is confirmed the accessing request conforms to related regulations in the rule set 222, then the first member is allowed to execute the accessing request; otherwise, the first member may be rejected to execute the accessing request.” The Examiner interprets “allowed to execute the accessing request” in the context of a database access request as necessarily including retrieving and providing the requested corresponding data to the requesting member). YAN does not disclose generate an update permission verification request based on the data update request, and sending the update permission verification request to the distributed ledger node, wherein the update permission verification request is for verifying whether the client has data update permission, and the update permission verification request carries the identifier of the client and/or the identifier of the user; receive a first update permission verification response sent from the distributed ledger node, wherein the first update permission verification response indicates that the client has the data update permission.
However, Benedetti in the same field of endeavor discloses generate an update permission verification request based on the data update request, ([ Benedetti, (Abstract)” querying an authorization for accessing the resource from an access manager, and in response to the querying of the authorization, requesting an access control policy update to grant the access to the managed resource ”) and sending the update permission verification request to the distributed ledger node, ([ Benedetti, [claim1” generating a transaction record; and adding the transaction record to a distributed ledger, wherein the distributed ledger simultaneously maintains the transaction record at multiple nodes throughout the blockchain network, wherein requesting the access control policy update comprises executing a smart contract that processes transactions in the distributed ledger.” The Examiner interprets “adding the transaction record to a distributed ledger” as necessarily including transmitting the transaction record to at least one distributed ledger node for validation and smart contract execution, which constitutes sending the update permission verification request to the distributed ledger node.)wherein the update permission verification request is for verifying whether the client has data update permission,([ Benedetti, (4)”… requesting an access control policy update to grant the access to the managed resource. 
Receiving the request, querying the authorization, and requesting the access control policy”) and the update permission verification request carries the identifier of the client and/or the identifier of the user;([ Benedetti, (22)” A user seeking authorization to a managed asset in an IT system submits a request for access, typically providing a justification to the access management process orchestrator…The process orchestrator determines who is the owner of the managed asset and/or the IT system, and routes the request to it;”)receive a first update permission verification response sent from the distributed ledger node([ Benedetti, (28)]” transactions may be guaranteed to be accepted in the distributed ledger if and only if the network reached consensus that they are valid” ),wherein the first update permission verification response indicates that the client has the data update permission([ Benedetti, (28 ), (72)]” receiving an approval of the request for the access control policy update from the owner of the information system; and in response to the approval of the request for the access control policy update…(28) ” and “The proposal response 592 may then be sent back to the client 560, along with an endorsement signature, if approved.” (72)).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generating, by the data storage entity, an update permission verification request based on the data update request, and sending the update permission verification request to the distributed ledger node, wherein the update permission verification request is for verifying whether the client has data update permission, and the update permission verification request carries the identifier of the client and/or the identifier of the user; receiving, by the data storage entity, a first update permission verification response sent from the distributed ledger node, wherein the first update permission verification response indicates that the client has the data update permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because Benedetti teaches using a distributed ledger based access management governance orchestrator to validate and enforce authorization decisions in a tamper-resistant and auditable manner, thereby improving security, transparency, and resistance to unauthorized privilege escalation when managing access and update permissions.
Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over YAN et al. (US 2020/0057865A1) [hereinafter “YAN”] in view of Benedetti et al. (US12143395B2) [hereinafter “Benedetti”] as applied to claim 1, and in view of Hegde et al. (US 20210056082 A1) [hereinafter “Hegde”].
As per claim 2, the combination of YAN and Benedetti discloses the method according to claim 1. The combination does not disclose wherein the method further comprises: sending, by the data storage entity, a data return success message to the distributed ledger node, wherein the data return success message carries data access transaction information of the client. However, Hegde in the same field of endeavor discloses wherein the method further comprises: sending, by the data storage entity, a data return success message node ([ Hegde, [0053], [0059], [abstract]” In response to the PUT RESOURCE ID message a SUCCESS OR FAILURE message will be returned to storage system access point 320. If the UUID of the resource to be written is located by IAM module 330, either because it already existed or because it was newly created, the message will indicate SUCCESS” [0053], “Notification service 315 is, in at least one embodiment, a push notification service that receives notification messages from storage system access point 320, and provides those notifications to client 310. Notification service 315 can forward notifications received without substantive modification, so that the content of received notifications is maintained, even if the message is repackaged for transmission.”[0059], “In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.”) to the distributed ledger([ Hedge, [0048]-0049]” In some embodiments, a device functioning as a storage system storage point 340 is included in Blockchain network 350, for example as a peer…. 
Blockchain network 350, like other Blockchain networks is a decentralized, distributed network used to implement digital records of transactions across many computers, so that any involved record cannot be altered retroactively, without the alteration of all subsequent blocks. Blockchain network 350 includes peers and orderers, which can be implemented using devices and modules internal to a data storage system served by storage system access point 320, or some combination thereof. For example, in at least one embodiment, Blockchain network 350 includes external audit system 38 (FIG. 1), which in addition to its other functions operates as a peer or an orderer in Blockchain network 350, and storage system access point 320, which in addition to its other functions operates as a peer in Blockchain network 350”.
wherein the data return success message carries data access transaction information of the client (Hegde, [0039]: “In one or more embodiments, the record stored by the external audit system is a block having the following format:
{
Resource name: <Name of the compute or storage resource: e.g. A bucket or object in object storage>
Resource UUID: <Unique ID for the resource for the life of the resource>
Type of Access: <Granted access to the resource: E.g. Read or Write to a bucket or object in object storage>
Timestamp: <UTC time of request>
Username: <The user who was granted access>
Client Identifier: <UUID>
Client IP address: <Identifier for the address from where the request was received>
XYZ-Metadata: <Any user provided metadata in the request>
Hash of previous block: <Hash of the previous block in the Blockchain>
}”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generating, by the data storage entity, an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receiving, by the data storage entity, a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission as taught by Benedetti to further include sending, by the data storage entity, a data return success message to the distributed ledger node, wherein the data return success message carries data access transaction information of the client as suggested by Hegde. One of ordinary skill in the art would have been motivated to do so because incorporating immutable audit logging of client data access transactions within the distributed ledger improves integrity and traceability of access events.
As per claim 11, the combination of YAN and Benedetti discloses the communication apparatus according to claim 10. The combination does not disclose wherein when the instructions are executed by the processor, the communication apparatus is further caused to: send a data return success message to the distributed ledger node, wherein the data return success message carries data access transaction information of the client. However, Hegde in the same field of endeavor discloses wherein when the instructions are executed by the processor, the communication apparatus is further caused to: send a data return success message ([Hegde, [0053], [0059], [abstract]” In response to the PUT RESOURCE ID message a SUCCESS OR FAILURE message will be returned to storage system access point 320. If the UUID of the resource to be written is located by IAM module 330, either because it already existed or because it was newly created, the message will indicate SUCCESS” [0053], “Notification service 315 is, in at least one embodiment, a push notification service that receives notification messages from storage system access point 320, and provides those notifications to client 310. Notification service 315 can forward notifications received without substantive modification, so that the content of received notifications is maintained, even if the message is repackaged for transmission.”[0059], “In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.”) to the distributed ledger node, ([Hegde, [0048]-[0049]]” In some embodiments, a device functioning as a storage system storage point 340 is included in Blockchain network 350, for example as a peer…. 
Blockchain network 350, like other Blockchain networks is a decentralized, distributed network used to implement digital records of transactions across many computers, so that any involved record cannot be altered retroactively, without the alteration of all subsequent blocks. Blockchain network 350 includes peers and orderers, which can be implemented using devices and modules internal to a data storage system served by storage system access point 320, or some combination thereof. For example, in at least one embodiment, Blockchain network 350 includes external audit system 38 (FIG. 1), which in addition to its other functions operates as a peer or an orderer in Blockchain network 350, and storage system access point 320, which in addition to its other functions operates as a peer in Blockchain network 350”) wherein the data return success message carries data access transaction information of the client ([Hegde, [0039]” In one or more embodiments, the record stored by the external audit system is a block having the following format:
TABLE-US-00001
{
  Resource name: <Name of the compute or storage resource: e.g. A bucket or object in object storage>
  Resource UUID: <Unique ID for the resource for the life of the resource>
  Type of Access: <Granted access to the resource: E.g. Read or Write to a bucket or object in object storage>
  Timestamp: <UTC time of request>
  Username: <The user who was granted access>
  Client Identifier: <UUID>
  Client IP address: <Identifier for the address from where the request was received>
  XYZ-Metadata: <Any user provided metadata in the request>
  Hash of previous block: <Hash of the previous block in the Blockchain>
}”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify YAN to include generating, by the data storage entity, an access permission verification request based on the data access request, and sending the access permission verification request to a distributed ledger node, wherein the access permission verification request is for verifying whether the client has data access permission, and the access permission verification request carries an identifier of the client and/or an identifier of a user; receiving, by the data storage entity, a first access permission verification response sent from the distributed ledger node, wherein the first access permission verification response indicates that the client has the data access permission as taught by Benedetti to further include sending, by the data storage entity, a data return success message to the distributed ledger node, wherein the data return success message carries data access transaction information of the client as suggested by Hegde. One of ordinary skill in the art would have been motivated to do so because incorporating immutable audit logging of client data access transactions within the distributed ledger improves integrity and traceability of access events.
Claims 5, 7, 9, 14, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Collinson et al. (US 12107856B2) [hereinafter “Collinson”] in view of Benedetti et al. (US12143395B2) [hereinafter “Benedetti”].
As per claim 5, Collinson discloses a data management method, wherein the method comprises: receiving, by a distributed ledger node, an access permission verification request sent from a data storage entity, ([Collinson, (17)” By way of example, one or more of the computing systems associated with the centralized authority may receive, via a programmatic interface associated with the distributed smart contract, a request from a participant system to record additional interaction data onto the permissioned distributed ledger and additionally, or alternatively, to access elements of recorded interaction data associated with a customer or an asset.”) wherein the access permission verification request is for verifying whether a client has data access permission, ([Collinson,(18)]” the distributed smart contract may access and decrypt the centralized access permissions using the master cryptographic key, determine that a level or type of access requested by the participant system is consistent with a level or type of access specified within the decrypted centralized access permissions, and when the requested level or type of is consistent with that specified within the decrypted centralized access permissions, perform operations consistent with the received request”)and the access permission verification request carries an identifier of the client and/or an identifier of a user; verifying, by the distributed ledger node based on the identifier of the client and/or the identifier of the user and a distributed ledger, ([Collinson, (16)]” As described herein, these centralized access permissions may establish an ability of a participant within the insurance marketplace, or a particular type or class of participant within the insurance marketplace, to immutably record elements of interaction data onto the permissioned distributed ledger, or to query the permissioned distributed ledger to access and obtain selected elements of recorded interaction data consistent with a 
granted access permission”). Collinson does not explicitly disclose whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission. However, Benedetti in the same field of endeavor discloses whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; ([Benedetti, (5)” The peer node may be adapted to record a request access record from a user of an information system in a distributed ledger, record an owner approval record from the asset owner function, the owner approval record responsive to the request access record in the distributed ledger, execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”) and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission ([Benedetti, (72)-(74)” The proposal response 592 may then be sent back to the client 560, along with an endorsement signature, if approved …The transaction proposal, in turn, may be a request to invoke a chaincode function so that data can be read and/or written to the distributed ledger (i.e., write new key value 
pairs for the assets). The SDK may serve as a shim to package the transaction proposal into a properly architected format (e.g., protocol buffer over a remote procedure call (RPC)) and take the client's cryptographic credentials to produce a unique signature for the transaction proposal.”). The Examiner interprets the transaction proposal sent to the endorsing peer node as an access permission verification request because the chaincode executed by peer evaluates authorization conditions associated with ledger-stored access rules.
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating Benedetti’s distributed ledger authorization verification and response mechanism would have predictably improved the integrity, transparency, and auditability of access permission determinations in Collinson by leveraging peer-validated smart contract execution and cryptographically verifiable transaction responses.
As per claim 7, the combination of Collinson and Benedetti discloses the method according to claim 5. Collinson further discloses wherein the sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission comprises: sending, by the distributed ledger node, the first access permission verification response to the data storage entity ([Collinson, (79)]” Based on these determinations, comparison module 240 may generate confirmation data 242 indicative of the permission granted participant system 110 to record the payload 214 (e.g., that includes elements of interaction data 202 and 208) within an additional ledger block of permissioned distributed ledger 180. In other instances, not illustrated in FIG. 2B, if comparison module 240 were to establish that the default permissions specified within decrypted permissioning data 238 do not permit participant system 110 to record any elements of interaction data onto permissioned distributed ledger 280, or that one or more participant-specific permissions restrict a default recordation permission granted participant system 110, comparison module 240 may generate one or more additional elements of confirmation data indicate of the denial of permission for participant system 110 to record the payload 214 within the additional ledger block. In some instances, comparison module 240 may route confirmation data 242 back to executed initiation module 232.”). Collinson does not disclose generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission. 
However, Benedetti in the same field of endeavor discloses generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission ([ Benedetti, [24]” the access management governance orchestrator may advantageously include a distributed ledger (e.g., blockchain) that will disperse the authority and ensure full transparency on the operations by all the involved parties by simultaneously maintaining transaction records at multiple points throughout a network. In particular, some embodiments may provide an access management governance process for orchestrating how to request, approve, grant, revoke, validate, etc., changes to the authorization policies, including access management governance orchestrator interfaces each of the local IT system access control systems to request changes to the authorization policies.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission. However, Benedetti in the same field of endeavor discloses generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating smart contract based authorization logic deployed on a distributed ledger automates access approval, enforces authorization policies, and improves auditability and trustworthiness of access control decisions.
As per claim 9, the combination of Collinson and Benedetti discloses the method according to claim 5, wherein the method further comprises: receiving, by the distributed ledger node, an update permission verification request sent from the data storage entity ([Collinson, (68)]” CA system 152 (and each additional or alternate one of CA systems 150) may receive recordation request 216 through a corresponding programmatic interface, such as application programming interface (API) 228, and may route recordation request 216 to a verification module 230.”) wherein the update permission verification request is for verifying whether the client has data update permission, ([Collinson, (44)-(45)]”..permissioning data 164 that characterize an ability of the participant associated with each of the participant systems …recordation permissions granted to that corresponding participant class by the centralized authority”) and the update permission verification request carries the identifier of the client and/or the identifier of the user; ([Collinson, (7)]” In addition, executed distributed interaction module 206 may also perform operations that package, into corresponding portions of recordation request 216, participant data 224 that uniquely identifies participant system 110”) verifying, by the distributed ledger node based on the identifier of the client and/or the identifier of the user and the distributed ledger, whether the client has the data update permission, wherein the distributed ledger stores a data update policy of the client and/or a data update policy of the user; ([Collinson, (44)]” In some examples, each of CA systems 150, including CA system 152, may represent a node (or “peer” system) within a permissioned distributed-ledger network that establishes, maintains, and updates permissioned distributed ledger 180 using any of the consensus-based processes described herein.”) and sending a first update permission verification response to the data storage entity in response to the client has the data update permission, ([Collinson, (87)]” CA system 152 may perform additional operations that generate an updated permissioned distributed ledger 256 (e.g., a latest, longest version of the permissioned distributed ledger) by appending ledger block 252 to the ledger blocks of permissioned distributed ledger”) wherein the first update permission verification response indicates that the client has the data update permission. ([Collinson, (87)]” In certain aspects, CA system 152 may broadcast evidence of the calculated proof-of-work or proof-of-stake to other ones of CA systems 150 across network 120 (e.g., as consensus data 260”). Claim 9 is rejected under the same rationale as claim 5 above.
As per claim 14, Collinson discloses a communication apparatus, comprising a processor coupled to a memory storing instructions, which when executed by the processor, cause the communication apparatus to: receive an access permission verification request sent from a data storage entity, ([Collinson, (17)” By way of example, one or more of the computing systems associated with the centralized authority may receive, via a programmatic interface associated with the distributed smart contract, a request from a participant system to record additional interaction data onto the permissioned distributed ledger and additionally, or alternatively, to access elements of recorded interaction data associated with a customer or an asset.”) wherein the access permission verification request is for verifying whether a client has data access permission, ([Collinson,(18)]” the distributed smart contract may access and decrypt the centralized access permissions using the master cryptographic key, determine that a level or type of access requested by the participant system is consistent with a level or type of access specified within the decrypted centralized access permissions, and when the requested level or type of is consistent with that specified within the decrypted centralized access permissions, perform operations consistent with the received request”) and the access permission verification request carries an identifier of the client and/or an identifier of a user; verify based on the identifier of the client and/or the identifier of the user and a distributed ledger, ([Collinson, (16)]” As described herein, these centralized access permissions may establish an ability of a participant within the insurance marketplace, or a particular type or class of participant within the insurance marketplace, to immutably record elements of interaction data onto the permissioned distributed ledger, or to query the permissioned distributed ledger to access and obtain selected elements of 
recorded interaction data consistent with a granted access permission”). Collinson does not explicitly disclose whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and send a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission. However, Benedetti in the same field of endeavor discloses whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; ([Benedetti, (5)” The peer node may be adapted to record a request access record from a user of an information system in a distributed ledger, record an owner approval record from the asset owner function, the owner approval record responsive to the request access record in the distributed ledger, execute a smart contract responsive to the request access record and the owner approval record granting access on the information system, wherein the smart contract changes an authorization policy to allow access of the user to the information system, and record an execution record of the smart contract in the distributed ledger.”) and send a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission([Benedetti, (72)-(74)” The proposal response 592 may then be sent back to the client 560, along with an endorsement signature, if approved …The transaction proposal, in turn, may be a request to invoke a chaincode function so that data can be read and/or written to the distributed ledger (i.e., write new key value pairs for the assets). 
The SDK may serve as a shim to package the transaction proposal into a properly architected format (e.g., protocol buffer over a remote procedure call (RPC)) and take the client's cryptographic credentials to produce a unique signature for the transaction proposal.”). The Examiner interprets the transaction proposal sent to the endorsing peer node as an access permission verification request because the chaincode executed by peer evaluates authorization conditions associated with ledger-stored access rules.
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to further include whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and send a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating Benedetti’s distributed ledger authorization verification and response mechanism would have predictably improved the integrity, transparency, and auditability of access permission determinations in Collinson by leveraging peer-validated smart contract execution and cryptographically verifiable transaction responses.
As per claim 16, the combination of Collinson and Benedetti discloses the communication apparatus according to claim 14. Collinson further discloses sending the first access permission verification response to the data storage entity([Collinson, (79)]” Based on these determinations, comparison module 240 may generate confirmation data 242 indicative of the permission granted participant system 110 to record the payload 214 (e.g., that includes elements of interaction data 202 and 208) within an additional ledger block of permissioned distributed ledger 180. In other instances, not illustrated in FIG. 2B, if comparison module 240 were to establish that the default permissions specified within decrypted permissioning data 238 do not permit participant system 110 to record any elements of interaction data onto permissioned distributed ledger 280, or that one or more participant-specific permissions restrict a default recordation permission granted participant system 110, comparison module 240 may generate one or more additional elements of confirmation data indicate of the denial of permission for participant system 110 to record the payload 214 within the additional ledger block. In some instances, comparison module 240 may route confirmation data 242 back to executed initiation module 232.”). Collinson does not disclose generating the first access permission verification response based on a smart contract in response to the client has the data access permission; ([ Benedetti, [24]” the access management governance orchestrator may advantageously include a distributed ledger (e.g., blockchain) that will disperse the authority and ensure full transparency on the operations by all the involved parties by simultaneously maintaining transaction records at multiple points throughout a network. 
In particular, some embodiments may provide an access management governance process for orchestrating how to request, approve, grant, revoke, validate, etc., changes to the authorization policies, including access management governance orchestrator interfaces each of the local IT system access control systems to request changes to the authorization policies.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission. However, Benedetti in the same field of endeavor discloses generating, by the distributed ledger node, the first access permission verification response based on a smart contract in response to the client has the data access permission as suggested by Benedetti. One of ordinary skill in the art would have been motivated to do so because incorporating smart contract based authorization logic deployed on a distributed ledger automates access approval, enforces authorization policies, and improves auditability and trustworthiness of access control decisions.
As per claim 17, the combination of Collinson and Benedetti discloses the communication apparatus according to claim 14, wherein when the instructions are executed by the processor, the communication apparatus is further caused to: send a second access permission verification response to the data storage entity in response to the client does not have the data access permission, wherein the second access permission verification response indicates that the client does not have the data access permission. ([Collinson, [0050], [0011]” The atomic object storage write flow 300 begins with client 310 transmitting a PUT OBJECT message 312 to storage system access point 320. PUT OBJECT message 312 can include a user identifier, a client Internet Protocol address, a Bucket name (the name of a directory location containing data to be accessed), an Object name (the name of an Object to be accessed), or the like. If client 310 is blocked from communicating with storage system access point 320, a 403 FORBIDDEN error can be returned in response to the PUT OBJECT message 312” and ”the storage access point system attempts to execute the second access request, and in response to successfully accessing the second data, the storage access point transmits to an external audit system a second message indicating that information corresponding to the second access request is to be recorded by the external audit system. In response to determining that the second data has been successfully accessed, but that that the information corresponding to the second access request has not been recorded by the external audit system, notify the client device that the second access request failed. Note that even though the resource could be accessed, the operation fails because it could not be successfully recorded.”). Claim 17 is rejected under the same rationale as claim 14.
As per claim 18, the combination of Collinson and Benedetti discloses the communication apparatus according to claim 14, wherein when the instructions are executed by the processor, the communication apparatus is further caused to: receive an update permission verification request sent from the data storage entity, ([Collinson, (68)]” CA system 152 (and each additional or alternate one of CA systems 150) may receive recordation request 216 through a corresponding programmatic interface, such as application programming interface (API) 228, and may route recordation request 216 to a verification module 230.”) wherein the update permission verification request is for verifying whether the client has data update permission, ([Collinson, (44)-(45)]”..permissioning data 164 that characterize an ability of the participant associated with each of the participant systems …recordation permissions granted to that corresponding participant class by the centralized authority”) and the update permission verification request carries the identifier of the client and/or the identifier of the user; ([Collinson, (7)]” In addition, executed distributed interaction module 206 may also perform operations that package, into corresponding portions of recordation request 216, participant data 224 that uniquely identifies participant system 110”) verify based on the identifier of the client and/or the identifier of the user and the distributed ledger, whether the client has the data update permission, wherein the distributed ledger stores a data update policy of the client and/or a data update policy of the user; ([Collinson, (44)]” In some examples, each of CA systems 150, including CA system 152, may represent a node (or “peer” system) within a permissioned distributed-ledger network that establishes, maintains, and updates permissioned distributed ledger 180 using any of the consensus-based processes described herein.”) and send a first update permission verification response to the data storage entity in response to the client has the data update permission, ([Collinson, (87)]” CA system 152 may perform additional operations that generate an updated permissioned distributed ledger 256 (e.g., a latest, longest version of the permissioned distributed ledger) by appending ledger block 252 to the ledger blocks of permissioned distributed ledger”) wherein the first update permission verification response indicates that the client has the data update permission. ([Collinson, (87)]” In certain aspects, CA system 152 may broadcast evidence of the calculated proof-of-work or proof-of-stake to other ones of CA systems 150 across network 120 (e.g., as consensus data 260”). Claim 18 is rejected under the same rationale as claim 14.
Claims 6, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Collinson et al. (US 12107856B2) [hereinafter “Collinson”] in view of Benedetti et al. (US12143395B2) [hereinafter “Benedetti”] as applied to claims 5, 14 and in view of Hegde et al. (US 20210056082 A1) [hereinafter “Hegde”].
As per claim 6, the combination of Collinson and Benedetti discloses the method according to claim 5. The combination fails to disclose wherein the method further comprises: receiving, by the distributed ledger node, a data return success message sent by the data storage entity, wherein the data return success message carries data access transaction information of the client; and recording, by the distributed ledger node, the data access transaction information of the client in the distributed ledger. However, Hegde in the same field of endeavor discloses wherein the method further comprises: receiving, by the distributed ledger node, a data return success message sent by the data storage entity, ([Hegde, [0053], [0059], [abstract]” In response to the PUT RESOURCE ID message a SUCCESS OR FAILURE message will be returned to storage system access point 320. If the UUID of the resource to be written is located by IAM module 330, either because it already existed or because it was newly created, the message will indicate SUCCESS” [0053], “Notification service 315 is, in at least one embodiment, a push notification service that receives notification messages from storage system access point 320, and provides those notifications to client 310. Notification service 315 can forward notifications received without substantive modification, so that the content of received notifications is maintained, even if the message is repackaged for transmission.”[0059], “In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.”) wherein the data return success message carries data access transaction information of the client; ([Hegde, [0039]” In one or more embodiments, the record stored by the external audit system is a block having the following format:
TABLE-US-00001
{
  Resource name: <Name of the compute or storage resource: e.g. A bucket or object in object storage>
  Resource UUID: <Unique ID for the resource for the life of the resource>
  Type of Access: <Granted access to the resource: E.g. Read or Write to a bucket or object in object storage>
  Timestamp: <UTC time of request>
  Username: <The user who was granted access>
  Client Identifier: <UUID>
  Client IP address: <Identifier for the address from where the request was received>
  XYZ-Metadata: <Any user provided metadata in the request>
  Hash of previous block: <Hash of the previous block in the Blockchain>
}”).
and recording, by the distributed ledger node, the data access transaction information of the client in the distributed ledger ([Hegde, [0048]-[0049]]” In some embodiments, a device functioning as a storage system storage point 340 is included in Blockchain network 350, for example as a peer…. Blockchain network 350, like other Blockchain networks is a decentralized, distributed network used to implement digital records of transactions across many computers, so that any involved record cannot be altered retroactively, without the alteration of all subsequent blocks. Blockchain network 350 includes peers and orderers, which can be implemented using devices and modules internal to a data storage system served by storage system access point 320, or some combination thereof. For example, in at least one embodiment, Blockchain network 350 includes external audit system 38 (FIG. 1), which in addition to its other functions operates as a peer or an orderer in Blockchain network 350, and storage system access point 320, which in addition to its other functions operates as a peer in Blockchain network 350”.)
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti to further include receiving, by the distributed ledger node, a data return success message sent by the data storage entity, wherein the data return success message carries data access transaction information of the client; and recording, by the distributed ledger node, the data access transaction information of the client in the distributed ledger as taught by Hegde. One of ordinary skill in the art would have been motivated to do so because incorporating immutable audit logging of client data access transactions within the distributed ledger improves integrity and traceability of access events.
As per claim 8, the combination of Collinson and Benedetti discloses the method according to claim 5, wherein the method further comprises: sending, by the distributed ledger node, a second access permission verification response to the data storage entity in response to the client does not have the data access permission, wherein the second access permission verification response indicates that the client does not have the data access permission. ([Collinson, [0050], [0011]] “The atomic object storage write flow 300 begins with client 310 transmitting a PUT OBJECT message 312 to storage system access point 320. PUT OBJECT message 312 can include a user identifier, a client Internet Protocol address, a Bucket name (the name of a directory location containing data to be accessed), an Object name (the name of an Object to be accessed), or the like. If client 310 is blocked from communicating with storage system access point 320, a 403 FORBIDDEN error can be returned in response to the PUT OBJECT message 312” and “the storage access point system attempts to execute the second access request, and in response to successfully accessing the second data, the storage access point transmits to an external audit system a second message indicating that information corresponding to the second access request is to be recorded by the external audit system. In response to determining that the second data has been successfully accessed, but that that the information corresponding to the second access request has not been recorded by the external audit system, notify the client device that the second access request failed. Note that even though the resource could be accessed, the operation fails because it could not be successfully recorded.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti to further include sending, by the distributed ledger node, a second access permission verification response to the data storage entity in response to the client does not have the data access permission, wherein the second access permission verification response indicates that the client does not have the data access permission as taught by Hegde. One of ordinary skill in the art would have been motivated to do so because incorporating known authorization failure response mechanisms ensures reliable and explicit enforcement of access control policies and provides clear verification feedback when a client lacks the required permission, which is a predictable improvement in distributed access control systems.
As per claim 15, the combination of Collinson and Benedetti discloses the communication apparatus according to claim 14. The combination fails to disclose wherein when the instructions are executed by the processor, the communication apparatus is further caused to: receive a data return success message sent by the data storage entity, wherein the data return success message carries data access transaction information of the client; and record the data access transaction information of the client in the distributed ledger. However, Hegde in the same field of endeavor discloses receive a data return success message sent by the data storage entity, ([Hegde, [0053], [0059], [abstract]] “In response to the PUT RESOURCE ID message a SUCCESS OR FAILURE message will be returned to storage system access point 320. If the UUID of the resource to be written is located by IAM module 330, either because it already existed or because it was newly created, the message will indicate SUCCESS” [0053], “Notification service 315 is, in at least one embodiment, a push notification service that receives notification messages from storage system access point 320, and provides those notifications to client 310. Notification service 315 can forward notifications received without substantive modification, so that the content of received notifications is maintained, even if the message is repackaged for transmission.” [0059], “In response to that the first data has been successfully accessed, and that the information corresponding to the first access request has been successfully recorded by the external audit system, notifying the client device that the first access request has been successfully completed.”) wherein the data return success message carries data access transaction information of the client; ([Hegde, [0039]] “In one or more embodiments, the record stored by the external audit system is a block having the following format:
{
  Resource name: <Name of the compute or storage resource: e.g. A bucket or object in object storage>
  Resource UUID: <Unique ID for the resource for the life of the resource>
  Type of Access: <Granted access to the resource: E.g. Read or Write to a bucket or object in object storage>
  Timestamp: <UTC time of request>
  Username: <The user who was granted access>
  Client Identifier: <UUID>
  Client IP address: <Identifier for the address from where the request was received>
  XYZ-Metadata: <Any user provided metadata in the request>
  Hash of previous block: <Hash of the previous block in the Blockchain>
}”) and record the data access transaction information of the client in the distributed ledger ([Hegde, [0048]-[0049]] “In some embodiments, a device functioning as a storage system storage point 340 is included in Blockchain network 350, for example as a peer…. Blockchain network 350, like other Blockchain networks is a decentralized, distributed network used to implement digital records of transactions across many computers, so that any involved record cannot be altered retroactively, without the alteration of all subsequent blocks. Blockchain network 350 includes peers and orderers, which can be implemented using devices and modules internal to a data storage system served by storage system access point 320, or some combination thereof. For example, in at least one embodiment, Blockchain network 350 includes external audit system 38 (FIG. 1), which in addition to its other functions operates as a peer or an orderer in Blockchain network 350, and storage system access point 320, which in addition to its other functions operates as a peer in Blockchain network 350”.).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Collinson to include whether the client has the data access permission, wherein the distributed ledger stores a data access policy of the client and/or a data access policy of the user; and sending, by the distributed ledger node, a first access permission verification response to the data storage entity in response to the client has the data access permission, wherein the first access permission verification response indicates that the client has the data access permission as suggested by Benedetti to further include receiving, by the distributed ledger node, a data return success message sent by the data storage entity, wherein the data return success message carries data access transaction information of the client; and recording, by the distributed ledger node, the data access transaction information of the client in the distributed ledger as taught by Hegde. One of ordinary skill in the art would have been motivated to do so because incorporating immutable audit logging of client data access transactions within the distributed ledger improves integrity and traceability of access events.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
ZHIYUAN et al., (US 10917230) discloses managing sensitive data elements in a blockchain network.
PAN et al., (CN111522809A) discloses data processing method, system and equipment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Komi N. AMEVIGBE whose telephone number is (571)272-3381. The examiner can normally be reached Monday-Friday 2pm-10pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.N.A./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493