Prosecution Insights
Last updated: July 17, 2026
Application No. 18/926,286

Systems and Methods for Managing Access Credential Requests

Final Rejection §103
Filed
Oct 24, 2024
Priority
Aug 25, 2021 — NE PCT/NZ2021/050150 +1 more
Examiner
JOO, JOSHUA
Art Unit
2445
Tech Center
2400 — Computer Networks
Assignee
Xero Limited
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
1y 4m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
774 granted / 988 resolved
+20.3% vs TC avg
Strong +23% interview lift
Without
With
+23.4%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
32 currently pending
Career history
1013
Total Applications
across all art units

Statute-Specific Performance

§101
3.4%
-36.6% vs TC avg
§103
70.3%
+30.3% vs TC avg
§102
3.0%
-37.0% vs TC avg
§112
20.6%
-19.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 988 resolved cases

Office Action

§103
Detailed Action The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This Office action is in response to Applicant’s amendment filed on April 6, 2026. Claims 1-20 are pending in the application. Response to Arguments/Remarks Claim Rejections - 35 USC § 103 Claim 1, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. US Patent Publication No. 2013/0174234 (“Yang”) in view of Magen et al. US Patent Publication No. 2023/0089407 (“Magen”). Applicant submitted that the described request does not comprise “one or more modified access credentials as claimed,” and that at paragraph [0070], Yang describes that a record is obtained that includes the credentials to change. Applicant submitted that the modified access credential values are not part of the request, but are retrieved later from a stored record. In response, the examiner respectfully disagrees that Yang does not teach the limitation. Paragraph [0070] of Yang describes obtaining the record comprising the prior credentials, i.e., first credentials, to change the prior credentials to the updated credentials. It does not refer to obtaining the updated credentials from the record. Paragraph [0071] further states, “the record is updated such that the first credentials in the record are updated to the second credentials.” (emphasis noted) Yang discloses a system for synchronizing credentials between first and second systems. Yang, on paragraph [0041], discloses the second system receiving changed credentials for sending second credentials to the second system. Applicant submitted that Yang does not describe modified access credential values being added to a log of previous access credential values. The “record” described in Yang is not any sort of an event log, but merely stores the current credentials. In response, the claims do not define the event log. The claims do not specify that the event log is a log of previous access credential values and that the new credentials are added to the log of previous credentials such that the log comprises both new and previous credentials. Yang discloses a record comprising credentials, wherein the previous credentials, i.e., “first credentials” in the record is updated to the changed credentials. While Yang uses the term “updated,” the changed credentials, “second credentials,” are still added to the record such that the record comprises the changed credentials. Therefore, Yang teaches “appending” the credentials to the record. Applicant submitted that without the benefit of hindsight, a skilled person reading Yang would think that such a modification would be a waste of storage and computing resources, and would instead continue to implement a system where the old credentials are simply replaced with the new credentials value as described in Yang. In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Firstly, Yang, on paragraph [0037], discloses using records that includes more than just credentials. Secondly, Magen’s disclosure of maintaining and adding to a log of events would have provided advantages such as verification and guarantee of updates performed on a system, visibility for attestation, auditing, and analysis of events, etc. (see at least paragraphs [0034]-[0037]). As such, Magen’s disclosure of maintaining logs of events would have provided advantages over the storage of additional data. Claim Rejections - 35 USC § 103 The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action. Claim 1, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. US Patent Publication No. 2013/0174234 (“Yang”) in view of Magen et al. US Patent Publication No. 2023/0089407 (“Magen”). Regarding claim 1, Yang teaches a computer-implemented method comprising: receiving, from an authorisation server, an access credentials modification request to modify one or more access credentials associated with a user, the access credentials modification request comprising one or more modified access credentials values (para. [0032] first system 210 may be responsible for authenticating and authorizing users. para. [0069] second system 211 may receive a request to update credentials for an entity that is mapped to the second system); appending the one or more modified access credentials values as one or more access credentials values to a first event log (para. [0070] credentials manager 223 may find a record that matches an identifier sent by the proxy 224. para. [0071] record is updated such that the first credentials in the record are updated to the second credentials. after the credentials manager 223 finds the record, it may update the credentials as requested). While Yang discloses appending the access credentials to the first event log, Yang does not teach creating a first event object comprising the one or more modified access credentials values as one or more access credentials values and appending the first event object to a first event log. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure of creating and appending an object, i.e., entry, to a log such that that the credentials of Yang are comprised in an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained a history of entries of events with additional data such as time. Regarding claim 19, Yang teaches a system comprising: one or more processors; and memory comprising computer executable instructions, which when executed by the one or more processors, cause the system to perform operations including: receiving, from an authorisation server, an access credentials modification request to modify one or more access credentials associated with a user, the access credentials modification request comprising one or more modified access credentials values (para. [0032] first system 210 may be responsible for authenticating and authorizing users. para. [0069] second system 211 may receive a request to update credentials for an entity that is mapped to the second system); appending the one or more modified access credentials values as one or more access credentials values to a first event log (para. [0070] credentials manager 223 may find a record that matches an identifier sent by the proxy 224. para. [0071] record is updated such that the first credentials in the record are updated to the second credentials. after the credentials manager 223 finds the record, it may update the credentials as requested). While Yang discloses appending the access credentials to the first event log, Yang does not teach creating a first event object comprising the one or more modified access credentials values as one or more access credentials values and appending the first event object to a first event log. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure creating and appending an object to a log such that that the credentials of Yang are comprised in an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained entries of events with additional data such as time. Regarding claim 20, Yang teaches a non-transient computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform operations including: receiving, from an authorisation server, an access credentials modification request to modify one or more access credentials associated with a user, the access credentials modification request comprising one or more modified access credentials values (para. [0032] first system 210 may be responsible for authenticating and authorizing users. para. [0069] second system 211 may receive a request to update credentials for an entity that is mapped to the second system); appending the one or more modified access credentials values as one or more access credentials values to a first event log (para. [0070] credentials manager 223 may find a record that matches an identifier sent by the proxy 224. para. [0071] record is updated such that the first credentials in the record are updated to the second credentials. after the credentials manager 223 finds the record, it may update the credentials as requested). While Yang discloses appending the access credentials to the first event log, Yang does not teach creating a first event object comprising the one or more modified access credentials values as one or more access credentials values and appending the first event object to a first event log. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure creating and appending an object to a log such that that the credentials of Yang are comprised in an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained entries of events with additional data such as time. Claim 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Magen and Rouland et al. US Patent Publication No. 2025/0244997 (“Rouland”). Regarding claim 5, Yang does not teach the method of claim 1, further comprising: responsive to receiving a failure notification indicative of a failed attempt to modify the one or more access credential values: creating a third event object indicative of the failed attempt; and appending the third event object to a second event log associated with the user. Rouland discloses responsive to receiving a failure notification indicative of a failed attempt to modify one or more access credential values: creating a third event object indicative of the failed attempt (para. [0104] management system 103 stores the record of failure to change credentials). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang and Magen with Rouland’s disclosure. One of ordinary skill in the art would have been motivated to do so in order to have maintained records of different types of events. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure creating and appending an object to a log such that the object as disclosed by Rouland is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly maintained a history of entries of events with additional data Regarding claim 6, Yang does not teach the method of claim 5, wherein the second event log is the first event log. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure creating and appending an object to a log such the failed attempt to modify the one or more access credential values as disclosed by Rouland is logged as an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained entries of events. Claim 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Magen and Fan et al. US Patent Publication No. 2017/0155641 (“Fan”). Regarding claim 13, Yang does not teach the method of claim 1, further comprising: receiving, from the authorisation server, an access credentials read request associated with a user, the access credentials read request comprising one or more access credential identifiers; traversing the first event log associated with the user to determine one or more access credential values for the respective access credential identifiers in the first event log; transmitting, to the authorisation server, the one or more access credential values; creating a second event object for recording an occurrence of the access credentials read request; and appending the second event object to a second event log. Fan discloses receiving, from a server, an access credentials read request associated with a user, the access credentials read request comprising one or more access credential identifiers; traversing the first event log associated with the user to determine one or more access credential values for the respective access credential identifiers in the first event log; transmitting, to the server, the one or more access credential values (para. [0074] device service management system 306 includes a credential return engine 314, a credential datastore credential return engine 314 functions to return user credentials to the credential retrieval engine 308. credential return engine 314 can return user credentials stored in the credential datastore 316 to the credential retrieval engine 308 based on a user credential query message received from the credential retrieval engine 308). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Fan’s disclosure. One of ordinary skill in the art would have been motivated to do so in order to have provided capability to determine and retrieve stored access credentials. Magen discloses creating a second event object; and appending the second event object to a second event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure of creating and appending an object to a log such that that the event disclosed by Fan, access credential read request, is comprised in an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained entries of events with additional data. Regarding claim 14, Yang does not teach the method of claim 13, wherein the second event log is the first event log. Magen discloses creating a first event object and appending the first event object to a first event log (para. [0064] generate an entry including an event identifier…, a recorded time, a received time, and event data included in the received message. control adds the entry to an event logging database). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang with Magen’s disclosure creating and appending an object to a log such the failed attempt to modify the one or more access credential values as disclosed by Rouland is logged as an object that is added to the log. One of ordinary skill in the art would have been motivated to do so in order to have similarly logged events including maintained entries of events with additional data such as time. Allowable Subject Matter Claims 2-4, 7-12, 15-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Joshua Joo whose telephone number is (571)272-3966. The examiner can normally be reached Monday-Friday 7am-3pm. Examiner interviews are available via telephone, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached at 571-270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JOSHUA JOO/Primary Examiner, Art Unit 2445
Read full office action

Prosecution Timeline

Oct 24, 2024
Application Filed
Dec 17, 2024
Response after Non-Final Action
Jan 16, 2026
Non-Final Rejection mailed — §103
Apr 06, 2026
Response Filed
Jun 02, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683944
CONNECTOR DEPLOYMENT WITHIN A CONNECTIVITY FRAMEWORK
1y 12m to grant Granted Jul 14, 2026
Patent 12683902
HARDWARE DEVICE FOR AUTOMATIC DETECTION AND DEPLOYMENT OF QOS POLICIES
1y 10m to grant Granted Jul 14, 2026
Patent 12675593
UNIVERSAL DATA TRANSMISSION TO MULTIPLE CLOUD STORAGE PLATFORMS
2y 7m to grant Granted Jul 07, 2026
Patent 12676859
ESTABLISHMENT OF TRUST FOR DISCONNECTED EDGE-BASED DEPLOYMENTS
1y 11m to grant Granted Jul 07, 2026
Patent 12675572
Behavioral Threat Detection Definition And Compilation
1y 10m to grant Granted Jul 07, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+23.4%)
3y 1m (~1y 4m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 988 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month