Ex Parte KOHL et al
Patent Trial and Appeal Board
Mar 19, 2018
13681533 (P.T.A.B. Mar. 19, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/681,533
FILING DATE: 11/20/2012
FIRST NAMED INVENTOR: JOHN T. KOHL
ATTORNEY DOCKET NO.: CAM920120060US2_8150-0300
CONFIRMATION NO.: 9156

73109 7590 03/21/2018
Cuenot, Forsythe & Kim, LLC
20283 State Road 7 Ste. 300
Boca Raton, FL 33498

EXAMINER: LEVITIAN, KARINA
ART UNIT / PAPER NUMBER
NOTIFICATION DATE: 03/21/2018
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ibmptomail@iplawpro.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte JOHN T. KOHL, MASABUMI KOINUMA, MARGARET MARYNOWSKI, HUICHUNG WU, and MARK S. ZUKOWSKY

Appeal 2016-001997
Application 13/681,533
Technology Center 2100

Before JAMESON LEE, THU A. DANG, and SCOTT E. BAIN, Administrative Patent Judges.

LEE, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 1-3, 7-10, and 15-17. Claims 4-6, and 18-20 have been objected to as depending from an unpatentable claim. Claims 1-10, and 15-20 are all claims pending in the application. Claims 11-14, and 21-24 were previously withdrawn. We have jurisdiction over the appeal pursuant to 35 U.S.C. § 6(b).

1 Appellants identify the real party in interest as IBM Corporation. App. Br. 1.

We reverse.
The Invention

The invention relates to sharing data among the users of different computing environments, such as by use of replicated data repositories. Spec. ¶ 1. An example of multiple computing environments in which data is shared corresponds to the various different geographical locations of a company or to one or more third party entities which work in cooperation with the company. Id. The Specification states: "In many cases, however, the users of each computing environment among which the replicated repositories are shared are different. The computing environments can be said to have different user identity spaces." Id. ¶ 2. The Specification defines "user identity space" as follows: "A 'user identity space' refers to a computing environment having a defined set of users and/or user groups." Id. ¶ 26. The definition is followed immediately by this sentence which provides additional clarification: "Two computing environments that have [the] same user identity space or that share [the] same user identity space have same users and same user groups." Id.

Specifically, the invention is directed to a method of managing access control lists (ACLs) across replicated data repositories. Id. ¶ 3. Regarding ACLs, the Specification describes: "A data repository typically utilizes structures referred to as Access Control Lists (ACLs) to restrict access to the various artifacts included therein. Each ACL determines which users or group of users are permitted to access the artifact to which the ACL is associated or bound within the data repository." Id. ¶ 2.

1 This Decision refers to Appellants' Appeal Brief ("App. Br.," filed April 28, 2015), the Examiner's Answer ("Ans.," mailed Sept. 25, 2015), Appellants' Reply Brief ("Reply Br.," filed November 24, 2015), and the Final Office Action ("Final Act.," mailed November 28, 2014).
The Specification describes: "Within ACLs, one or more user identities of the first user identity space of the data repository can be substituted with one or more user identities from the second user identity space when the data repository is replicated to the different computing environment." Id. ¶ 21.

Of all claims on appeal, claims 1 and 15 are the only independent claims. Claim 1 is representative and reproduced below:

    1. A system for managing access control lists (ACLs) across replicated data repositories, the system comprising:
    a processor programmed to initiate executable operations comprising:
    selecting, from a first data processing system, a controlled object and an ACL object bound to the controlled object, wherein the first data processing system is associated with a first user identity space;
    creating a replicated version of the controlled object within a second data processing system, associated with a second user identity space, wherein the second user identity space is different from the first user identity space;
    creating a replicated version of the ACL object within the second data processing system; and
    substituting, within the replicated version of the ACL object, an identity from the first user identity space with a selected identity from the second user identity space.

App. Br. 17 (emphasis added).

The Applied Prior Art

The prior art relied on in rejecting the claims on appeal is

Ducott: US Pub. App. 2013/0191338 A1, July 25, 2013

"Oracle": Oracle® Database PL/SQL Packages and Types Reference 11g Release 1 (11.1), WaybackMachine, accessed August 17, 2012, accessible at (http://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_networkacl_adm.htm)

"Oracle2": Oracle® XML DB Developer's Guide 10g Release 2 (10.2) B14259-02, August 2005 ("Oracle2")

The Rejections on Appeal

Claims 1-3 and 15-17 were finally rejected under 35 U.S.C. § 103(a) as unpatentable over Ducott and Oracle. Final Act. 3.
Claims 7-10 were finally rejected under 35 U.S.C. § 103(a) as unpatentable over Ducott, Oracle, and Oracle2. Id. at 5.

ANALYSIS

A. Rejection of Claims 1-3 and 15-17 as Obvious over Ducott and Oracle

In proceedings before the USPTO, claim terms are properly construed according to their broadest reasonable interpretation in light of the specification. In re Zietz, 893 F.2d 319, 321 (Fed. Cir. 1989); see also In re Bigio, 381 F.3d 1320, 1324 (Fed. Cir. 2004). The standard does not permit a claim to be construed so broadly that the position is no longer reasonable in light of the specification. That, however, is the circumstance here.

For reasons discussed below, the Examiner has not established a prima facie case that any one of claims 1-3 and 15-17 would have been obvious over Ducott and Oracle. The rejection of claims 1-3 and 15-17 under 35 U.S.C. § 103(a) as obvious over Ducott and Oracle, therefore cannot be sustained.

1. Claims 1 and 15

Different User Identity Spaces

Claims 1 and 15 each recite: "the first data processing system is associated with a first user identity space," "a second data processing system associated with a second user identity space," and "wherein the second user identity space is different from the first user identity space." App. Br. 17, 20. As noted above, the Specification defines "user identity space" as follows: "A 'user identity space' refers to a computing environment having a defined set of users and/or user groups." Spec. ¶ 26. The Specification further clarifies: "Two computing environments that have [the] same user identity space or that share [the] same user identity space have same users and same user groups." Id.

According to the Examiner, so long as a data processing system has "a set of users," even if not defined, it has a user identity space. Final Act. 2. We disagree. Such a reading of "user identity space" is excessively broad and not supported by the Specification.
Appellants persuasively argue that a "defined" set of users is not met by "any" set of users, due to the related limitations in the claim as discussed below. App. Br. 10.

The Examiner, in the Answer, explains that Ducott in Paragraph 30 describes that for certain data objects in a computing environment the associated access control list may specify that "everyone" can read it but only "supervisors" can write. Ans. 7-8. That, according to the Examiner, means each computing environment has its own defined set of users. Id. We disagree. The only defined user-group noted by the Examiner is "supervisors." To the extent the Examiner is relying on "supervisors" as the first user identity space and "everyone" as a second user identity space, that does not teach the claimed requirement that the "second user identity space" be associated with a "second data processing system." To the extent the Examiner is alleging that both data processing systems would have a "supervisors" user-group constituting a user identity space, that does not meet the claim requirement that the first and second user identity spaces associated with the first and second data processing systems, respectively, are different from each other.

The Examiner's understanding of "different" user identity space also is excessively broad and not supported by the Specification. First, the Examiner contends that Ducott in Paragraph 32 discloses that access control files themselves are data objects. Final Act. 2. There is no such disclosure in the cited paragraph of Ducott. Nevertheless, even assuming that there is such disclosure, the rest of the Examiner's reasoning lacks merit. The Examiner explains that given that the access control files are themselves data objects, and given that Ducott also teaches that the data objects between the two systems or sites may be different, Ducott teaches "multiple environments with individual access control objects." Id.
We agree with that assertion only to the extent that the same data object in the two systems may be associated with different access control lists specifying who may access the object. The Examiner then reasons: "The user groups of different sites taught by Ducatt [sic] have different users access permissions which make[] the different sites different identity spaces." Id. That reasoning is unpersuasive. As is correctly asserted by Appellants: "While the data objects between the sites of Ducatt [sic] may be different, this is not dispositive as to the limitations at issue since the user identity space is based upon a defined set of users and/or group [of users] - not data objects." App. Br. 10.

The Examiner's position characterizing the existence of different access control lists in the two data processing systems as indicating different user identity spaces for the two sites is unreasonable. Based on the definition for "user identity space" provided in the Specification, having different access control lists between the two sites, whether it is for one, two, or all data objects, does not answer the question of whether the two sites have the same user identity space. Under the Examiner's expansive view, two computing environments would have different user identity spaces unless the objects in them are the same and the access control lists associated with each and every object are the same.

We agree with Appellants that the definition provided in the Specification is based on a defined set of users or user groups, and not on objects. App. Br. 11. We further agree with Appellants that without a discussion of the users associated with each site, Ducott cannot be said to teach a second user identity space that is different from the first user identity space. Id. On the question of same or different user identity space, whether the two environments share or do not share objects or access control lists is non-determinative.
For instance, the defined sets of users for the two environments may be the same and yet the access control lists for numerous objects, shared or non-shared, may be different. Also, the access control lists may be the same in the two environments for the same data objects, but the two environments overall may not be associated with the same users.

The Examiner, in the Answer, evidently takes the position that a person who is associated with different access control authorities in different computing environments counts as two different users, and therefore two environments having different access control lists have different user identity spaces. Ans. 8. We disagree. As Appellants persuasively argue, "[w]hile the same user may be identified with different access control objects, this does not transform the same user into 'different users.'" Reply Br. 3. Further, "[c]hanging how a user is identified does not change the identity of the underlying user." Id.

We disagree with the suggestion by the Examiner that if a person is a user in both the first and second computing environment but has different access authority to data depending on whichever computing environment it is in, then the person represents two different users. Ans. 8. The Examiner states:

    The appellant argues that the difference [is] "in the defined users - not different access permissions" however based on the appellant's specifications at paragraph 24 the distinctions between different identities of users is based on data associated with the accounts which includes access permission data.

Ans. 8.
However, we have reviewed paragraph 24 of the Specification, which is reproduced below, and find nothing in that disclosure to suggest that the same person, when assigned different access authorities by two different computing environments, constitute two different users:

    A "user identity space" refers to a computing environment having a defined set of users and/or user groups. Two computing environments that have [the] same user identity space or that share [the] same user identity space have same users and same user groups. A "user" refers to a human being that operates or uses a particular data processing system. An "identity" of a user refers to data that uniquely identifies or distinguishes that user from one or more other users of the same user identity space. Similarly, an identity of a group of users refers to data that uniquely identifies or distinguishes that group from one or more other groups of the same user identity space. For example, an identity can be a user name or other unique identifier associated with a user and/or a group.

Spec. ¶ 26.

In summary, the Examiner has not established Ducott teaches "the second user identity space is different from the first user identity space," as recited in claim 1.

Replicating an ACL Object

Claim 1 recites, in pertinent part: "creating a replicated version of the ACL object within the second data processing system." App. Br. 17. Claim 15 recites, in pertinent part: "creating, using the processor, a replicated version of the ACL object within the second data processing system." Id. at 20.

According to the Examiner, Ducott in paragraphs 30 and 35 discloses this limitation. Final Act. 4. We find no such disclosure or even suggestion in those paragraphs. In plain and ordinary meaning, and consistent with the Appellants' Specification, replicate means to make a duplicate or a copy.
The cited paragraphs of Ducott do not convey to one with ordinary skill in the art that any access control list (ACL) in a first data processing system would be duplicated or copied in a second data processing system. To the extent that the Examiner is of the position that the creation of any ACL in the second data processing system counts as a duplicated version of the corresponding ACL in the first data processing system for the same object, that reflects an excessively broad reading of the above-quoted limitations. We determine that a replicated version of an item has to be a duplicate or copy of that item.

In summary, the Examiner has not established that Ducott discloses or suggests these limitations of claims 1 and 15.

Substituting an Identity within the Replicated ACL

Claim 1 recites, in pertinent part: "substituting, within the replicated version of the ACL object, an identity from the first user identity space with a selected identity from the second user identity space." App. Br. 17. Claim 15 recites, in pertinent part: "substituting, using the processor and within the replicated version of the ACL object, an identity from the first user identity space with a selected identity from the second user identity space." Id. at 20.

The Examiner takes several positions, first relying on Ducott and then relying on Oracle, to meet this substitution requirement. Final Act. 2-3. For reasons discussed below, the Examiner's assertions are unpersuasive.

First, the Examiner asserts that Ducott in paragraph 29 and 30 "describe substitution examples such [as] describe[ing] updating information within the ACL." Id. at 3. We find, however, no such disclosure or even suggestion in these paragraphs which indicate, at most, the creation of a different ACL. The "data change updates" referenced in paragraph 30 refer to received changes on the content of data objects, not new ACL information.
Second, the Examiner asserts: "Ducott teaches at paragraphs 31 and 32 updating aspects of the ACL related to specific sites. The limitation of substituting the identities is taught by the updated ACL information in specific sites." Final Act. 3. However, as is correctly noted by Appellants (App. Br. 13), the only "updates" described in these paragraphs are directed to data maintained at the second site and not to the access control list (ACL) with which that data is associated. Moreover, Appellants have claimed a specific manner of creating a second ACL, i.e., by substituting, within a replicated version of an ACL object, an identity from the first user identity space with a selected identity from the second user identity space. The mere creation of a different ACL in the second data processing system to be associated with a stored data object, in general, is not sufficient to meet the claim limitation regarding the required substitution.

The Examiner asserts: "Ducatt [sic] III at paragraph 31 teaches the concept of 'cross-ACL' which teaches having different identities of users between the sites." Ans. 9. But as discussed above, Ducott does not disclose two different user identity spaces. At most, "cross-ACL" indicates the ACL for a shared object between two sites may be different. The Examiner further asserts that because the ACL for the same data object may be different between two sites, that meets the claim limitation of "substituting, within the replicated version of the ACL object, an identity from the first user identity space with a selected identity from the second user identity space." For reasons discussed above, we disagree. Generally creating a different ACL does not meet the substitution limitation. The Examiner has failed to account for the specific requirements of the substitution claimed.

Third, the Examiner relies on Oracle as teaching the claimed substitution limitation. Final Act. 4.
Specifically, the Examiner states: "However the analogous art of Oracle teaches this technique of connect an ACL to a database (DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL)." Id. The Examiner further states: "Moreover Oracle further teaches 'DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL' updating a specific user's information which is substituting user access information." Id. at 3; Ans. 9. The assertion is not understood and insufficiently explained. We do not find anything in the functionality of the DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL procedure that indicates substitution, within the replicated version of the ACL object, an identity from the first user identity space with a selected identity from the second user identity space.

Oracle describes its ASSIGN_ACL_Procedure as follows: "This procedure assigns an access control list (ACL) to a host computer, domain, or IP subnet, and if specified, port range." Oracle 4. That does not indicate anything about substituting, within an already replicated ACL object, an identity from a first user identity space with a selected identity from the second user identity space. The Examiner also has not found that Oracle discloses a first data processing system associated with a first user identity space and a second data processing system associated with a second and different user identity space. Additionally, as discussed above, the mere creation of a different ACL in the second data processing system to be associated with a stored data object, in general, is not sufficient to meet the claim limitation regarding the required substitution.

2. Claims 2 and 3

Claims 2 and 3 each depend directly from independent claim 1. The deficiencies of the rejection as applied to claim 1 carry through to dependent claims 2 and 3. Accordingly, the rejection of claims 2 and 3 as obvious over Ducott and Oracle cannot be sustained.

B. Rejection of Claims 7-10 as Obvious over Ducott, Oracle, and Oracle2

Each of claims 7-10 depends directly from independent claim 1. They each recite additional limitations relative to those incorporated from claim 1. The deficiencies of the combined teachings of Ducott and Oracle, with respect to claim 1, have been discussed above. As applied by the Examiner, Oracle2 does not make up for those deficiencies. Accordingly, the rejection of claims 7-10 as obvious over Ducott, Oracle, and Oracle2 cannot be sustained.

DECISION

The rejection of claims 1-3 and 15-17 as obvious over Ducott and Oracle is reversed.

The rejection of claims 7-10 as obvious over Ducott, Oracle, and Oracle 2 is reversed.

REVERSED