Ex Parte Chan, Board of Patent Appeals and Interferences, Application 09/792,918 (B.P.A.I. Jul. 31, 2007)

The opinion in support of the decision being entered today is not binding precedent of the Board.

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________
Ex parte CHRISTINE WAI HAN CHAN
____________
Appeal 2007-0153
Application 09/792,918
Technology Center 2100
____________
Decided: July 31, 2007
____________
Before JOSEPH F. RUGGIERO, LANCE LEONARD BARRY, and MAHSHID D. SAADAT, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

STATEMENT OF THE CASE

This is a decision on appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1-5, 7-15, 17-32, and 35-42. Claims 6, 16, 33, and 34 have been canceled. We have jurisdiction under 35 U.S.C. § 6(b).

Appellant’s invention generally relates to protecting resources available on a network and, more specifically, to assessing coverage of access control criteria in an access management system by determining access results without granting access to the resource (Specification 4). The determination is made based on receiving the access information and testing whether the identified resources are authorized for use based on the access information (Specification 5). An understanding of the invention can be derived from a reading of exemplary independent claim 1, which is reproduced as follows:

1. A method for testing access to a resource available on a network, comprising the steps of:
receiving access information;
testing whether access to said resource is authorized based on said access information without granting authorization to said resource, said testing includes accessing an authorization rule for said resource and accessing an identity profile for a first user to determine whether at least a portion of said authorization rule is satisfied based on information in said identity profile, said authorization rule is not part of said identity profile; and
reporting whether access to said resource is authorized based on said step of testing.

The Examiner relies on the following prior art references:
Pachauri US 6,005,571 Dec. 21, 1999
Lewis US 6,233,576 B1 May 15, 2001 (§ 102(e) date Nov. 14, 1997)
Bienvenu US 6,526,438 B1 Feb. 25, 2003 (filed Jul. 12, 1999)
Wood US 6,691,232 B1 Feb. 10, 2004 (filed Aug. 5, 1999)

The rejections as presented by the Examiner are as follows:
1. Claims 1, 2, 5, 11, 13-15, 17-20, 24, 25, 27, 28, 30-32, 35, 37, 38, 40, and 41 stand rejected under 35 U.S.C. § 102(e) as being anticipated by Pachauri.
2. Claim 4 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over Pachauri and Bienvenu.
3. Claims 3, 7-10, 12, 21, 26, 29, 36, and 39 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Pachauri and Wood.
4. Claims 22, 23, and 42 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Pachauri and Lewis.

Rather than reiterate the opposing arguments, reference is made to the Briefs and the Answer for the respective positions of Appellant and the Examiner. We affirm-in-part.

ISSUES

The issues on appeal are whether the Examiner makes a prima facie case for the rejections under 35 U.S.C. § 102(e) and 35 U.S.C. § 103(a).
The Examiner characterizes the “test security” function 240 in Figure 2 of Pachauri as the claimed “testing whether access to said resource is authorized” (Answer 3) and argues that testing for the actions a user is authorized to do is the same as testing for access authorization (Answer 9-10). Appellant contends that the testing performed in Pachauri only determines whether a user can perform certain actions instead of testing access to a resource, which means that the security module presumes access without testing for it (Br. 5).

The issues turn on whether a preponderance of the evidence shows that Pachauri anticipates Appellant’s claimed invention by disclosing the step of “testing whether access to said resource is authorized based on said access information without granting authorization to said resource.”

FINDINGS OF FACT

Pachauri relates to managing security of a database by limiting users to performing the actions on the database that are dictated by the defined task groups to which the user is assigned (Abstract; col. 2, ll. 24-38). Pachauri further discloses that the system for managing the security of the database uses a test security module 240 to ensure that a database user can perform actions that are included in the user’s security profile (Figure 2; col. 5, ll. 34-40). Pachauri describes “task groups” as specific business activities that include certain actions (col. 7, ll. 61-64). Pachauri further describes an “action” as a function that can be performed on a database, or even limited to functions performed on a particular type of data (col. 10, ll. 49-52).

PRINCIPLES OF LAW

A rejection for anticipation requires that the four corners of a single prior art document describe every element of the claimed invention, either expressly or inherently, such that a person of ordinary skill in the art could practice the invention without undue experimentation. See Atlas Powder Co. v. IRECO, Inc., 190 F.3d 1342, 1347, 51 USPQ2d 1943, 1947 (Fed. Cir. 1999); In re Paulsen, 30 F.3d 1475, 1478-79, 31 USPQ2d 1671, 1673 (Fed. Cir. 1994).

The test for obviousness is what the combined teachings of the references would have suggested to one of ordinary skill in the art. See KSR Int’l v. Teleflex, Inc., 127 S. Ct. 1727, 1740, 82 USPQ2d 1385, 1396 (2007); In re Kahn, 441 F.3d 977, 987-988, 78 USPQ2d 1329, 1336 (Fed. Cir. 2006); In re Young, 927 F.2d 588, 591, 18 USPQ2d 1089, 1091 (Fed. Cir. 1991); and In re Keller, 642 F.2d 413, 425, 208 USPQ 871, 881 (CCPA 1981). Moreover, in evaluating such references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826, 159 USPQ 342, 344 (CCPA 1968).

ANALYSIS

1. 35 U.S.C. § 102 rejection of claims

Appellant correctly points out that the test security module 240 in Pachauri only tests for the actions a user is authorized to perform on the database secured by the database security managing system (Br. 5). While some kind of authorization may be granted for the user access, Pachauri does not disclose any teachings that indicate testing for the actions the user is authorized to perform is done without granting authorization to the database system. Therefore, we agree with Appellant (Reply Br. 3-4) that the testing done by Pachauri takes place after authorized access is checked or presumed. In fact, the reference includes no information that the testing is performed without granting authorization to said resource, as recited in claim 1.

With respect to claim 24, we also agree with Appellant (Br. 7; Reply Br. 4-5) that the portions of Pachauri relied on by the Examiner contain no teachings related to identifying a policy domain to which the resource belongs and determining authorization based on rules associated with the policy domain. The Examiner responds by stating that “policy domain” is not materially different from “authorization rule set” since Appellant has not defined what “policy domain” is (Answer 10). As pointed out by Appellant (id.), the recited policy domain is defined (Specification ¶ [102]) as “a logical grouping of Web Server host ID’s, host names, URL prefixes, and rules.” We are persuaded by Appellant’s arguments and find that the Examiner offers inadequate support for the contention that the claimed limitations related to the policy domain and its association with the resources are taught by Pachauri.

Turning now to claim 35, we note that the claim merely requires testing whether access to a resource is authorized based on some received access information. The claim, however, neither specifies any rules or policies for determining authorization nor requires such determination without granting authorization, as recited in claims 1 and 24. While an access management system and an identity management system included in the access system are recited, their functions in the testing step are not recited. Additionally, we agree with the Examiner (Answer 11) that the claimed access management system and identity management system read on the design security profile module 210 and implement security profile module 220 of Pachauri. These modules are used for designing a security profile for the user and for implementing a security profile in the database system (col. 5, ll. 22-29).
Based on the teachings of Pachauri outlined supra, we are persuaded by Appellant’s argument that the method of managing security in a database system of Pachauri is not the same as the claimed authorization testing without granting authorization, or based on rules and policies in a policy domain, as recited in claims 1 and 24. However, we reach the opposite conclusion with respect to the authorization testing of claim 35.

2. 35 U.S.C. § 103 rejection of claims

The 35 U.S.C. § 103 rejection of claims 3, 4, 7-10, 12, 21-23, 26, and 29 over Pachauri in various combinations with Bienvenu, Wood, and Lewis cannot be sustained, as we find no teachings in these references that overcome the deficiencies of Pachauri discussed above with respect to their base claims 1 and 24.

With respect to the rejection of claims 36 and 39 under 35 U.S.C. § 103 over Pachauri and Wood, Appellant argues that combining Wood with Pachauri would provide no benefit to Pachauri, which assumes that the user is authorized to access the database and merely controls which tasks the user can perform (Br. 10). We agree with the Examiner (Answer 7) that, within the environment of the database security management system of Pachauri, using the access information of Wood would improve security by recognizing potential attacks. Wood provides for including temporal, locational, connection-type, and/or client-capability-related information to affect the authentication process (col. 2, ll. 49-58). In particular, Wood describes session credentials as evidence of prior authentication, which may also include a creation time and an expiration time for improving resistance to replay attacks (col. 20, ll. 11-20). We further find that Wood uses these information components in a single sign-on for sessions that include accesses to further plural information resources having differing security requirements (col. 3, ll. 49-57).
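The passage above attributes to Wood a session credential that records its creation and expiration time so that a stale or replayed credential can be rejected. As an added illustration of that idea (not Wood’s mechanism, nor code from the decision), the Python below issues a credential carrying `iat`/`exp` timestamps under an HMAC tag and verifies freshness and integrity before accepting it; the key, field names and clock values are constructed for the example.

```python
"""Added example, not from Wood, Pachauri or the decision: a session credential
that carries its creation time (iat) and expiration time (exp) under an HMAC
tag, so a verifier rejects credentials that are altered, not yet valid or
expired. The key, field names and clock values are constructed."""
import base64
import hashlib
import hmac
import json

def issue_credential(key: bytes, subject: str, now: int, lifetime: int) -> str:
    """Return 'payload.tag' for the subject, valid from now for lifetime seconds."""
    body = {"sub": subject, "iat": now, "exp": now + lifetime}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_credential(key: bytes, credential: str, now: int):
    """Return (ok, reason, body). The tag is checked before anything is parsed,
    and the time window is checked against the caller-supplied clock."""
    try:
        payload, tag = credential.split(".", 1)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag", None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if now < body["iat"]:
        return False, "not yet valid", body
    if now >= body["exp"]:
        return False, "expired", body
    return True, "ok", body

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; never hard-code a real key
    cred = issue_credential(key, "alice", now=1000, lifetime=300)
    for clock in (900, 1100, 1300):
        print(clock, verify_credential(key, cred, clock)[:2])
```

Checking the tag before decoding keeps malformed or forged payloads from reaching the JSON parser, and passing the clock in explicitly makes the expiry logic testable without touching the system time.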
Therefore, although Pachauri may presume authorized access by the user, one of ordinary skill in the art would have combined Wood’s process for including timing and identification information in the access information with the database security management system of Pachauri in order to block attacks on the information resources the user may access after authentication.

Turning now to the rejection of claim 42 under 35 U.S.C. § 103, Appellant argues that even if Pachauri and Lewis could be combined, the default permissions of Lewis cannot be read to teach “identifying a policy domain” or “searching for a policy” (Br. 10-12). Lewis gives default permission to a subject that creates a resource instance (col. 14, ll. 15-18). However, Lewis uses the term “permission” differently from its normal meaning, such that permissions are not used to represent resource authorization but rather to protect the authorization files themselves (col. 13, ll. 16-18). Based on the teachings of Lewis, and absent any convincing argument by the Examiner as to why the default permissions of Lewis for modifying a resource instance are the same as identifying a policy domain and searching for a policy, we agree with Appellant’s position that the Examiner erred in rejecting claim 42.

CONCLUSION

On the record before us, we find that the Examiner fails to make a prima facie case that Pachauri anticipates claims 1 and 24, and thus the 35 U.S.C. § 102 rejection of claims 1, 2, 5, 11, 13-15, 17-20, 24, 25, 27, 28, and 30-32 cannot be sustained. The 35 U.S.C. § 102 rejection of claims 35, 37, 38, 40, and 41 over Pachauri is sustained. We also sustain the 35 U.S.C. § 103 rejection of claims 36 and 39 over Pachauri, but will not sustain the 35 U.S.C. § 103 rejection of claim 4 over Pachauri and Bienvenu, of claims 3, 7-10, 12, 21, 26, and 29 over Pachauri and Wood, and of claims 22, 23, and 42 over Pachauri and Lewis.
DECISION

The decision of the Examiner rejecting claims 1, 2, 5, 11, 13-15, 17-20, 24, 25, 27, 28, and 30-32 under 35 U.S.C. § 102 and rejecting claims 3, 4, 7-10, 12, 21-23, 26, 29, and 42 under 35 U.S.C. § 103 is reversed. The rejection of claims 35, 37, 38, 40, and 41 under 35 U.S.C. § 102 and of claims 36 and 39 under 35 U.S.C. § 103 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART

rwk

TOWNSEND AND TOWNSEND AND CREW LLP
TWO EMBARCADERO CENTER
8TH FLOOR
SAN FRANCISCO CA 94111-3834