Ex Parte Chan - Page 8

                Appeal 2007-0153                                                                              
                Application 09/792,918                                                                        

                process (col. 2, ll. 49-58).  In particular, Wood describes session credentials               
                as evidence of prior authentication which may also include creation time and                  
                expiration time for improving resistance to replay attacks (col. 20, ll. 11-20).
                We further find that Wood uses these information components in a
                single sign-on for sessions that include accesses to further plural information               
                resources having differing security requirements (col. 3, ll. 49-57).                         
                      Therefore, although Pachauri may presume authorized access by the                       
                user, one of ordinary skill in the art would have combined Wood’s process                     
                for including timing and identification information in the access information                 
                with the database security management system of Pachauri in order to block                    
                attacks on the information resources the user may access after                                
                authentication.                                                                               
                      Turning now to the rejection of claim 42 under 35 U.S.C. § 103,                         
                Appellant argues that even if Pachauri and Lewis could be combined, the                       
                default permissions of Lewis cannot be read to teach “identifying a policy                    
                domain” or “searching for a policy” (Br. 10-12).  Lewis gives default                         
                permission to a subject that creates a resource instance (col. 14, ll. 15-18).                
                However, Lewis uses the term “permission” differently from its normal
                meaning such that permissions are not used to represent resource                              
                authorization, but rather to protect the authorization files themselves (col.                 
                13, ll. 16-18).  Based on the teachings of Lewis and absent any convincing                    
                argument by the Examiner as to why the default permissions of Lewis for                       
                modifying a resource instance are the same as identifying a policy domain and
                searching for a policy, we agree with Appellant’s position that the Examiner                  
                erred in rejecting claim 42.                                                                  



Last modified: September 9, 2013