ARTICLE
29 August 2025

Hybrid Approach Of Delegating Access Decision Evaluation For Building Automation And Control: Technical

Bardehle Pagenberg

BARDEHLE PAGENBERG combines the expertise of attorneys-at-law and patent attorneys. As one of the largest IP firms in Europe, BARDEHLE PAGENBERG advises in all fields of Intellectual Property, including all procedures before the patent and trademark offices as well as litigation before the courts through all instances.

The patent relates to delegating access decision evaluation for building automation. The Board considered that sending a specific access policy was insufficient for technical effect, and a device-specific access policy using context attributes as variables lacks technical character, since the policy itself need not be based on technical considerations. However, the Board acknowledged that the hybrid approach of delegating the access control decision to the accessed device was technical. Thus, certain claims were considered inventive compared to the others.

Here are the practical takeaways from the decision: T 0588/22 (Access decision evaluation for building automation and control systems/SIGNIFY HOLDING) of May 28, 2025 of the Technical Board of Appeal 3.5.06

Key takeaways

  • Sending the decision and the device specific access policy to the accessed device is a necessary but insufficient condition for the presence of a technical effect in the central decision evaluation apparatus, since the criteria in a policy need not be technical.
  • The derivation of a device-specific access policy and the taking of a decision based on it can be non-technical steps which are thus unable to lend inventive step to the claim. For instance, sending the derived policy together with the decision could merely serve the non-technical purpose of informing the accessed device about the reasons for the decision taken.
  • The hybrid approach, i.e. delegating the access control decisions to the accessed devices, has a clear advantage in a building automation and control system and was held to be technical.
  • The restriction of the device-specific access policy to only the relevant rules valid for the accessed device seems to be a usual matter for the skilled person of conserving memory space and network bandwidth and, given that the policy need not be technical, the additional feature lacks technical character and is thus unable to contribute to inventive step.
  • The derivation of the device-specific access policy using context attributes as variables lacks technical character, since the policy itself need not be based on technical considerations.

The invention

The Board defined the invention as follows:

4.2 The invention relates to a building automation and control system (BACS) comprising access decision evaluation, i.e. deciding whether a certain device should be allowed to communicate with or otherwise interact with another device in the system; see page 1, lines 9 to 20, and page 3, lines 21 to 29.

4.3 The invention is aimed at improving the information security of such systems, in particular access control in the sense of authentication (who you are) and authorisation (what you are permitted to do); see page 3, lines 17 to 20. One limitation on improving access control is the delay (latency) such measures introduce between a user giving a command and the system reacting. The invention seeks to reduce latency by combining an initially centralised approach, which offers high scalability, with a subsequently distributed approach, which offers reduced latency; see page 2, line 23, to page 3, line 10. This has been referred to in this case as the "hybrid" approach.

4.4 As illustrated in figure 5, an "accessing device" (10) (defined on page 4, lines 4 to 8), for instance a smartphone, sends an "access request" (20) to an "accessed device" (defined on page 4, lines 9 to 13), for instance a lighting device or electronic lock. The accessed device in turn sends an "evaluation request" to a "central decision evaluation apparatus" (30) which decides, based on one or more "central access control policies", whether the access request is to be granted or denied. Figure 6 shows a sequence diagram of the information flows in the system. "Policies" are defined as a "set of criteria for the provision of access to resources"; see page 3, lines 30 to 31.

4.5 The central decision evaluation apparatus derives a device-specific access policy from one or more central access control policies and sends this, together with its grant/deny access decision, to the accessed device, the "device-specific access policy" being stored in the accessed device.

4.6 When the accessing device subsequently sends an access request to the accessed device, the latter checks whether the access request matches a stored device-specific access policy and, if so, decides whether to grant or deny the request, based on the stored device-specific access policy without reference to the central decision evaluation apparatus.

4.7 A key difference between the "distributed approach" to access control, shown in figures 1 and 2, and the "centralised approach", illustrated in figures 3 and 4, is that the latter has a separate central decision evaluation apparatus (30). The "hybrid" approach of the invention, shown in figures 5 and 6, combines the "distributed" and "centralised" approaches (see page 10, line 1, to page 14, line 15) in that it initially uses the "centralised" approach, but then switches to the "distributed approach".

[Figure: Fig. 5 of WO 2013 128338 A1]

Claim 1 (Allowed)

1.1 Method for access decision evaluation in a building automation and control system, the method comprising:

1.2 sending, from an accessing device (10) to an accessed device (20), an access request,

1.3 sending, from the accessed device (20) to a central decision evaluation apparatus (30), an evaluation request asking if the access request is granted or denied,

1.4 evaluating, at the central decision evaluation apparatus (30), the evaluation request using one or more central access control policies in order to reach a decision on if the access request is granted or denied,

1.5 deriving, at the central decision evaluation apparatus (30), from one or more central access control policies that was used for evaluation a device specific access policy,

1.6 sending, from the central decision evaluation apparatus (30) to the accessed device (20), the decision and the device specific access policy,

1.7 storing, at the accessed device (20), the device specific access policy; and

1.8.01 sending, from the accessing device (10) to the accessed device (20), a subsequent access request,

1.8.02 evaluating, at the accessed device (20), if the subsequent access request matches with the device specific access policy stored in the accessed device (20), if so,

1.8.03 deciding, at the accessed device (20), if the subsequent access request is granted or denied based on the device specific access policy.

Claim 7 (Allowed)

7. Access decision evaluation system in a building control system, the access decision evaluation system comprising: an accessing device (10), an accessed device (20) comprising a local memory (22) storing one or more device specific access policies, a matching point (24) and a policy decision point (26), and

a central decision evaluation apparatus (30) comprising a database (33) of one or more central access control policies, an access policy decision point (34) and an access policy deriver (36), wherein the accessing device (10) is arranged to send an access request to the accessed device (20), and characterized in that the matching point (24) of the accessed device (20) is arranged to evaluate the access request to see if the access request matches with one of the one or more device specific access policies stored in the local memory (22), if so, the policy decision point (26) of the accessed device (20) is arranged to decide if the access request is granted or denied based on the matched device specific access policy, if not so, the accessed device (20) is arranged to send an evaluation request asking if the access request is granted or denied to the central decision evaluation apparatus (30), wherein the access policy decision point (34) of the central decision evaluation apparatus (30) is arranged to evaluate the evaluation request using one or more central access control policies in order to reach a decision on if the access request is granted or denied, wherein the access policy deriver (36) of the central decision evaluation apparatus (30) is arranged to derive from the one or more central access control policies that was used for the evaluation a derived device specific access policy, and wherein the central decision evaluation apparatus (30) is arranged to send the decision and the derived device specific access policy to the accessed device (20).
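To make the "hybrid" flow of points 4.4 to 4.7 and of claims 1 and 7 concrete, the following Python model is an added example written for this article; it is not code from the patent, the decision or Signify. It implements the components claim 7 names (database (33), access policy decision point (34), access policy deriver (36) on the central side; local memory (22), matching point (24), policy decision point (26) on the accessed device) and shows a first request being evaluated centrally, the derived device-specific policy being stored, and subsequent requests being decided locally without a round trip. The rule format, the device and role names, and the choice to key the stored policy by requested action are assumptions for illustration; the patent text above does not specify the matching criteria.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example (not from the patent or the decision): a minimal model of
# the hybrid access decision evaluation of claims 1 and 7. Device and role names
# are assumptions chosen for illustration.


@dataclass(frozen=True)
class Rule:
    """One criterion of a central access control policy (assumed format)."""
    accessed_device: str   # device the rule is valid for, e.g. "lock-front-door"
    action: str            # requested operation, e.g. "unlock"
    required_role: str     # attribute the accessing device must present
    effect: str            # "grant" or "deny"


@dataclass(frozen=True)
class AccessRequest:
    accessing_device: str
    role: str
    accessed_device: str
    action: str


class CentralDecisionEvaluationApparatus:
    """Central apparatus (30): database (33), access policy decision point (34)
    and access policy deriver (36)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.database = list(rules)
        self.evaluations = 0  # counts central round trips, to show the saving

    def evaluate(self, req: AccessRequest) -> Tuple[str, Tuple[Rule, ...]]:
        self.evaluations += 1
        # Access policy decision point (34): only rules valid for this accessed
        # device and action are used; first matching rule wins, default deny.
        used = tuple(r for r in self.database
                     if r.accessed_device == req.accessed_device and r.action == req.action)
        decision = next((r.effect for r in used if r.required_role == req.role), "deny")
        # Access policy deriver (36): the device-specific policy is exactly the
        # rules that were used, so the device receives only what it needs.
        return decision, used


class AccessedDevice:
    """Accessed device (20): local memory (22), matching point (24) and policy
    decision point (26)."""

    def __init__(self, name: str, central: CentralDecisionEvaluationApparatus) -> None:
        self.name = name
        self.central = central
        # Assumption: stored device-specific policies are keyed by requested action.
        self.local_memory: Dict[str, Tuple[Rule, ...]] = {}

    def matching_point(self, req: AccessRequest) -> Optional[Tuple[Rule, ...]]:
        return self.local_memory.get(req.action)

    def policy_decision_point(self, req: AccessRequest, policy: Tuple[Rule, ...]) -> str:
        return next((r.effect for r in policy if r.required_role == req.role), "deny")

    def handle(self, req: AccessRequest) -> Tuple[str, str]:
        """Returns (decision, path) where path is 'local' or 'central'."""
        if req.accessed_device != self.name:
            return "deny", "local"  # request addressed to another device
        policy = self.matching_point(req)
        if policy is not None:
            return self.policy_decision_point(req, policy), "local"
        # No stored policy matches: ask the central apparatus, store what it
        # derives, and return its decision (claim 1, steps 1.3 to 1.7).
        decision, derived = self.central.evaluate(req)
        self.local_memory[req.action] = derived
        return decision, "central"


def run_demo() -> Tuple[List[Tuple[str, str]], int]:
    central = CentralDecisionEvaluationApparatus([
        Rule("lock-front-door", "unlock", "staff", "grant"),
        Rule("lock-front-door", "unlock", "visitor", "deny"),
        Rule("light-lobby", "switch", "visitor", "grant"),  # not valid for the lock
    ])
    lock = AccessedDevice("lock-front-door", central)
    requests = [
        AccessRequest("phone-a", "staff", "lock-front-door", "unlock"),    # first: central
        AccessRequest("phone-a", "staff", "lock-front-door", "unlock"),    # subsequent: local
        AccessRequest("phone-b", "visitor", "lock-front-door", "unlock"),  # local, denied
        AccessRequest("phone-b", "visitor", "lock-front-door", "lock"),    # no rule: central, default deny
    ]
    return [lock.handle(r) for r in requests], central.evaluations


def stale_policy_demo() -> Tuple[str, str]:
    """Caveat the decision does not discuss: once delegated, the stored policy
    keeps deciding until the device is updated, even if the central policy
    changes. Returns (central decision now, local decision now)."""
    central = CentralDecisionEvaluationApparatus([Rule("lock-front-door", "unlock", "staff", "grant")])
    lock = AccessedDevice("lock-front-door", central)
    req = AccessRequest("phone-a", "staff", "lock-front-door", "unlock")
    lock.handle(req)                  # delegates and stores the derived policy
    central.database.clear()          # central policy withdrawn afterwards
    central_now, _ = central.evaluate(req)
    local_now, _ = lock.handle(req)
    return central_now, local_now


if __name__ == "__main__":
    print(run_demo())
    print(stale_policy_demo())
```

Running `run_demo()` shows the latency argument of point 4.3 in miniature: four requests reach the lock but only two evaluations reach the central apparatus, and the derived policy contains only the rules valid for that lock (the restriction discussed under auxiliary requests 2 and 4 below). `stale_policy_demo()` shows the flip side a defender should plan for: after delegation the accessed device decides from its stored copy, so a policy withdrawn centrally still grants locally until the stored policy is refreshed or invalidated; the decision says nothing about such an update mechanism.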

Claim 9 (Not allowed)

9. Central decision evaluation apparatus (30) in an access decision evaluation system comprising an accessing device (10), an accessed device (20) and the central decision evaluation apparatus (30), the central decision evaluation apparatus (30) comprising: a database (33) of one or more central access control policies, an access policy decision point (34) arranged to evaluate an evaluation request from the accessed device (20) using one or more central access control policies stored in the database (33) in order to reach a decision on if an access request being sent from the accessing device (10) to the accessed device (20) is granted or denied, and characterised in that the central decision evaluation apparatus (30) further comprises: an access policy deriver (36) arranged to derive from the one or more central access control policies that was used for the evaluation a device specific access policy, wherein the central decision evaluation apparatus (30) is arranged to send the decision and the device specific access policy to the accessed device (20) to enable the accessed device (20) to store the device specific access policy and thereby decide if a subsequent access request is granted or denied based on the device specific access policy

Is it patentable?

The Board then discussed the inventive step of Claim 9:

10.1 Claim 9 of auxiliary request 1 starting from D1

10.1.1 The subject-matter of claim 9 of auxiliary request 1 differs from the disclosure of D1 in further comprising:

a. an access policy deriver arranged to derive from the one or more central access control policies that were used for the evaluation a device specific access policy,

b. wherein the central decision evaluation apparatus is arranged to send the decision and the device specific access policy to the accessed device (20).

10.1.2 In the oral proceedings the respondent argued that sending the decision and the device specific access policy to the accessed device (feature "b") had the technical effect of enabling the hybrid approach, since the accessed device could only decide itself if it had the device specific access policy. It was moreover not usual to send rules to another system element.

10.1.3 The appellant argued that the features of the central decision evaluation apparatus were not limited by its effect on another system element, namely enabling the accessed device to decide. Moreover the access policy could be based on purely financial rather than technical considerations.

10.1.4 The board finds that sending the decision and the device specific access policy to the accessed device is a necessary but insufficient condition for the presence of a technical effect in the central decision evaluation apparatus, since the criteria in a policy need not be technical. The derivation of a device-specific access policy and the taking of a decision based on it can be non-technical steps which are thus unable to lend inventive step to the claim. For instance, sending the derived policy together with the decision could merely serve the non-technical purpose of informing the accessed device about the reasons for the decision taken.

10.1.5 Hence the subject-matter of claim 9 lacks inventive step in view of D1.

However, the Board considered that claims 1 and 7 were inventive for the following reasons:

10.2.8 The board finds that the subject-matter of claim 1 of auxiliary request 5 differs from the disclosure of D1 in the following features:

a. the method takes place in a building automation and control system;

b1. deriving, at the central decision evaluation apparatus, a device-specific access policy from one or more central access control policies that were used for evaluation;

b2. sending the device-specific access policy from the central decision evaluation apparatus to the accessed device and storing it there and

b3. sending, from the accessing device to the accessed device, a subsequent access request, evaluating, at the accessed device, whether the subsequent access request matches the device-specific access policy stored in the accessed device, if so, deciding, at the accessed device, whether the subsequent access request is granted or denied based on the device-specific access policy.

10.2.9 The board does not accept the objective technical problem proposed by the appellant. From the perspective of D1, this formulation would require the skilled person to start from a known solution in a medical context and, in a way, to look for a problem, namely an automation domain which might profit from that solution. However, a central assumption of the problem-solution approach is that the skilled person starts with a problem and looks for a solution to it. The board also notes that the appellant has not justified the proposed objective technical problem in any other way.

10.2.10 The board finds that in claim 1 features "b1" to "b3", representing the so-called "hybrid" approach, would not have been obvious to the skilled person starting from D1. More specifically, although the hybrid approach, i.e. delegating the access control decisions to the accessed devices, has a clear advantage in a building automation and control system, which the board accepts (see above, point 6.2.2) must be construed as having a large number of "accessed devices" such as locks or lighting devices, no such advantage is apparent in the system of D1 in which there is only one, central accessed device. Furthermore, the skilled person would also have no reason to try applying the solution of D1 to such a building automation and control system. Inversely, it has not been argued that, and it is not apparent to the board why, a skilled person starting from, and addressing a problem in, a generic building automation and control system would look for a solution in a medical automation system such as that of D1.

10.2.11 Hence the subject-matter of claim 1 involves an inventive step in view of D1. The same applies mutatis mutandis to claim 7.

The patentee amended claim 9 in further auxiliary requests, but the amended claims were also considered not inventive:

10.4.3 The board finds that neither auxiliary request 2 nor 3, nor their combination in 4 introduces amendments lending inventive step to claim 9 of auxiliary request 2 or claim 7 of auxiliary requests 3 and 4. In auxiliary requests 2 and 4 the restriction of the device-specific access policy to only the relevant rules valid for the accessed device seems to be a usual matter for the skilled person of conserving memory space and network bandwidth and, given that the policy need not be technical, the additional feature lacks technical character and is thus unable to contribute to inventive step. Turning to auxiliary requests 3 and 4, the derivation of the device-specific access policy using context attributes as variables lacks technical character, since the policy itself need not be based on technical considerations.

10.4.4 Hence the subject-matter of claim 9 of auxiliary request 2 and claim 7 of auxiliary requests 3 and 4 does not involve an inventive step, Article 56 EPC.

Therefore, the Board considered that although claim 9 was not inventive, the subject-matter of claims 1 and 7 was inventive.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
