Cloud software authentication and authorisation – Frequently asked questions

This page provides frequently asked questions (FAQ) to assist software developers (SWD) with implementing the Cloud software authentication and authorisation (CAA) solution. For more information, refer to the CAA Software developer information kit. If you can’t find the answer to your question, contact us via the SBR Service Desk.

FAQ topics

CAA solution

Q1. What is the definition of Cloud, to which this applies?

The Department of Finance has released the Australian Government Cloud Computing Policy. The definition of ‘cloud’ can be found in this policy.

Australian Government Cloud Computing Policy (PDF, 334kB)

Q2. Will current desktop software solutions continue to be supported?

Yes. Businesses and intermediaries will still be able to maintain current processes and use existing AUSkey authentication models when using desktop software solutions.

Q3. What is a Software ID?

A Software ID is a unique ID that is used to identify each unique subscription or instance of software and is automatically generated by the software. See more information in the CAA Software developer information kit.

Q4. How secure is this solution, what if a fraudulent user obtains the software ID?

On lodgment, the software automatically sends the Software ID within the message (Software ID not entered by client). If a fraudulent user obtains the Software ID, they wouldn’t be able to enter it into the software. The ATO verification will fail if the ID does not match the notification.

Q5. Is it an issue if a different SWD has the same Software ID in their software?

No. The Software ID is only required to be unique across the cloud software provider business entity (ABN). There is no risk if two different software provider business entities (ABNs) happen to generate and provide the same software ID to their clients.

Q6. Will the CAA solution be implemented for the ATO only? 

The initial solution is for ATO only. It is intended that this solution will be leveraged for use across government.

Q7. Is the CAA solution for SBRCore and ebMS3?

Yes. The CAA solution is for both SBRCore and ebMS3 channels.

Q8. Is the ATO aware that this development will cause SWDs to support two SBR models if dealing with non-ATO organisations (eg SuperStream, other departments)?

Yes. It is intended that in the medium term, the proposed solution will be leveraged for use across government.

Q9. Can a SWD nominate multiple Device AUSkeys used to secure cloud software transmissions?

Yes.  A SWD can nominate multiple Device AUSkeys to secure cloud software transmissions.

Q10. Can a single device AUSkey be used on multiple servers?

The ATO supports the use of a single Device AUSkey or one for each server. The Keystore containing the single Device AUSkey can be copied and placed on each server. However, the Device AUSkey was designed so that a separate Device AUSkey is installed on each server, which enables better identification of which Device AUSkey on which server was used to authenticate (for fraud, accountability, logging etc).

Q11. Will web services be provided instead of (or as well as) the manual process of notification of a software provider in Access Manager?

No. Web services will not be available to set up notifications. Clients will be required to complete an online software provider notification in Access Manager or call the ATO via the 1300 85 22 32 priority phone service.

Q12. Is there a way SWD can verify if their clients have set up a notification in Access Manager correctly without transmitting an SBR message?

Yes. A SWD CAA authorisation check web service will be delivered as part of the phase 2 release for SWD to verify a client notification. A SWD can also verify client notification via the Access Manager under ‘Diagnostic reports’. More information on this service is available in the CAA Software developer information kit.

Q13. Can CAA be used with desktop solutions?

Yes, the CAA solution can now be leveraged using hybrid desktop via cloud software. See more details in the Software developer information kit.


Q14. Can a SWD upload a client’s AUSkey to the cloud?

No. Advice from the Department of Finance has confirmed that uploading clients’ AUSkey into the cloud is a breach of terms and conditions. 

Q15. Will businesses be able to specify certain permissions for each provider?
(for example, BAS for one and not the other)

No. A standard set of permissions will be set when completing an ‘Online Software Provider’ notification. It is up to the business to choose how they use their software product/s.

Q16. Will AUSkeys no longer be required?

The proposed cloud solution will mean an AUSkey will not be required by business to transmit information to the ATO via SBR enabled cloud software. The online software provider will require a Device AUSkey to authenticate the transmission. AUSkeys will still support non-cloud desktop software and portals.

Q17. Will business be permitted to authorise multiple providers?

Yes. Businesses will be able to notify multiple online software providers.

Q18. Can multiple users or ABNs lodge under a single subscription?

Yes, it is possible for cloud software products to allow:

  • multiple users submitting transmissions via a single cloud software subscription (using a single Software ID)
  • multiple ABNs submitting transmissions via a single software subscription (using a single Software ID)
  • multiple cloud software subscriptions submitting transmissions on behalf of the same business/ABN (multiple Software IDs against a single software provider notification)

Q19. When a business owner/employee removes a software provider notification , will the ATO notify the software provider?

No. The ATO will not be providing a service to notify the SWD if a notification is created or removed. The business and SWD will be informed upon lodgment via error messages if the notification has been removed.

Q20. How does an intermediary notify when holding both tax agent number and BAS agent number for the same business, ABN and AUSkey?

Only one software provider notification is required as notification is stored in Access Manager against the ABN. If both the Tax Agent and the BAS agent use the same instance of software or software subscription then only one Software ID needs to be registered with the notification. If the Tax Agent and BAS agent have separate instances of software or software subscriptions then both Software IDs need to be registered under the one notification.

Certification and testing

Q21. What will be the process for Software developers to ‘sign up’ and will it be the same process for registration or certification to that of SBR and/or ELS2SBR?

Yes, it will be the same process. The CAA Software Developer Information Kit explains the CAA onboarding and accreditation processes.

Q22. What are the certification requirements for CAA?

Once SBR-self certified, there are no additional certification requirements for CAA. The Integrated Product Test (IPT) suite is available to support software developers integrate with SBR and ATO by providing authentication and authorisation scenarios which may be used to test any message implementation.
Once software developers intending to use CAA have completed these scenarios they can then complete the CAA declaration form to declare that they have met the CAA requirements and be granted Online Software Provider access in Access Manager

Q23. Is there any testing and development documentation for CAA?

Yes. The Integrated product test (IPT) provides general authentication and authorisation scenarios including clients IDs that can be used to test with any message implementation.

Use the client data setup specified in the IPT for CAA. This can then be used to replace the designated conformance suite client data to test the scenarios for CAA clients. Contact us via SBR Service Desk for more information.

Q24. Can a universal test device credential be used to test CAA scenarios?

No, a universal test device is not required. To test CAA, use the data setup specified in the Integrated Product Test Suite (IPT). Only this data has been set up to give the correct responses for CAA. This data should then be used to replace the designated conformance suite data to test the scenarios in the conformance suites for CAA.

Q25. I have online software provider access in Access Manager. How can I get a Device AUSkey and make it visible on the screen to enable?

To make a device AUSkey visible in Access Manager you must:

  • Register for and install your Device AUSkey.
    If you don’t have a Device AUSkey see how to register for a Device AUSkey, and
  • Submit an initial SBR transaction with your Device AUSkey.
    To make the Device AUSkey visible in Access Manager, an initial transaction with a new Device AUSkey, through the SBR channel, must be performed. This transaction will likely fail (this is normal). Once this has occurred the Device AUSkey will become visible in Access Manager. See Using Access Manager - Access and permissions

Q26. Can I test the SWD CAA authorisation check service in EVTE?

No. This service will be available in production as part of the phase 2 release. The service will not be made available in EVTE. Detailed instructions are provided in the Online Software Provider (OSP) Appointment Web Service – Message Implementation Guide (PDF, 740kB).