Cloud software authentication and authorisation – Frequently asked questions

This page provides frequently asked questions (FAQ) to assist digital service providers (DSP) with implementing the Cloud software authentication and authorisation (CAA) solution. For more information, refer to the CAA Software developer information kit. If you can’t find the answer to your question, contact us via Online Services for DSPs or the SBR Service Desk.


CAA solution

Q1. What is the definition of Cloud, to which this applies?

The Australian Government has adopted the US Government’s National Institute of Standards and Technology (NIST) Definition of Cloud Computing noting:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Software developers should refer to the ATO Operational Security Framework (PDF 648KB) for mandatory controls related to DSP controlled cloud environments.

The Australian Cyber Security Centre offers guidance on Cloud Computing Security Considerations.

Q2. Are desktop software solutions still supported?

Yes. Businesses and intermediaries will still be able to maintain current processes and use existing machine credential authentication models when using desktop software solutions.

Q3. What is a Software ID?

A Software Subscription ID (SSID), commonly referred to as a Software ID, is a unique ID that is used to identify each unique subscription or instance of software and is automatically generated by the software. The Software Developer Information Kit (PDF 979KB) provides instructions on the generation and use of Software ID.

Q4. How does the ATO know that a Software ID is correct?

A notification that a relationship exists with a hosted software provider must be provided to the ATO by an authorised representative of the client. The client must provide their unique Software ID and the ABN of the software provider.

Q5. How secure is this solution, what if a fraudulent user obtains the software ID?

On lodgment, the software automatically sends the Software ID within the message; the client does not enter it. If a fraudulent user obtains a Software ID, they won't be able to manually enter it into the software. The ATO authorisation check will fail if the SSID, reporting party (or intermediary) and software provider registration passed by the software do not match the notification held by the ATO.

Q6. Is it an issue if a different DSP has the same Software ID in their software?

No. The Software ID is only required to be unique across the cloud software provider business entity (ABN). There is no risk if two different software provider business entities (ABNs) happen to generate and provide the same software ID to their clients.
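
The matching rule described in Q5 and Q6 can be modelled as a lookup on three values together. The following is an added illustration, not ATO code: the class and function names are hypothetical, the identifiers are constructed samples, and it assumes the provider ABN is the one bound to the machine credential that authenticated the transmission.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Notification:
    client_abn: str    # reporting party (or intermediary) named in the notification
    provider_abn: str  # cloud software provider the client nominated
    software_id: str   # SSID generated by the software for that subscription


class NotificationRegister:
    """Toy model of the notifications held by the agency (hypothetical)."""

    def __init__(self):
        self._held = set()

    def notify(self, client_abn, provider_abn, software_id):
        self._held.add(Notification(client_abn, provider_abn, software_id))

    def remove(self, client_abn, provider_abn, software_id):
        self._held.discard(Notification(client_abn, provider_abn, software_id))

    def authorise(self, client_abn, provider_abn, software_id):
        # All three values must match one held notification; the Software ID
        # on its own is an identifier, not a secret.
        return Notification(client_abn, provider_abn, software_id) in self._held


def demo():
    # Constructed sample identifiers, not real ABNs or Software IDs.
    client_a, client_b = "CLIENT-ABN-A", "CLIENT-ABN-B"
    dsp_x, dsp_y = "DSP-ABN-X", "DSP-ABN-Y"
    ssid = "0000000001"

    reg = NotificationRegister()
    reg.notify(client_a, dsp_x, ssid)
    reg.notify(client_b, dsp_y, ssid)  # same SSID under a different provider (Q6)

    results = {
        "legitimate lodgment": reg.authorise(client_a, dsp_x, ssid),
        "same SSID at another provider": reg.authorise(client_b, dsp_y, ssid),
        "known SSID, wrong reporting party": reg.authorise(client_b, dsp_x, ssid),
        "known SSID, wrong provider": reg.authorise(client_a, dsp_y, ssid),
    }
    reg.remove(client_a, dsp_x, ssid)  # client withdraws the notification
    results["after notification removed"] = reg.authorise(client_a, dsp_x, ssid)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authorised' if ok else 'rejected'}")
```
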

Q7. Can the CAA solution only be used for the ATO? 

The solution has been implemented in the ATO Access Manager and is for ATO only.  A similar solution has been implemented for the Unique Student Identifier (USI) in the Relationship Authorisation Manager. Other agencies may choose to leverage this solution.

Q8. What services can I use the CAA solution for?

The CAA solution is used for the SBR1 (Core) and SBR2 (ebMS3) channels and the ATO API Gateway.

Q9. Can a DSP nominate multiple machine credentials to be used to secure cloud software transmissions?

Yes. A DSP can nominate multiple machine credentials to secure cloud software transmissions. This nomination is done in Access Manager.

Q10. Can a single device machine credential be used on multiple servers?

The ATO supports the use of a single machine credential or one for each server. The Keystore containing the single machine credential can be copied and placed on each server. However, the machine credential was designed to identify an electronic address that is authorised to transact with the ATO. Installing a unique machine credential on each server enables better identification of which server was used when transacting with the ATO (for fraud, accountability, logging etc).

Q11. Is there a web service that can be used as an alternative to the manual process of notification of a software provider in Access Manager?

No. Web services are not available to set up notifications. Clients are required to complete a hosted SBR software services notification in Access Manager or call the ATO via the 1300 852 232 priority phone service.

Q12. Is there a way a DSP can verify if their clients have set up a notification in Access Manager correctly without transmitting an SBR message?

Yes. A DSP can verify client notifications in Access Manager under “Hosted SBR software service provider functions”. More information on this service is available in the Software Developer Information Kit (PDF 979KB).

Q13. Can CAA be used with desktop solutions?

Yes, the CAA solution can be leveraged using hybrid desktop via cloud software. See more details in the CAA Software developer information kit.


Q14. Can a DSP upload a client’s machine credential to the cloud?

No. Uploading clients’ machine credentials into the cloud is a breach of terms and conditions as it represents a significant risk to the integrity of the credential.

Q15. Will businesses be able to specify certain permissions for each provider?  (for example, BAS for one and not the other)

No. A standard set of permissions will be set when completing a hosted software service provider notification. It is up to the business to choose how they use their software products.

Q16. Will Machine credentials still be required?

When using the cloud solution the business does not require a machine credential of their own to transmit information to the ATO via SBR or ATO API enabled cloud software. The cloud software provider requires a machine credential to authenticate the transmission. Machine credentials can still be used for non-cloud desktop software, but cannot be used for any ATO online services such as Online Services for Agents and Access Manager.

Q17. Can a business authorise multiple providers?

Yes. Businesses can nominate multiple cloud software providers.

Q18. Can multiple users lodge under a single subscription?

Yes, it is possible for cloud software products to allow multiple users to submit transmissions via a single cloud software subscription (using a single Software ID).

Q19. Can multiple ABNs lodge under a single subscription?

No, cloud software products should issue a unique Software ID to each ABN.

Q20. When a business owner/employee removes a software provider notification, does ATO notify the software provider?

No. The ATO does not provide a service to notify the DSP if a notification is created or removed. The business and DSP will be informed upon lodgment via error messages if the notification has been removed.

Certification and testing

Q21. What is the process for DSPs to ‘sign up’ and is it the same process for registration or certification to that of SBR?

Yes, it is the same process. The CAA Software Developer Information Kit explains the CAA onboarding and accreditation processes.  The ATO Operational Security Framework (PDF 648KB) specifies the requirements for software developers implementing the CAA solution.

Q22. What are the certification requirements for CAA?

Once SBR self-certified, there are no additional certification requirements for CAA. The conformance test suite is available to help DSPs integrate with SBR and the ATO by providing authentication and authorisation scenarios which may be used to test any message implementation. The Integrated Product Test (IPT) suite provides CAA-specific scenarios for DSPs wishing to test their implementation. As a registered software developer you will have access to the IPT.

Once DSPs intending to use CAA have completed these scenarios they can then complete the CAA request in Online services for DSPs to declare that they have met the CAA requirements and be granted Hosted SBR Software Provider access in Access Manager.

Q23. Is there any testing and development documentation for CAA?

Yes. The Integrated Product Test (IPT) provides general authentication and authorisation scenarios, including client IDs, that can be used to test with any message implementation.

Use the client data setup specified in the IPT for CAA. This can then be used to replace the designated conformance suite client data to test the scenarios for CAA clients. Contact us via Online Services for DSPs or SBR Service Desk for more information.

Q24. Can a universal test machine credential be used to test CAA scenarios?

To test CAA, use the data setup specified in the Integrated Product Test Suite (IPT) in conjunction with the test machine credentials (ato.M2M.keystore) available in Sharefile. Only this data has been set up to give the correct responses for CAA. This data should then be used to replace the designated conformance suite data to test the scenarios in the conformance suites for CAA.

Q25. I have hosted SBR software provider access in Access Manager. How can I get a machine credential and make it visible on the screen to enable?

If you don't have a machine credential, see How to create a machine credential.

To make a machine credential visible in Access Manager you must:

  • Create and install your machine credential.
  • Submit an initial SBR transaction with your machine credential. This transaction may fail (this is normal). Once this has occurred the machine credential will become visible in Access Manager. See Using Access Manager - Access and permissions.