Using Digital ID, RAM and machine credentials (M2M)


The myGovID app is now known as myID

myGovID has a new name and look – but how you use it is the same. Find out more at www.myID.gov.au/DiscovermyID


Together, myID and Relationship Authorisation Manager (RAM) provide flexible, easy and secure access to Online Services for DSPs.

Machine credentials allow you to interact with government online services through Standard Business Reporting (SBR)-enabled software.

How you set up these authentication and authorisation services depends on your circumstances and the type of Digital Service Provider (DSP) you are. Additional information is available if you are a:

myID

A Digital ID, such as myID, allows you to prove your identity when accessing Online services for DSPs and other government online services.

To access Online Services for DSPs, you need a myID with either:

  • Basic identity strength - only allows access to some request types
  • Standard or Strong identity strength - allows access to the full suite of request types.

See the myID website to find out how to set up your myID.

Note: myID cannot be used for SBR services. You will need a machine credential to transact with the ATO through your software.

Relationship Authorisation Manager (RAM)

RAM is an authorisation service that allows you to act on behalf of a business or entity online when linked with your Digital ID. You need to log in to RAM using a Digital ID, such as myID.

To link online, an eligible principal authority needs to set up a Digital ID with a Strong identity strength. If the principal authority is unable to reach a Strong identity strength, check if there is an existing principal authority that can link you to the Australian business number (ABN). Alternatively, you can contact the ATO to link the ABN to a myID with a Standard identity strength. Once linked, you can access government online services and manage who can act on behalf of the business.

If there are existing principal authorities linked to the business, an email notification will be sent to notify them that you have linked to the ABN.

When authorising an individual to act on behalf of your business, they will receive an authorisation request which they must accept in RAM.  

Visit Relationship Authorisation Manager for more information on how to get started or to find out how to link your business as a principal authority.

Unable to achieve a Standard identity strength

If you’re a principal authority and unable to achieve at least a Standard identity strength, check whether another principal authority can, so they can link the business.

Check the myID website for the latest list of accepted identity documents or email DPO@ato.gov.au for assistance or further advice.  

RAM for SBR-enabled software

For SBR-enabled software you use RAM to:

  • authorise a Machine Credential Administrator (MCA)
  • create machine credentials to interact with government online services through your software
  • notify government agencies about the software you’ll be using to interact with them through My Cloud Software Services (only the Office of the Student Identifiers Registrar, Department of Education, Skills and Employment).

Machine credentials (M2M solution)

Machine credentials allow DSPs, businesses and registered tax and BAS agents to interact with ATO online services through their SBR-enabled software. Machine credentials are installed from RAM and used in your SBR-enabled software.

You’ll need to create a machine credential if you:

  • are a DSP who offers cloud-based SBR-enabled software
  • use desktop or locally hosted software, including employers using a Single Touch Payroll (STP) desktop solution that reports directly to the ATO.

Employers who are unsure of their connection to the ATO should seek guidance from their software provider in the first instance.

Create a machine credential

You can create a machine credential if you are a:

Once the machine credential is created, the principal authority or MCA will be responsible for its use in the business.

To create a machine credential, follow the step-by-step instructions on how to install a machine credential in RAM.

Additional information is available if you are a:

Machine credential expiry

Machine credentials expire 2 years from the date of creation.

The machine credential custodian (the person who created or claimed the machine credential) is notified at 60, 30 and 7 days prior to expiry. Notifications are sent to the custodian’s current business email address as listed in RAM. Where the custodian is no longer authorised, the other machine credential administrators will be notified. Principal authorities will be notified if there are no machine credential administrators for the business.

You can incorporate a machine credential renewal function in your software. This allows a machine credential to be automatically renewed when it’s used to access your software within 14 months of its expiry. The machine credential (M2M) renewal FAQs in Online services for DSPs provide information to help you integrate this into your software.

If a renewal function is not available in your software, a new machine credential will need to be created using the same name as the existing one. To create a machine credential, follow the step-by-step instructions on how to install a machine credential in RAM.

To ensure continued access:

  • the new machine credential should be created before the existing one expires
  • cloud software developers need to create the new machine credential
  • locally hosted or desktop software users need to create the new machine credential.

Note: If the new machine credential is on a different device and is given the same name as the first machine credential, then the 2 machine credentials exist on both machines, both with the same name but with different serial numbers. Both will display in RAM and the unused credential should be revoked.

You can check the expiry date of a machine credential in RAM.

It is best practice to revoke any unused, unassigned or duplicate credentials that are not required.
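An added example, not ATO or RAM code: a check over a locally kept credential inventory that applies the rules in this section (2-year expiry, the 60, 30 and 7 day notice points, and same-name credentials with different serial numbers). The record fields (`name`, `serial`, `created`, `revoked`) and the sample values are constructed for illustration, since RAM's own data format is not shown on this page, and the handling of a 29 February creation date is an assumption.

```python
from collections import defaultdict
from datetime import date

NOTICE_DAYS = (60, 30, 7)  # custodian notification points stated on this page


def expiry_date(created: date) -> date:
    """Credentials expire 2 years from the date of creation."""
    try:
        return created.replace(year=created.year + 2)
    except ValueError:  # created on 29 Feb and the target year is not a leap year
        return created.replace(year=created.year + 2, day=28)  # assumption


def audit(inventory, today):
    """Return (expiry findings, names held by more than one active serial)."""
    findings, by_name = [], defaultdict(list)
    for cred in inventory:
        if cred["revoked"]:
            continue  # revoked credentials need no further action
        by_name[cred["name"]].append(cred["serial"])
        days_left = (expiry_date(cred["created"]) - today).days
        if days_left < 0:
            findings.append((cred["serial"], "expired", days_left))
        else:
            crossed = [d for d in NOTICE_DAYS if days_left <= d]
            if crossed:  # report the tightest notice window already reached
                findings.append((cred["serial"], f"within {min(crossed)} days", days_left))
    duplicates = {n: sorted(s) for n, s in by_name.items() if len(s) > 1}
    return findings, duplicates


# Constructed sample inventory (hypothetical names and serial numbers).
SAMPLE = [
    {"name": "payroll-server", "serial": "A001", "created": date(2023, 7, 1), "revoked": False},
    {"name": "payroll-server", "serial": "A002", "created": date(2025, 6, 1), "revoked": False},
    {"name": "stp-desktop", "serial": "B001", "created": date(2023, 4, 1), "revoked": False},
    {"name": "old-gateway", "serial": "C001", "created": date(2022, 1, 1), "revoked": True},
]

if __name__ == "__main__":
    findings, dupes = audit(SAMPLE, date(2025, 6, 10))
    print(findings)
    print(dupes)
```

A name listed under duplicates is a candidate for review in RAM, where the unused serial is the one to revoke.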

Additional information for Cloud software providers using the CAA model

As a Cloud Software Provider (CSP) you need to create a machine credential in RAM and update the authentication service endpoint as documented in ATO SBR Physical End Points (DOCX, 286KB).

Once a machine credential has been created, downloaded and installed, you will need to 'prime' your credential for use with SBR. You are not required to do this if you are renewing the credential.

The first time you send a message to SBR, your machine credential appears in Access Manager. While a machine credential is created with full permissions by default, you still need to log in to Access Manager and select the machine credential for use in the hosted SBR services you provide. When this has been completed, you are ready to transact with SBR.

What your users need to know

Information and advice you provide your users will vary depending on their technical knowledge. Your users need to:

  • set up their myID and link their business in RAM to access government online services such as Access Manager and Online services for agents
  • notify the ATO that they are using cloud hosted software by recording their Software ID, provided by the DSP, in Access Manager.

They don’t need to install a machine credential.


Additional information for Sending Service Providers (SSP) or Gateway providers

If you are an SSP or Gateway provider, your processes are closely related to a Cloud Software Provider (CSP) for installing machine credentials.

If your implementation does not fit the model described under CSP, contact us for assistance via Online services for DSPs.

Additional information for Desktop software providers

Desktop software users may need to use RAM to create and install a machine credential on their device.

Not all desktop software users need a machine credential. If your users transact with the ATO through a Gateway or Sending Service Provider, that provider will sign transactions on your users’ behalf.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a new machine credential. Once they have used the credential for the first time, they will need to log in to Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.

What your users need to know

The information and advice you give to your users will vary depending on their technical knowledge and whether they regularly transact with the ATO using a Sending Service Provider (SSP). Messages for your users may include:

  • they need to set up their Digital ID, such as myID, and link their business in RAM to access government online services such as Access Manager and Online services for agents
  • they need to add existing business appointments to their new machine credential. They need to check the details in Access Manager are correct after they send their first transaction.

Additional information for Digital Service Providers and the Operational Security Framework (OSF)

While the credential’s authentication service endpoint is defined in your software, your users also need a machine credential.

Large businesses or entities using On-premise software

Large entities may operate within private cloud-hosted software services, where the enterprise software provider hosts all or part of their software in the cloud. Where that tenancy remains under the control of the customer, this software is still considered to be ‘on-premise’.

As a machine credential custodian, you can only upload your credential to a cloud tenancy that remains in the exclusive use and control of your company.

Digital Service Provider and Operational Security Framework

DSPs are required to undertake the ATO’s DSP Operational Security Framework (OSF) to access the ATO’s Application Programming Interfaces (APIs) and use their machine credential to sign transactions on behalf of their clients. The OSF is the ATO’s approach to recognising and responding to risks posed by exposure of ATO client data through APIs.

What your users need to know

The information and advice you give to your users will vary depending on their technical knowledge.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a machine credential. Once they have used the credential for the first time via an SBR transmission, they will need to log into Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.

Support tools and resources

We have a range of guidance material and resources available, including instructional videos, to support you and your users to access and use myID, RAM and the M2M solution:

Stay informed

To get the latest information on these services, subscribe to our Digital Service Providers newsletter.

Contact us

For more information or to request assistance contact us via Online services for DSPs.
