Using myGovID, RAM and machine credentials (M2M)

On this page

Together, myGovID and Relationship Authorisation Manager (RAM) provide flexible, easy and secure access to Online Services for DSPs.

Machine credentials allow you to interact with government online services through Standard Business Reporting (SBR)-enabled software.

How you set up these authentication and authorisation services depends on your circumstances and the type of Digital Service Provider (DSP) you are. Additional information is available if you are a:

myGovID

myGovID allows you to prove your identity when accessing Online services for DSPs and other government online services.

To access Online Services for DSPs, you need a myGovID with either:

  • Basic identity strength - only allows access to some request types
  • Standard or Strong identity strength - allows access to the full suite of request types.

See the myGovID website to find out how to set up.

Note: myGovID cannot be used for SBR services. You will need a machine credential to transact with the ATO through your software.

Relationship Authorisation Manager (RAM)

RAM is an authorisation service that allows you to act on behalf of a business or entity online when linked with your myGovID. You need to log into RAM using myGovID.

To link online, an eligible principal authority needs to set up a myGovID with a Strong identity strength. If the principal authority is unable to reach a Strong identity strength, check if there is an existing principal authority that can link you to the Australian business number (ABN). Alternatively, you can contact the ATO to link the ABN to a myGovID with a Standard identity strength. Once linked, you can access government online services and manage who can act on behalf of the business.

If there are existing principal authorities linked to the business, an email notification will be sent to notify them that you have linked to the ABN.

When authorising an individual to act on behalf of your business, they will receive an authorisation request which they must accept in RAM.  

Visit Relationship Authorisation Manager for more information on how to get started or to find out how to link your business as a principal authority.

Unable to achieve a Standard identity strength

If you’re a principal authority and unable to achieve at least a Standard identity strength, check whether another principal authority can, so they can link the business.

Check the myGovID website for the latest list of accepted identity documents or email DPO@ato.gov.au for assistance or further advice.  

RAM for SBR-enabled software

For SBR-enabled software you use RAM to:

  • authorise a Machine Credential Administrator (MCA)
  • create machine credentials to interact with government online services through your software
  • notify government agencies about the software you’ll be using to interact with them through My Cloud Software Services (only the Office of the Student Identifiers Registrar, Department of Education, Skills and Employment).

Machine credentials (M2M solution)

Machine credentials allow DSPs, businesses and registered tax and BAS agents to interact with ATO online services through their SBR-enabled software. Machine credentials are installed from RAM and used in your SBR-enabled software.

You’ll need to create a machine credential if you:

  • are a DSP who offers cloud-based SBR-enabled software
  • use desktop or locally hosted software. Including employers using a Single Touch Payroll (STP) desktop solution that reports directly to the ATO.

Employers who are unsure of their connection to the ATO should seek guidance from their software provider in the first instance.

Create a machine credential

You can create a machine credential if you are a:

Once the machine credential is created, the principal authority or MCA will be responsible for its use in the business.

To create a machine credential, follow the step-by-step instructions on how to install a machine credential guide in RAM.

Additional information is available if you are a:

Machine credential expiry

Machine credentials expire two years from the date of creation.

You can incorporate a machine credential renewal function in your software. This allows a machine credential to be automatically renewed when it’s used to access your software within 14 months of its expiry. The machine credential (M2M) renewal FAQs in Online services for DSPs provides information to help you integrate this into your software.

If a renewal function is not available in software, a new machine credential will need to be created using the same name as the existing one.  To create a machine credential, follow the step-by-step instructions on how to install a machine credential guide in RAM.

To ensure continued access:

  • the new machine credential should be created before the existing one expires

Note: If the new machine credential is on a different device and is given the same name as the first machine credential, then the two machine credential’s exist on both machines, both with the same name, but with different serial numbers. Both will display in RAM and the unused credential should be revoked)

  • cloud software developers need to create the new machine credential
  • locally hosted or desktop software users need to create the new machine credential.

You and your users will not be notified of the machine credential’s expiry. We recommend you let your users know if your software doesn’t have a renewal function.

You can check the expiry date of a machine credential in RAM.

It is best practice to revoke any unused, unassigned or duplicate credentials that are not required.

Additional information for Cloud software providers using the CAA model

As a Cloud Software Provider (CSP) you need to create a machine credential in RAM and update the authentication service endpoint as documented in ATO SBR Physical End Points (DOCX, 288KB).

Once a machine credential has been created, downloaded and installed, you will need to 'prime' your credential for use with SBR. You are not required to do this if you are renewing the credential.

The first time you send a message to SBR your machine credential appears in Access Manager. While a machine credential is created with full permissions by default, you still need to login to Access Manager. Select the machine credential for use in the hosted SBR services you provide. When this has been completed you are ready to transact with SBR.

What your users need to know

Information and advice you provide your users will vary depending on their technical knowledge. Your users need to:

  • set up their myGovID and link their business in RAM to access government online services such as Access Manager and Online services for agents
  • notify the ATO that they are using cloud hosted software by recording their Software ID provided by the DSP, in Access Manager
  • they don’t need to install a machine credential.

See also

Additional information for Sending Service Providers (SSP) or Gateway providers

If you are an SSP or Gateway provider, your processes are closely related to a Cloud Software Provider (CSP) for installing machine credentials.

If your implementation does not fit the model described under CSP, contact us for assistance via Online services for DSPs.

Additional information for Desktop software providers

Desktop software users may need to use RAM to create and install a machine credential on their device.

Not all desktop software users need a machine credential. If your users transact with the ATO through a Gateway, or Sending Service Provider they will sign transactions on your users’ behalf.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a new machine credential. Once they have used the credential for the first time, they will need to log in to Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.

What your users need to know

The information and advice you give to your users will vary depending on their technical knowledge and whether they regularly transact with the ATO using a Sending Service Provider (SSP). Messages for your users may include:

  • they need to set up their myGovID and link their business in RAM to access government online services such as Access Manager and Online services for agents
  • add existing business appointments to their new machine credential. They need to check the details in Access Manager are correct after they send their first transaction.

Additional information for Digital Service Providers and the Operational Security Framework (OSF)

While the credential’s authentication service endpoint is defined in your software, your users also need a machine credential.

Large businesses or entities using On-premise software

Large entities may operate within private cloud-hosted software services, where the enterprise software provider host all or part of their software in the cloud. Where that tenancy remains under the control of the customer, this software is still considered to be ‘on-premise’.

As a machine credential custodian, you can only upload your credential to a cloud tenancy that remains in the exclusive use and control of your company.

Digital Service Provider and Operational Security Framework

DSPs are required to undertake ATO’s DSP Operational Security Framework (OSF) to access ATOs Application Programming Interfaces (APIs) and use their machine credential to sign transactions on behalf of their clients. The OSF is the ATO’s approach to recognise and respond to risks posed by exposure of ATO client data through APIs.

What your users need to know

The information and advice you give to your users will vary depending on their technical knowledge.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a machine credential. Once they have used the credential for the first time via an SBR transmission, they will need to log into Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.

Support tools and resources

We have a range of guidance material and resources available, including instructional videos, to support you and your users to access and use myGovID, RAM and the M2M solution:

Stay informed

To get the latest information on these services, subscribe to our Digital Service Providers newsletter.

Contact us

For more information or to request assistance contact us via Online services for DSPs.

Last modified date