Show download pdf controls
  • Responsibilities for using Access Manager

    Access Manager allows you to manage who has electronic access to the tax information of the business. It's your responsibility to implement processes that allow you to regularly review and monitor who has access to the business records.

    Data about individuals and entities within Access Manager is confidential. You must ensure that unauthorised people do not compromise the integrity of that data. If your computer will be unattended, even briefly, you must log out from Access Manager or lock your computer.

    By logging into Access Manager, you agree to:

    • comply with the terms and conditions of the AUSkey
    • keep the AUSkey secure at all times
    • not disclose your password or share it with others.

    By providing others in the business with electronic access to the secure information of the business, through an AUSkey, as yourself or as an agent for tax purposes, you must understand the following.

    • User access and permissions – what level of access is provided to each type of user (Administrator, Standard, Device) and the transactions the users can undertake (see Access and permissions).
    • Business appointments – the nature of your relationship with any entities you have appointed as an agent for tax purposes and what transactions your agent can undertake (see Business appointments).
    • Legally binding actions – the actions these users and agents undertake through Access Manager are legally binding to your business.

    If you're using RAM, see Access Manager via RAM for more information.

    Preventing unauthorised access to business information

    If you have allowed your staff access to your secure information on the Business Portal, Tax Agent Portal or BAS Agent Portal, we strongly recommend that you:

    • use Access Manager regularly to ensure that user's level of access to the portals is appropriate
    • cancel AUSkeys (in the AUSkey Manager) if staff no longer require them or the AUSkey has been compromised
    • immediately disable or remove a user's account in Access Manager if you have any concerns about their activities
    • ensure that each person who deals with us online on behalf of your business has their own security credential
    • keep passwords secure – they must not be shared.

    If you use a hosted (online) SBR software service, we strongly recommend that you limit access to stored business information to appropriate staff only. If you have any concerns, contact your software service provider for advice.

    Access Manager via RAM

    RAM is now connected to Access Manager. This means when you authorise a person to act for a business using RAM, you can set their permissions for ATO online services in Access Manager at the same time.

    By logging in to Access Manager through RAM, you agree to:

    • comply with the terms and conditions of myGovID and RAM
    • keep your myGovID secure at all times and to not share it with others.

    See also:


    Assigning and managing permissions for staff is one of the main functions of Access Manager. It enables businesses to manage which ATO online services and functions their employees can access.

    To set permissions in Access Manager through RAM you need to be the principal authority or authorisation administrator (previously known as Administrators).

    1. Select Custom in the 'Agency access' section when you add a new user. Custom access users will be visible in Access Manager once the authorisation is created in RAM.
    2. Complete the steps in the 'Summary' section.
    3. Select ATO Access Manager (not all government online services offer this option) in the 'Customise access' section.
    4. Once in Access Manager, choose the relevant permissions from the access and permissions displayed and save.

    To view or modify existing permissions:

    • Select the user.
    • Select view or modify.
    • Select ATO Access Manager.
    • Once in Access Manager, select Access and Permissions from the left hand menu.

    To disable, remove or restore an authorised user, go to RAM.

    If your access level is set as Full, you automatically have access to all ATO online services, however you may not be an authorisation administrator. Avoid copying permissions from a full access user as this may cause an error to occur.

    Device AUSkeys are not managed in RAM, however principal authorities or authorisation administrators can manage permissions for Device AUSkeys in Access Manager.

    See also:

    Business appointments

    When using the 'Who has access to my business' function, available under Business Appointments in Access Manager, through RAM, note that users will appear as 'Standard' users.

    We are working on adding the 'Auto access feature' when using Access Manager from RAM. This means you will be able to update permissions for custom access users in bulk, giving the user all of the permissions assigned by the principal business.

    Authorising users to registered agent numbers

    If you're a registered tax or BAS agent, to give your staff access to the clients of your registered agent number, you need to authorise them in Access Manager and give them the necessary permissions. A user will need Custom access level in Access Manager at minimum to enable you to give them access to your registered agent number (RAN).

    If you have Full access level or you are a principal authority you will automatically have access to all RANs.

    Assigning user permissions to access your clients

    As a registered agent you may restrict client accounts deemed to be sensitive or private, such as your own accounts. You may not want some or all of your staff with Custom access level users to have access to these client accounts in Online services for agents or the Tax or BAS Agent Portal.

    When you restrict a client, only principal authorities and Full access level users (by default) will have access to that client's information. You can then specify which standard or Custom access users will have access to that client in Online services for agents or the Tax or BAS Agent Portal.

    See also:

      Last modified: 24 Jun 2019QC 40983