Skip to content

Controlling who can access your tax online

Your business deals with the Australian Taxation Office (ATO) online. Not everyone who works for you needs to see all of that, and not everyone needs to be able to lodge things on the business's behalf. The good news is you don't have to choose between "full access" and "no access". You can decide exactly which people can see and do what.

For example, you can let one person prepare and lodge your Activity Statements, while someone else can only look but not lodge. Each person gets only the access their job needs — nothing more.

In one line

In the ATO's online services you can control which people can see and do what — such as who can prepare and lodge your Activity Statements — so staff have only the access they need.

Why this matters

The things you do in the ATO's online services are real. When someone lodges an Activity Statement, that lodgment is legally binding on your business. The ATO makes this point plainly: anything an authorised person does in your online services is binding on the business.

So the more carefully you control access, the safer your business is. Giving a new staff member the power to lodge tax forms, or change business details, before they're ready is a risk. Limiting access means a mistake, or the wrong person, can only reach as far as you allowed.

What you will learn

  • That you can control which people can see and do what in your tax online
  • Who sets this up, and how access is granted to staff
  • Why limiting access protects your business

Understanding the concept

The ATO's main online service for businesses lets you manage who can act for your business, and what each person is allowed to do. Access is not all-or-nothing — it is broken into separate permissions, so you can switch on just the ones a person needs.

The tool that manages these permissions is called Access Manager. Through it, the person in charge can decide, for each staff member, things like:

  • Who can view your tax information.
  • Who can prepare an Activity Statement.
  • Who can actually lodge it.

One person might be allowed to prepare a statement but not send it, so an owner still gives the final go-ahead. Another might have no access at all. You choose.

Setting this up is the job of the principal authority — usually the business owner, or the person the business has formally put in charge of its online dealings. That person automatically has full access, and can then hand out limited permissions to others. It is also their responsibility to review, from time to time, who still has access and whether they still need it.

For accountants & bookkeepers

The principal authority (or an authorisation administrator) sets up in the business's identity records automatically becomes an administrator in Access Manager, with all permissions. From there they grant granular, per-function permissions to standard users. The ATO stresses two points worth passing on to clients: access should be reviewed regularly, and any action an authorised user takes in ATO online services is legally binding on the business. Note this is separate from authorising a registered tax or BAS agent, which is done through the agent-linking process rather than by giving the agent a staff login.

Example

Priya owns a small café and has just hired Jordan as a part-time bookkeeper. Priya wants Jordan to prepare and lodge the quarterly Activity Statements so she doesn't have to — but she does not want him able to change the business's bank account details or other sensitive settings.

As the principal authority, Priya opens the ATO's online services and grants Jordan just the permissions he needs to prepare and lodge Activity Statements. She leaves everything else switched off. Jordan can now do his job in full, but he cannot touch the bank details. A few months later Priya checks the access list, sees Jordan is the only extra person on it, and knows exactly who can act for her business.

Common mistakes

  • Giving every staff member full access "to keep it simple" — this exposes the business.
  • Forgetting to remove access when someone leaves or changes roles.
  • Confusing staff access with authorising your registered agent — those are set up differently.
  • Assuming access is all-or-nothing — you can grant just the permissions a person needs.

How this works in myaccountant

In the app — myaccountant lets you set up your own authorised users, so the people who work in your business have access that suits their role. When it's time to lodge an Activity Statement, the person doing it signs off before it is sent, so your business stays in control of what goes to the ATO.

Key points

  • You can control which people can see and do what in your tax online.
  • Access is not all-or-nothing — you grant only the permissions a person needs.
  • The business owner or principal authority sets this up.
  • The ATO's permissions tool is called Access Manager.
  • Anything an authorised person does is legally binding on the business.
  • Review who has access regularly, and remove access no longer needed.

Learn next

General information only — not tax, super or financial advice.

Share X LinkedIn Email

Did this answer your question?