Specifiers can be used to limit Suomi.fi authorisations
With a Suomi.fi authorisation, your employees can use the Incomes Register’s e-service on behalf of the company. With a specifier, you can limit this authorisation to reports concerning travel expenses or a specific customer company, for example.
A limited authorisation consists of two parts: the authorisation and the specifier.
Two mandate specifiers are used in the Incomes Register to limit authorisations: the suborganisation identifier and the customer ID.
The specifier can be used in the authorisations:
Browsing earnings payment data
Reporting earnings payment data
Browsing benefits payment data
Reporting benefits payment data
Suborganisation identifier
With the payer's suborganisation identifier, you can, for example, separate the management of travel expense accounts from the rest of payroll accounting and make it a separate suborganisation.
When you add the suborganisation identifier for travel expense accounts in the authorisations of certain employees and use the same identifier when reporting travel expenses, these employees will only be able to view the travel expense data in the Incomes Register. As the authorisation of the actual payroll clerk does not have the specifier, they will be able to view all the reports submitted by the organisation.
Specify the suborganisation identifier you want to use. You can specify the identifier yourself, provided that it meets the Incomes Register’s scheme requirements:
Length of the identifier must be 1–20 characters. The name of the authorisation (e.g. Reporting earnings payment data) does not have to fit into those 20 characters.
You may use letters, numbers and spaces in the identifier. Special characters are not allowed: &, <, >, ', ", -- (double hyphen), /*, &#.
When you grant a new authorisation to an employee of the company or organisation, add the identifier you have defined as the authorisation’s specifier in the Suomi.fi e-Authorizations service:
The suborganisation identifier is now part of the authorisation granted to the employee. The specifier will be transferred to the Incomes Register with the authorisation when the employee logs in to the e-service.
The employee who has been granted the authorisation will only be able to view in the e-service data that has been reported using the specified suborganisation identifier.
Use the identifier when reporting data you want such employees to view in the Incomes Register. The employees will not be able to view any reports that do not contain the identifier.
If an employee completes a report in the e-service and you have added a suborganisation identifier to their authorisation, the identifier will be automatically added to the report based on the employee’s identification data. All reports completed by the employee will contain the suborganisation identifier and will be visible to employees whose authorisation includes this specifier.
If the employee requests a transcript in the e-service, only reports with that suborganisation identifier will be included in the transcript.
If you report data via a technical interface or the upload service, you must separately add the suborganisation identifier. An identifier always applies to the entire file, which means that you must send data for each suborganisation as a separate record.
Select “Payer’s own codes” (2) as the suborganisation identifier type in the record. Give the same suborganisation identifier that you added to the Suomi.fi authorisation.
Only give the suborganisation identifier part, not the name of the authorisation (e.g. “Reporting earnings payment data”).
If you are also using a suborganisation identifier according to the Keva submitter codes or a government agency identifier, you can use that it the same record as the identifier compliant with the payer’s own codes.
In employer’s separate reports, use your own suborganisation identifier if you want specific employees to be able to view in the e-service only the data on those reports.
Please note that you can only submit one employer’s separate report per month per payer. Even if you are using the payer’s suborganisation to limit visibility, the report always applies to the entire organisation. A report cannot be submitted separately for each suborganisation. Therefore, only submit one report with the whole company’s details for the month.
The suborganisation identifier limits the visibility of the data only in the e-service. All the data on a separate report is always included in transcripts requested from the Incomes Register regardless of whether you have used a suborganisation identifier.
Make sure that the employees in your organisation have the correct authorisations.
If an employee’s authorisation includes a suborganisation identifier as a specifier, they will only be able to view reports containing the same identifier.
If an employee’s authorisation does not include a specifier or if they are using the service in an official role, they will always be able to view all reports.
It is not possible to add a specifier to an already granted authorisation.
If you wish to start using a suborganisation identifier and there are currently valid authorisations, you must delete those first.
Define the suborganisation identifier and then regrant the authorisations in Suomi.fi e-Authorizations. Please note that once this is done, the authorised person will only be able to view data submitted using the suborganisation identifier in the Incomes Register’s e-service.
If an organisation is divided into suborganisations, you can use the payer’s suborganisation identifier to notify the details of the paying suborganisation.
If you want the identifier to be pre-filled for your employees in the e-service, restrict your employees’ authorisations by using the suborganisation identifier as a specification of the authorisation mandate.
Any pre-filled details cannot be changed.
For more detailed instructions and restrictions, see “How to restrict an authorisation mandate with the payer’s suborganisation identifier”.
You can also personally fill in the section when submitting the report.
Select “Payer’s own codes” as the type of suborganisation identifier.
Report the payer’s suborganisation identifier, such as the accounting unit identifier.
You can enter several suborganisation identifiers for a payer in an earnings payment report and an employer’s separate report, but only one in a benefits payment report.
For wages, there are three types of suborganisation identifiers for payers. You can enter only one value for each type.
Keva’s submitter codes are used by the social insurance institution (Kela) and municipal, government and church employers. Notify an identifier from Keva’s submitter codes only when you have paid income subject to earnings-related pension. A Keva submitter code identifier does not limit the visibility of the data.
Use the Payer’s own codes type to indicate a suborganisation identifier defined by the payer. This identifier is also used to limit the visibility of data, as a specifier of an authorisation mandate.
The government agency identifier is used by government agencies and other government bodies. The government agency identifier does not limit the visibility of data.
Note that the employer’s separate report always applies to the entire company, even if you enter the suborganisation identifier of one or more payers in the notification.
For benefits, there is only one type of suborganisation identifier for payers.
Use the Payer’s own codes type to indicate a suborganisation identifier defined by the payer. This identifier is also used to limit the visibility of data, as a specifier of an authorisation mandate.
Customer ID
With the customer ID, for example, an accounting firm can limit features such as which customers each employee is able to see in the Incomes Register’s e-service.
When you add specific customer IDs to an employee’s mandate to represent, the employee will be able to manage the affairs of those customers. If this is not done, all employees who have been granted a mandate to represent will be able to view the data for all the accounting firm’s customers.
A customer grants an accounting firm the right to use the e-service on their behalf by granting the “Reporting earnings payment data” authorisation, for example.
The accounting firm grants a mandate to represent the company to an employee in the Suomi.fi e-Authorizations service. The customer ID is also added as a specifier to the mandate to represent.
The mandate to represent gives the employee the right to represent the accounting firm. This means that the employee will be able to use the authorisations granted by customer companies to the accounting firm to, for example, report the customers’ earnings payment data to the Incomes Register.
If the mandate to represent is not limited in any way, the employee will be able to view all data for the company’s current and future customers, and will be able to manage the affairs of all customers.
When the mandate to represent is limited with a customer ID, the employee will only be able to manage the affairs of that customer. It is possible to simultaneously add several customer IDs to a mandate to represent.
The customer ID is the Business ID in the case of companies and the personal identity code in the case of individuals.
The specifier is part of the authorisation granted to the employee. The specifier will be transferred to the Incomes Register with the authorisation when the employee logs in to the e-service.
When the accounting firm has granted a mandate to represent to an employee, including the required customer IDs as specifiers, the employee will be able to use the authorisations granted by the customer to manage the customer’s affairs in the Incomes Register’s e-service.
In the Suomi.fi e-Authorizations it is possible to add new customer IDs and delete unnecessary ones from a mandate to represent. A mandate to represent can also be used as a template for a new mandate.
