Back to blog
HR Techmanager portalauthorization

Manager portal: what a manager can see about employees (and shouldn't)

Published on 2026-04-164 min readCleanIssue

> TL;DR: Manager portals are often too permissive by default. Three access bugs to fix before a client audit.

What HR data should managers never have access to?

The manager portal deserves its own review

In many HRIS products, a manager's scope is defined by a simple rule: "employees on my team". That rule is often enforced in the UI, not in the database.

For more — see our payroll software security review.

Typical mistakes

  • a manager still sees employees from old teams after a move;
  • a team manager sees data that should be HR-only (salary, sick leave);
  • the API allows filtering by manager_id but doesn't prevent changing the filter.
  • The test that surfaces it

    Log in as a manager, try to read an employee outside your team via the API. If it works, the rule is in the wrong place.

    For HR & Payroll vendors

    CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.

    Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-16

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit