Manager portal: what a manager can see about employees (and shouldn't)
The manager portal deserves its own review
In many HRIS products, a manager's scope is defined by a simple rule: "employees on my team". That rule is often enforced in the UI, not in the database.
For more — see our payroll software security review.
Typical mistakes
The employee list is filtered by manager_id, but nothing stops the caller from changing that filter: the value comes from the request rather than from the authenticated session, so the scope is whatever the client asks for.
The test that surfaces it
Log in as a manager and request an employee outside your team directly through the API, either by ID or by editing the manager_id filter the UI sends. If the request succeeds, the rule lives in the wrong place: the UI is hiding data the backend is still willing to return.
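The check above, as an added example (not code from the article or from any HRIS product): a hypothetical in-memory employee store with two handler variants. The vulnerable versions take the manager scope from the query string and look employees up by ID with no ownership check; the hardened versions derive the scope from the authenticated session only. `probe()` runs the test described in the text: log in as manager 10 and try to read an employee who reports to manager 20. All names, IDs and function names are constructed for the example.

```python
"""Added example: manager-scope enforcement in the filter layer vs. the data layer.
Hypothetical in-memory HRIS; sample data is constructed, not real."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    id: int
    name: str
    manager_id: int


# Constructed sample data: two managers (10 and 20), three employees.
EMPLOYEES = {
    1: Employee(1, "Ada", manager_id=10),
    2: Employee(2, "Ben", manager_id=10),
    3: Employee(3, "Cleo", manager_id=20),
}


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller is out of scope."""


def list_employees_vulnerable(session_user_id: int, query: dict) -> list[Employee]:
    """Typical mistake: the UI sends ?manager_id=<me> and the API trusts it.
    Editing the parameter edits the scope."""
    manager_id = int(query.get("manager_id", session_user_id))
    return [e for e in EMPLOYEES.values() if e.manager_id == manager_id]


def list_employees_hardened(session_user_id: int, query: dict) -> list[Employee]:
    """The scope comes from the authenticated session only; any manager_id
    in the query string is ignored, so it cannot widen the result set."""
    return [e for e in EMPLOYEES.values() if e.manager_id == session_user_id]


def get_employee_vulnerable(session_user_id: int, employee_id: int) -> Employee:
    """Direct object reference: any authenticated manager can read any ID."""
    return EMPLOYEES[employee_id]


def get_employee_hardened(session_user_id: int, employee_id: int) -> Employee:
    """Ownership is checked against the record itself, not against a filter."""
    emp = EMPLOYEES.get(employee_id)
    # Same response for "not found" and "not yours", so IDs cannot be enumerated.
    if emp is None or emp.manager_id != session_user_id:
        raise Forbidden("employee not in your team")
    return emp


def probe(list_fn, get_fn, attacker_manager_id: int = 10,
          target_employee_id: int = 3, target_manager_id: int = 20) -> dict:
    """The test from the article: as manager 10, try to read Cleo (manager 20)
    both by tampering with the list filter and by requesting her ID directly."""
    tampered = list_fn(attacker_manager_id, {"manager_id": str(target_manager_id)})
    leaked_by_filter = any(e.id == target_employee_id for e in tampered)
    try:
        get_fn(attacker_manager_id, target_employee_id)
        leaked_by_id = True
    except Forbidden:
        leaked_by_id = False
    return {"leaked_by_filter": leaked_by_filter, "leaked_by_id": leaked_by_id}


if __name__ == "__main__":
    print("vulnerable:", probe(list_employees_vulnerable, get_employee_vulnerable))
    print("hardened:  ", probe(list_employees_hardened, get_employee_hardened))
```

The same split shows up in SQL: `WHERE manager_id = :manager_id_from_request` is the vulnerable shape, `WHERE manager_id = :session_user_id` the hardened one. The hardened single-record lookup matters as much as the list filter, since a manager who cannot change the filter can still guess an employee ID.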
For HR & Payroll vendors
CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.
Go further
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Multi-tenant HRIS: verifying that one client can't see another's data
Multi-tenant isolation bugs are the most expensive class in an HRIS. Three quick tests before a client security review.
DPAE data leak: where the risks actually are
DPAE-related flows touch sensitive data and are often treated as plain operations, even though they also create access and traceability risk.
Employee portal and RLS: what really breaks separation
Even with RLS enabled, an employee portal can still expose too much if the business rules behind it stay incomplete.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.