BreezeLeave
Back to blog
GuideMay 13, 2026·8 min read

External HR Scoped Access Guide

How to give an outsourced HR provider or regional coordinator HR-level access scoped to specific companies or countries, with audit, offboarding, and access review.

Share
External HR Scoped Access Guide preview

Your company outsources Croatia and Serbia payroll to a regional HR provider. The provider's coordinator needs HR-level access to those two countries: approvals, balance adjustments, sick-day documentation, and the country-scoped reports. She does not need to see Sweden, the German entity, or the group billing. The first version of access most companies give her is a shared admin login. The second version is the one that survives the next audit.

This article walks through configuring external HR access in BreezeLeave: what scope means in practice, how to name and assign the role, what to record in the audit log, and what to do on the day the contract ends. Written for HR admins and IT admins who provision third-party access.

What "scoped" means here

External HR access in BreezeLeave is not a different product surface. It is the standard HR role with a scope attached. The role inherits the HR permission set (manage employees, approve requests, adjust balances, access reports) but applies it only to employees who match the scope filter.

The supported scope dimensions:

  • Company. One or more legal entities the user is allowed to see.
  • Country. One or more countries; useful when an entity has employees in multiple jurisdictions.
  • Combination. Company plus country. "HR for the Croatia and Serbia operating countries of Entity X" is a valid scope.

Outside the scope, the user does not see the employee, the request, the balance, or the audit entry. The data is filtered server-side, not just in the UI. That distinction matters for GDPR data-minimization claims.

BreezeLeave roles page showing an external HR role scoped to two countries with audit log access
External HR role with country scope applied. The same HR permissions; a narrower data slice.

Who needs external HR access

Four situations cover almost every external HR setup we see.

  • Outsourced HR provider. A third-party firm handles all HR operations for one country or one entity. The provider's assigned coordinator needs HR access to that scope only.
  • Regional office coordinator. A local office manager handles approvals and balance questions for their office while doing their main job. HR-scoped access for their country, nothing more.
  • Franchise or branch HR. A franchisee runs their branch independently. They need HR access for their branch only and must not see other branches' data.
  • Compliance auditor with limited scope. An external auditor reviewing one country's leave records gets read-only HR-scoped access for the audit period, then is offboarded.

Each of these wants the same permission set with a different scope. The broader role-by-role view is in our role-based permissions matrix. For the multi-country setup that makes this scoping necessary, see the multi-country leave management use case.

Provisioning an external HR user, step by step

The configuration takes about five minutes on the BreezeLeave settings page. The discipline around naming and audit is what makes it survive.

  1. Use a real, named login. The provider's coordinator gets their own email-backed login. Do not share an "external-hr@" inbox across multiple individuals. The audit log only matters if it names a person.
  2. Create a custom role, not a one-off permission set. Build a custom role called "External HR: Croatia + Serbia." Reuse it if a second coordinator from the same provider joins later.
  3. Set scope first, then assign the role. Pick the companies and countries the user can see before turning the role on. Scopes attached after the fact are the most common access-review finding.
  4. Disable global views by default. Cross-country reports and group dashboards stay off for external roles. Only re- enable them if the contract explicitly requires it.
  5. Confirm audit log access matches scope. External HR should see audit entries for their scope, not the whole company. BreezeLeave applies the same filter automatically; verify on the audit page after assignment.
  6. Record the contract end date. Add it to the user record as a note or a calendar event. The offboarding step is the one most companies miss.

What external HR can and cannot do

The cleanest way to think about external HR is "regular HR, with the company-wide buttons removed." The table below is the matrix to share with the provider during onboarding so they know what to expect.

ActionWithin scopeOutside scope
Approve or reject a leave requestYesNo (request not visible)
Adjust an employee balanceYes, loggedNo
Run a country or entity reportYes, filtered to scopeNo
See group-wide dashboardsNo by defaultNo
Edit company-wide vacation policyNoNo
Manage users in other countriesN/ANo
Access billing and planNoNo

Share this matrix with the provider before the kickoff call. It saves the "why can't I see X" conversation that always comes up in week one.

Notifications: keeping external HR in the loop without leaks

External HR users should receive the same approval and reminder emails as internal HR, scoped to their data. The notification settings to confirm before the provider's first week:

  • Approval emails route to the external user only for requests in their scope. A pending request from a Swedish employee never lands in the Croatia/Serbia coordinator's inbox.
  • Weekly digests filter to in-scope employees only. The digest sent to the external coordinator shows pending requests, recent approvals, and balance changes for their countries only.
  • Sensitive emails (rule changes, billing) are not sent to external roles by default. If the provider needs to know about a rule change in their countries, deliver it as a separate communication.

Email content is auto-filtered to the same scope as the audit log. An external HR user sees only the variables and links relevant to their in-scope employees.

Audit log: the bit that matters at year-end

External HR actions show up in the audit log the same way internal HR actions do: actor, action, timestamp, affected employee, before-and- after values. The differences are subtle but important.

  • The actor name is the named external user, not a generic "External HR" label.
  • The role attached to the action is recorded at the time of the action. If the role is later modified, historical entries keep the old role label.
  • The scope at the time of action is recorded. A future scope change does not rewrite history.

Those three properties are what makes the audit log usable a year later when finance asks "who approved this adjustment in September." For the full audit-log behavior, see our piece on why audit logging matters for leave management.

Offboarding an external HR user

Offboarding is where access-review findings come from. The four-step sequence that holds up to an audit:

  1. Disable the login immediately on contract end. Do not wait for the next access review. The audit log will record the disable event.
  2. Keep the user record archived, not deleted. Audit entries reference the user by ID. Deleting the user breaks historical traceability.
  3. Reassign open requests to internal HR. Any pending requests still routed to the external user need a new approver before close.
  4. Run an offboarding access review. Confirm the archived user no longer appears in any scoped role assignment. Export the user list once the role is revoked.

The most common offboarding miss

Forgetting that the external HR user was the primary approver for one or two transferred employees. When the login is disabled, their requests escalate to nobody. Reassign primary approver before disabling the account, not after.

When external HR is not the right answer

External HR scoped access is useful but not universal. Three situations where a different model fits better.

The provider needs full group access

Some agreements give the provider responsibility for the whole company. That is a full HR or Admin role, not a scoped external role. Use the standard internal HR role with a named external user.

The user only needs read access

An external auditor or compliance reviewer often needs read-only access for a defined period. Build a "Read-only auditor" custom role scoped the same way. Strip the write permissions; keep the audit visibility.

The setup is permanent and growing

If the "external" team is now five people and growing, the provider relationship is in practice an in-house HR team. Convert them to internal HR users with the same scoping. The audit log treatment is identical; the licensing accounting may differ.

Bring external HR onboard cleanly

The point of external HR scoped access is that the provider can do their job (run leave for their countries) without seeing data they should not have. Done well, the configuration is invisible: requests get approved, balances stay accurate, and the audit log records who did what. Done badly (shared logins, no scope, no offboarding) it becomes the access-review finding that no team wants to read.

BreezeLeave supports per-entity and per-country scope on any role, including HR. The same matrix and audit-log behavior applies whether the user sits inside the company or with an outsourced provider. Control access with custom roles and use the steps above as the runbook for the next external user you provision.

Ready to simplify your vacation management?

Free for teams up to 10. Set up in 10 minutes.

Related articles

External HR Users: Managing Leave Across Country Offices
Guide5 min read

External HR Users: Managing Leave Across Country Offices

Role-Based Permissions Matrix for Leave Management
Guide9 min read

Role-Based Permissions Matrix for Leave Management

Why Audit Logging Matters for Leave Management
Guide5 min read

Why Audit Logging Matters for Leave Management