HiBob: Missing or Incorrect Employee Fields Due to Service User Permissions

HiBob service users have no data access permissions by default. When you create a service user and generate an API token in Bob, that token can authenticate successfully but will only return the fields the service user has been explicitly granted access to. Fields from restricted categories are silently omitted from API responses - no error is returned.

This means that if your HiBob service user is missing certain permission categories, the Apideck Unified API will return default/empty values for the affected fields. Common symptoms include:

• employment_status returning "other" for all employees (including active ones)

• gender returning "not_specified" for all employees

• phone_numbers returning an empty array

• addresses returning only the office/work location, with no home address

• employment_end_date, leaving_reason, and other lifecycle fields returning null

This guide covers which HiBob permission categories are required for each set of Unified API fields, and how to configure them.

1. In Bob, go to Settings > Service Users

2. Find the service user whose API token you're using with Apideck

3. Open the service user's Permission Group

4. Under People's Data, enable "View all employees' [Category] sections" for each required category (see section 3 below)

5. Save the permission changes, then re-authorize the connection in Apideck Vault so the updated permissions take effect. Once reconnected, make a new API call to verify the fields are now populated correctly.

The table below maps each HiBob permission category to the Unified API fields it unlocks.

Minimum required: Enable at least the Lifecycle category to resolve employment_status: "other". We recommend enabling all categories relevant to the fields your integration depends on.

Note on Personal Identification: HiBob requires both View and Edit permissions on this category to expose SSN and identification number fields via the API. This is a HiBob security requirement for sensitive data.

The Apideck HiBob connector calls POST /v1/people/search to list employees, and explicitly requests all standard field IDs in the request body - including internal.status, internal.terminationDate, and root.state, which are needed for employment_status. However, when the service user lacks the corresponding permission, HiBob silently excludes those fields from the response rather than returning an error.

Because the source fields are absent, the Unified API mapping falls through to its default value (e.g., "other" for employment_status, "not_specified" for gender).

This only affects the list employees operation. The get employee operation (GET /v1/people/{id}) has the same permission requirement - missing permissions will cause the same fields to be absent on individual employee responses too.

If you're unsure whether a missing field is a permissions issue, you can confirm by making a request with raw=true appended to your API call. This returns the raw downstream HiBob response alongside the unified response. If categories like internal, home, or address are null or absent in the raw response, the service user is missing the relevant permissions.

See the Raw Mode guide for details.

• HiBob: Categories and Permissions

• HiBob: API Service Users

• Apideck Raw Mode guide