Changelog
Become a partner
Back to All
Improved

Employee Tables API: Detect restricted columns in responses

2 days ago

To align with HiBob’s new Field Level Permissions (FLP) feature (currently in beta), the Employee Tables Public API now supports returning partial results when access to specific columns is restricted.

When this happens, endpoints may return null values for restricted columns. To make this explicit, we added response metadata + a lightweight response header to help you detect restricted columns and alert on missing permissions.

What changed

  1. New response header: X-Has-Restricted-Columns

    GET endpoints now return: X-Has-Restricted-Columns: true when at least one column in the response was restricted.

  2. New response field: restricted_columns

    Employee table response schemas now optionally include a restricted_columns object, which lists the columns that were restricted due to missing field level permission. The permission can be view or view history.

    Example:

{
	"values": [...],
	"restricted_columns": {
		"no_view_permission": ["salaryPayType", "fte"],
		"no_view_history_permission": ["department"]
	}
}

When you’ll see this

The new restricted_columns field and X-Has-Restricted-Columns header are returned only when:

  • FLP is enabled for the company (currently this feature is in beta and not publicly available) and
  • at least one column in the response is restricted for the service user.

If FLP is disabled, or if there are no restrictions, responses remain unchanged (no restricted_columns, no header).

Why this matters

This change helps API consumers:

  • Distinguish between missing data vs. restricted data
  • Understand which columns are blocked (and why)
  • Set up monitoring/alerts when integrations are missing permissions
  • Request the correct permissions from admins

Backward compatibility

This is an additive and backward-compatible change:

  • Existing integrations won’t break.
  • Integrations that want to detect partial results due to field level permissions can start checking restricted_columns and/or X-Has-Restricted-Columns.

To learn more, see Detecting restricted columns in API responses.