I would just use user roles for it: employee, manager and HR. Then entity access can be set based on these roles. And you probably still need some organisational or project entity to attach employees, managers and HR to. This way you can set the XPath so that a manager can only see employees that belong to the same entity that he or she is attached to.
Regards,
Ronald