When the request contains a Login block, the endpoint links the employee to the normalized Login e-mail. In Default LinkMode, a clean employee with Login.Email and omitted or null Login.AccessLevel is treated as EmployeeAccess provisioning. If that Default-mode request resolves an existing Login and has no filled Login.Password, the Login must already have a valid role in this company or the endpoint returns Password_required_for_existing_login_without_client_context. Existing password-set Login credentials are verified, not overwritten; mismatches return Password_does_not_match_Login_exists. Creating a new employee Login without Login.Password provisions a password-not-set account that cannot authenticate until credential setup. LinkMode LinkBySharedClientContext skips password verification only for an existing Login that already has a valid role in this company; it does not create new Logins and rejects filled Login.Password values. Additional HTTP 400 error codes for LinkBySharedClientContext are Login_not_in_client_context, Login_not_found_for_link_mode, and Password_not_allowed_with_link_mode. If the employee is already linked to another Login than the request e-mail resolves to, Employee_already_linked_to_different_login is returned.
Access: System, Admin, and ClientAdmin users only.
The endpoint applies merge-patch style semantics by using PatchValueHelper so the server can distinguish omitted properties from explicit null values.
When payroll address validation suggests a corrected address, the endpoint responds with HTTP 400 and an AddressFix_v10 payload instead of applying the update.