Yep, pretty much, unless you want to build something unnecessarily complicated with scripting and/or workflows. Employee permissions and CSV import permissions are the bane of my existence as they are both huge security holes IMHO. The employee record actually somewhat less so. I think you'll be fine with changing the form and then adding some saved search alerting on top if you really want to belt-and-suspenders it, unless you've got some super special security considerations.