I have done this exact thing before for HR forms.
You need an originating user field. If it is blank, then set it with the current user (new form scenario).
I usually put a version field in somewhere so I know how many times a form has been modified too (have it incremented on each submit).
Put in a rule on open that checks the originating user field. If it is not blank: does the current AD user name = originating user name? If not true, does the AD user name = manager user name? If yes, switch views to approver; if not, exit the form (security).
I had a table of manager/department relationships, but if you have AD implemented well and the "reports to" field complete, you can use that.
This security is not perfect, however, since someone could hack the form and bypass your open rule check.
You may want to look at the Database Accelerator Web Services Suite; it includes a full Active Directory web service too, and database enumeration to query any table. It then allows your forms to be stored and secured with SQL Server to provide much better security and control. This is critical for most enterprise solutions that deal with employee data. We also have mechanisms for approvals, workflows, text search, etc.
Qdabra Database Accelerator Suite Version 2.0 - Developer
Contact me and I could show you a demo if you would like.
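The open and submit rules described in the post, modelled in Python as an added example (this is not Qdabra's code and not InfoPath rule syntax). The REPORTS_TO table, the user names and the form fields are constructed stand-ins for an AD "reports to" lookup; `server_accept` is an assumption about how the same check would be re-run where the form is stored, which matters because the post notes the client-side open rule can be bypassed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the AD "reports to" relationship (user -> manager).
# Hypothetical names; a real deployment would query the directory.
REPORTS_TO = {
    "alice": "carol",
    "bob": "carol",
    "carol": "dave",
    "dave": None,
}


@dataclass
class Form:
    originating_user: str = ""   # blank on a brand-new form
    version: int = 0             # incremented on every submit
    fields: dict = field(default_factory=dict)


def manager_of(user: str) -> Optional[str]:
    """Look up who the user reports to (None when unknown or top of the tree)."""
    return REPORTS_TO.get(user)


def on_open(form: Form, current_user: str) -> Optional[str]:
    """Client-side open rule: return the view to switch to, or None to exit the form."""
    if form.originating_user == "":
        return "new"                     # new-form scenario: nobody owns it yet
    if current_user == form.originating_user:
        return "owner"                   # the person who filed the form
    if current_user == manager_of(form.originating_user):
        return "approver"                # the filer's manager gets the approver view
    return None                          # neither owner nor manager: exit (security)


def on_submit(form: Form, current_user: str) -> Form:
    """Client-side submit rule: stamp the originating user once, bump the version."""
    if form.originating_user == "":
        form.originating_user = current_user
    form.version += 1
    return form


def server_accept(stored: Optional[Form], submitted: Form, current_user: str) -> bool:
    """Server-side re-check of the same rules, run where the form is stored.

    The open rule runs inside the client and can be bypassed, so the store must
    not trust it: it re-derives who may submit and which fields may change.
    """
    if stored is None:
        # First submit: the originating user must be the authenticated submitter.
        return submitted.originating_user == current_user and submitted.version == 1
    if submitted.originating_user != stored.originating_user:
        return False                     # originating user is immutable after creation
    if submitted.version != stored.version + 1:
        return False                     # stale or replayed copy of the form
    allowed = {stored.originating_user, manager_of(stored.originating_user)}
    return current_user in allowed       # only the owner or their manager may submit


if __name__ == "__main__":
    # Walk-through: alice files a form, carol (her manager) approves, bob is refused.
    form = on_submit(Form(), "alice")
    print("carol opens as:", on_open(form, "carol"))          # approver
    print("bob opens as:", on_open(form, "bob"))              # None (exit form)
    stored = Form(form.originating_user, form.version)
    print("server accepts bob's tampered copy:",
          server_accept(stored, Form("alice", 2), "bob"))     # False
```

The client-side rules only choose a view; the point of `server_accept` is that the store applies the same ownership and version rules itself, so a form that was opened with the rule check disabled still cannot be saved under another user's name or with a forged version number.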