Lead Identity Engineer

About The Position

Requirements

• Minimum of 15 years of related experience with a Bachelor’s degree; or 12 years and a Master’s degree; or a PhD with 8 years experience; or equivalent experience.
• 7+ years of experience in Identity & Access Management / Identity Governance.
• Strong hands-on Saviynt experience, including advanced configuration and custom development.
• Proven expertise in SAP provisioning and access governance (ECC, S/4HANA, BW, SuccessFactors, or similar platforms).
• Ability to design and debug complex identity and GRC integrations across multiple platforms.
• Demonstrated experience with Saviynt GRC for SAP and/or SAP GRC Access Control, including: SoD rule design and administration, Risk analysis and mitigation, GRC-driven approval workflows.
• Strong understanding of SAP security concepts, including: Roles (single and composite), profiles, and authorization objects.

Nice To Haves

• Deep hands-on experience with Saviynt GRC and SAP GRC configuration and operations.
• Experience integrating Saviynt with ServiceNow for access requests and fulfillment.
• Strong scripting and development skills (e.g., REST APIs, PowerShell, Python, SQL).
• Experience with cloud identity ecosystems (Entra ID / Azure AD, Okta, Ping).
• Familiarity with SAP licensing considerations tied to roles and user types.
• Saviynt and/or SAP Security / SAP GRC certifications.

Responsibilities

• Serve as the technical lead for Saviynt implementations and enhancements, with a strong emphasis on SAP IAS and GRC integration use cases.
• Establish engineering standards for Saviynt configuration, custom development, testing, deployment, and operational support.
• Design, build, and maintain Saviynt functionality, including: Joiner/Mover/Leaver (JML) lifecycle automation, Access request workflows with dynamic, risk-aware approvals, Provisioning rules and event-driven logic, Birthright and policy-based access, Access certifications and recertification campaigns.
• Lead the design and implementation of automated SAP user and role provisioning using Saviynt.
• Build and maintain Enterprise Role and SAP access request catalogs aligned with role design and compliance policies.
• Ensure reliable deprovisioning and role cleanup to support least-privilege and audit requirements.
• Translate SAP security constructs into Saviynt models, including: Enterprise and composite roles, Profiles and authorization objects, User types and license-relevant attributes.
• Build and customize Saviynt connectors and integrations for SAP and SAP GRC, including: API and out-of-the-box connector integrations, File-based and event-driven provisioning patterns.
• Develop custom provisioning logic using Saviynt-supported scripting and rule frameworks to handle: Complex role assignment logic, Conditional access decisions, Exception handling and retries.
• Design and implement programmatic integrations between Saviynt and SAP GRC, supporting: Real-time or near-real-time risk evaluation, Automated mitigation controls, Closed-loop access request and fulfillment workflows.
• Troubleshoot complex cross-system issues involving Saviynt, SAP, SAP GRC, HR sources, and directories.
• Ensure high-quality identity data through robust correlation rules, attribute mappings, and validation logic.
• Design monitoring, logging, and alerting for provisioning and GRC workflows.
• Lead integrations with: Authoritative sources (HRIS), Directories (AD / Entra ID / LDAP), ITSM platforms (e.g., ServiceNow).
• Own technical delivery end to end, including requirements, design, build, testing, deployment, and steady-state operations.
• Act as the primary technical advisor for Saviynt IAM- and GRC-related initiatives.
• Mentor IAM engineers and administrators, and establish patterns and reusable components.
• Communicate effectively with Security Architecture, SAP Security/Basis, GRC, Compliance, and Internal Audit teams.