Specialist Identity & Access Management - SAP Security and Controls

Specialist Identity Access Management - SAP Security and Controls At CN, everyday brings new and exciting challenges. You can expect an interesting environment where you’re part of making sure our business is running optimally and safely―helping keep the economy on track. We provide the kind of paid training and opportunities that long-term careers are built on and we recognize hard workers who strive to make a difference. You will be able to thrive in our close-knit, safety-focused culture working together as ONE TEAM. The careers we offer are meaningful because the work we do matters. Join us! Job Summary This role requires a highly motivated IAM specialist with strong expertise in Saviynt and SAP Access Security. The Specialist will contribute across two primary domains: access automation through system integrations and role-based access control (RBAC) design, build, and validation. Successful execution of this role requires close collaboration with business, project, and IT teams to deliver secure, compliant, and scalable access solutions. This is an individual contributor role focused on ensuring the effectiveness, accuracy, and sustainability of access management automation and RBAC capabilities. The Specialist acts as a trusted subject matter expert, leading hands-on design and execution activities, validating outcomes, supporting project delivery, and actively sharing knowledge with project and operational teams. Main Responsibilities Access Automation Integrations o Serve as a trusted authority on Saviynt IGA functionality, configuration, and enterprise integrations, providing guidance to technical and business stakeholders. o Design and monitor high ‑ quality integrations between Saviynt and systems including ServiceNow, Active Directory, SaaS and PaaS applications, and on ‑ premise target systems. o Configure, maintain, and enhance identity integrations between SaaS/PaaS applications and SAP Cloud Identity Services, ensuring secure and reliable data flows. o Oversee execution and be a subject matter expert for the following, o Identity personas and identity-related data across connected systems (create, update, decommission) o Integrations with Active Directory, enterprise portals, RPA solutions, MFA, and SSO platforms o Onboarding and integration of new target systems (cloud and on‑prem), to ensure integration patterns are secure, scalable, and compliant o S upport user lifecycle management processes, including joiner, mover, and leaver (JML) workflows and automation. o Saviynt Risk and Compliance capabilities, including Segregation of Duties (SoD) analysis, Critical Action monitoring, access certifications, and audit evidence generation. o Direct and participate in unit testing, and support end-to-end functional validation of integrations and automation workflows. SAP Access Security o Design, build, unit test, and deploy SAP roles, translating functional business requirements into security technical role designs. o Demonstrate comprehensive knowledge of various SAP security role types and authorization concepts. o Possess hands-on experience with SAP Fiori Spaces and Pages. o Utilize SAP Change Request Management (ChaRM) to manage security transports across SAP landscapes. o Support security role design, modification, and lifecycle maintenance across multiple SAP platforms, modules, and SaaS and PaaS applications, including: o SAP Analytics Cloud o SAP Business Technology Platform (BTP) o SAP Cloud ALM o SAP Cloud Identity Services o SAP Datasphere o SAP Enable Now o SAP HANA Databases o SAP Integrated Business Planning (IBP) o SAP Signavio o Vertex o Demonstrate a strong understanding user provisioning process in multiple SAP platforms and SaaS and PaaS applications, perform manual user provisioning steps when automated solutions are unavailable. o Ensure SAP roles are free of unmitigated segregation of duties conflicts or critical action risks and align with least-privilege principle. o Troubleshoot access issues, analyze authorization failures, and resolve security conflicts. o Provide application security support for both on-premises SAP environments and SAP RISE solutions. o Participate in testing cycles to validate access changes, role updates, and remediation activities. o Possess hands-on experience with SAP Cloud Identity Services, including user authentication and user provisioning for SaaS and PaaS applications. Communications, Collaboration and Support o Collaborate closely with technical, functional, data, risk, and control teams across SAP and IAM initiatives. o Communicate effectively with both technical and non‑technical stakeholders, clearly explaining security concepts, design decisions, and recommendations. o Manage incoming requirements, competing priorities, and deadlines using strong organizational and planning skills. o Provide regular status updates, identify risks and roadblocks, and propose mitigation strategies. o Support end‑user acceptance testing (UAT) and regression testing activities. o Maintain current process documentation, control narratives, and audit evidence for assigned IAM controls. o Contribute to the continuous improvement of IAM compliance procedures, templates, validation checklists, and operational standards. o Promote knowledge sharing within the IAM team to strengthen audit readiness and control maturity. Working Conditions The role operates under standard office working conditions, with a regular 8 hour day (8.30am – 5pm EST), and workweek from Monday to Friday. Due to the nature of the responsibilities, the incumbent must be able to meet tight deadlines, manage competing priorities, engage with multiple stakeholders and leaders, and work effectively under pressure. Minimal travel may be required (up to 10%) within Canada. Holidays follow Quebec statutory standards. Requirements Experience o Minimum 5 - 7 years of experience in Identity Access Management, Application Security, IAM Integrations and SAP Cloud Identity Services o Minimum 5 years of experience in SAP Application role design o Experience with SAP Migrations (Greenfield and Brownfield) as well as RISE Migrations a plus Education/Certification/Designation o Bachelor’s Degree in Computer Science, Information Systems, or an equivalent combination of education and relevant work experience. Competencies o Adapt to evolving requirements and unexpected challenges within a fast‑paced SAP program environment. o Communicates with impact across diverse audiences. o Demonstrates accountability and ownership for deliverables. o Exercises sound judgment in identifying, managing, and escalating risks. o Results‑oriented, with a strong focus on quality and timely delivery. o Ability to manage multiple concurrent assignments of moderate complexity. o Strong problem‑solving skills, applying ingenuity and creativity. o Detail‑oriented with a strong quality mindset. o Produces clear, concise documentation tailored to various audiences. o Strong time management, prioritization, and organizational skills. o Able to think and act decisively under pressure. o Works effectively with limited supervision while demonstrating a sense of urgency. o Capable of resolving complex security issues through research and technical investigation. o Demonstrates strong teamwork and collaboration skills, adapting communication style as needed. Technical Skills/Knowledge o Application security knowledge across SAP ABAP and Fiori, SAP Cloud Applications, SAP Cloud Identity Services, SAP HANA, and SAP RISE environments. Strong functional and integration knowledge of Saviynt. o Integration experience with ServiceNow, Active Directory, enterprise portals, RPA solutions, MFA, and SSO platforms o Experience integrating SAP systems with third‑party applications. o Solid understanding of SOX requirements, ITGC frameworks, and audit methodologies related to access management. o Knowledge of IAM processes, including user lifecycle management, provisioning, deprovisioning, and recertification. o Familiarity with IAM tools, enterprise systems, and access governance principles. o Strong analytical skills to identify, assess, and mitigate security risks. About CN CN is a world-class transportation leader and trade-enabler. Essential to the economy, to the customers, and to the communities it serves, CN safely transports more than 300 million tons of natural resources, manufactured products, and finished goods throughout North America every year. As the only railroad connecting Canada’s Eastern and Western coasts with the Southern tip of the U.S. through a 19,500 mile rail network, CN and its affiliates have been contributing to community prosperity and sustainable trade since 1919. CN is committed to programs supporting social responsibility and environmental stewardship. At CN, we work as ONE TEAM, focused on safety, sustainability and our customers, providing operational and supply chain excellence to deliver results.