Senior SAP GRC & IAG Consultant, Remote (10+ Yrs Required)

Remote, IN, India

Job Description

Position : Senior SAP GRC & IAG Consultant

Remote Role.

Must be able to work in USA EST hours

Job Summary:

Senior SAP GRC & IAG Consultant with strong technical proficiency in designing and deploying access governance frameworks across SAP S/4HANA and a suite of SAP Cloud applications. The candidate must have hands-on experience with SAP GRC Access Control, SAP IAG, SAP Identity Authentication Service (IAS), Identity Provisioning Service (IPS), and integration of GRC with Solution Manager CHARM and Jira.

This role is responsible for building scalable, audit-compliant access models in hybrid cloud landscapes spanning SAP BTP, IBP, SAC, Ariba, Concur, and DSP.

Technical Responsibilities:

GRC Access Control & Compliance Automation

Design and implement SAP GRC AC 12.0 modules:

Access Request Management (ARM):

o Configure multi-stage request workflows, mitigation paths, and agent rules.

Access Risk Analysis (ARA):

o Build custom SoD risk rules, simulate risks across systems (via RFC and IAG bridge), and automate preventive risk detection.

Emergency Access Management (EAM):

o Deploy firefighter IDs across landscapes with real-time logging and automated review workflows.

Business Role Management (BRM):

o Define role derivation strategies, composite roles, and role approval hierarchies.

SAP GRC Process Control

Design and implement SAP GRC Process Control 12.0 to automate control testing, support regulatory compliance, and enable centralized control governance across enterprise business processes.

Continuous Control Monitoring (CCM):

o Develop technical rules using BRF+ and configure automated control tests from SAP and non-SAP data sources (e.g., BKPF, BSEG, EKKO).

o Schedule real-time or periodic monitoring jobs and link monitoring results to control assessments. Trigger automated issue logs upon control failures with follow-up remediation workflows.

Control Self-Assessment (CSA):

o Design CSA campaigns using predefined questionnaires linked to internal controls.

o Automate evidence collection and control owner attestations. Integrate results with compliance dashboards and audit follow-up cycles.

Control Documentation & Repository:

o Maintain a centralized control repository with versioning, policy linkage, and control classification (automated/manual/key).

o Associate controls with relevant regulations (e.g., SOX 404, GxP, FDA, ITGC).

Workflow & Assessment Automation:

o Configure multi-step assessment workflows involving control performers, testers, reviewers, and compliance leads. Enable role-based task assignments and SLA tracking for assessment completion.

Issue Management:

o Automate issue creation for failed tests, surveys, or control assessments. Configure root cause fields, impact analysis, corrective action plans, and escalation routes.

SAP Risk Management

Implement SAP Risk Management 12.0 to enable proactive identification, assessment, monitoring, and mitigation of enterprise risks across business and IT domains.

Risk Identification & Documentation:

o Configure a centralized risk repository with risk categories, descriptions, causes, and impacts. Map risks to business objectives, organizational units, and business processes.

Risk Assessment Framework:

o Define custom risk assessment scales (e.g., likelihood, impact, velocity) and scoring models.

o Enable periodic or real-time assessments using configurable methodologies (qualitative/quantitative). Visualize risk trends using heatmaps, risk matrices, and dashboards.

Mitigation Planning & Risk Response:

o Document mitigation plans and assign risk response strategies (avoid, accept, mitigate, transfer). Link mitigation plans to internal controls in Process Control for automated effectiveness tracking.

Risk Workflow Management:

o Automate risk review, approval, and reassessment workflows based on role hierarchy. Route risk events to appropriate owners, compliance teams, and executive reviewers.

Integration with GRC Access Control & Process Control:

o Link risks to controls in Process Control to monitor control effectiveness.

o Map access-based risks (e.g., SoD violations) from GRC ARA directly to enterprise risk profiles.

SAP IAG (Identity Access Governance)

Deploy SAP IAG as a central governance layer for SAP Cloud apps. Enable risk analysis, access requests, and role lifecycle management for:

o SAP Ariba (Operational Procurement, Sourcing, Supplier Management)

o SAP Concur (Travel & Expense)

o SAP Integrated Business Planning (IBP)

o SAP Analytics Cloud (SAC) - including Workspace and Model-level access

o SAP BTP - including subaccount role collections, entitlements, and destinations

o DSP (Data Services Platform) - for sensitive data controls and admin roles.

IAS / IPS Integration

Configure SAP IAS for SSO and identity federation with Azure AD/Okta.

Set up IPS connectors for automated provisioning/de-provisioning between:

o IAS, IAG, Cloud Applications

o Workday/Okta, IPS, GRC, Target Systems

Map corporate identity attributes to application-specific roles and user types.

SAP Security Architecture (Hybrid & On-Prem)

Design role architecture compatible with Fiori Launchpad, OData services, and SAP Gateway.

Implement S/4HANA authorization concepts for key modules (FI/CO/MM/SD/PP/QM/PM).

Secure SAP BTP with entitlements, role collections, and XSUAA integration.

Maintain connector configuration (SM59), GRC plug-ins, and AC landscape sync.

Integration with CHARM and Jira

Integrate SAP GRC Access Control with SAP Solution Manager CHARM for automated risk checks and change control traceability.

Configure GRC risk analysis as part of transport request approval flow.

Implement bi-directional integration with Jira Service Desk using REST APIs or middleware for ticketing and approvals tied to ARM workflows.

Required Technical Skills:

Deep expertise in SAP GRC Access Control 12.0 and SAP IAG

Strong understanding of IAS/IPS architecture, SCIM-based provisioning, and SAML2 SSO

Experience securing and provisioning users in:

o SAP Ariba (Buyer Network & Sourcing)

o SAP Concur (Audit/Expense Approver roles)

o SAP BTP (Subaccounts, Role Collections, Entitlements)

o SAP IBP (Excel UI & Web UI authorization objects)

o SAP SAC (BI roles, content security)

o SAP Datasphere

Understanding of authorizations in S/4HANA (Fiori apps, CDS views, analytical privileges)

Strong skills in SoD risk rule building (custom functions, action/object level), mitigation controls, and audit reports

Experience with LDAP, Azure AD, or Okta integration

Familiarity with SAP IDM or Workday for user lifecycle management

Experience with Control Self-Assessment (CSA) frameworks and GRC Process Control

Compliance Knowledge:

SOX, GDPR, GxP, FDA, ITAR

External audit remediation, user attestation campaigns, control testing automation

Deliverables May Include:

GRC/IAG configuration documents and process flows

SoD risk matrix and mitigation library

IAG connector and IPS provisioning map

CHARM-GRC integration framework

Role design templates and BRM libraries

CSA workshop templates and access review procedures

Job Type: Contractual / Temporary

Experience:

GRC: 4 years (Required)
Work Location: Remote



Job Detail

  • Job Id
    JD3982986
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    Remote, IN, India
  • Education
    Not mentioned
  • Experience
    Year