SAP Security Architect

High Cliff Partners Inc.

Montreal
Skills sought: Risk management, Regulatory compliance, Cybersecurity, +11 others

Job details

  • Work location: Montreal
  • Job type: Permanent, full-time

Job description

Our Toronto/Montreal-based client is seeking an experienced SAP Security Architect to join their team on a full-time permanent basis. The ideal candidate should have 8+ years of experience in application security, security architecture, or enterprise IT security, with at least 5 of those years focused specifically on SAP security architecture and IAM architecture in design or senior engineering roles. This individual should possess deep expertise across SAP security (roles/authorizations, S/4HANA, Fiori, GRC), Identity & Access Management (IAM), application security principles and SDLC, as well as cloud and hybrid architectures.

Key responsibilities

  • Architect access governance controls including User Access Reviews (UAR), Segregation of Duties (SoD), and Role-Based / Attribute-Based Access Control (RBAC / ABAC).
  • Define and maintain end-to-end security architecture for SAP (ECC, S/4HANA, BTP, Fiori, GRC) and non-SAP enterprise platforms (custom apps, SaaS, COTS).
  • Define and maintain the enterprise IAM architecture, roadmaps, and reference designs.
  • Lead IAM strategy aligned with Zero Trust, Identity-First Security, and cloud adoption.
  • Establish standards for authentication, authorization, identity lifecycle, and privileged access.
  • Embed security-by-design principles into application development, integrations, and system landscapes.
  • Review solution designs and provide security architecture sign-off.
  • Design robust SAP security models including roles, authorizations, and SoD controls.
  • Define SAP user lifecycle, privileged access, and logging/monitoring standards.
  • Advise on SAP GRC, access controls, emergency access (Firefighter), and compliance configuration.
  • Support SAP transformations (S/4HANA, cloud, RISE, hybrid landscapes).
  • Architect security controls for non-SAP applications, APIs, middleware, and cloud services (IaaS, PaaS, SaaS).
  • Define standards for authentication, authorization, encryption, secrets management, and secure integrations.
  • Support IAM, SSO, MFA, and directory integrations (e.g., Entra ID, LDAP).
  • Design Joiner-Mover-Leaver (JML) processes and automated provisioning/deprovisioning.
  • Integrate IAM with HR, ITSM, and GRC platforms.
  • Architect secure authentication mechanisms (MFA, passwordless, conditional access).
  • Design federation and SSO integrations (SAML, OAuth 2.0, OIDC).
  • Support B2E, B2B, and B2C identity scenarios where required.
  • Design PAM architecture for administrative, service, and privileged user accounts.
  • Enforce least privilege, session monitoring, credential vaulting, and just-in-time access.
  • Integrate PAM controls across infrastructure, applications, and cloud platforms.
  • Design IAM controls for cloud platforms (Azure / AWS / GCP).
  • Integrate IAM with enterprise applications (e.g., SAP, ERP, SaaS platforms).
  • Ensure secure API and service identity design.
  • Align application security architecture with enterprise security frameworks and policies.
  • Support regulatory and audit requirements (e.g., SOX, GDPR, ISO 27001).
  • Perform threat modeling, security risk assessments, and control gap analysis.
  • Define security standards, patterns, and reference architectures.
  • Partner with application owners, developers, infrastructure, and cloud teams.
  • Act as a security SME for projects, incidents, and design reviews.
  • Contribute to security roadmap planning and technology selection.

Requirements

  • Must be legally authorized to work in Canada.