Identity and Access Management Specialist
Sandton, GT, ZA, 2191

The IAM Specialist is responsible for the end‑to‑end identity and access management function across AECI’s Microsoft 365 E5 and SAP-centric environment. This role ensures that the right people have the right access to the right systems at the right time, aligned to business needs, risk appetite, and regulatory obligations. The position drives secure authentication (including single sign‑on, multi‑factor authentication and Conditional Access), robust identity lifecycle processes (joiner/mover/leaver), and strong access governance (reviews, certifications and segregation of duties). The role partners closely with HR, IT, Information Security, internal audit, business application owners, and external vendors to maintain control effectiveness and enable secure digital transformation.
Roles and Responsibilities:
Identity Lifecycle Management (Joiner / Mover / Leaver)
- Own and continuously improve identity lifecycle processes across AECI (joiner, mover, leaver, role changes, terminations and contractors).
- Ensure timely provisioning, modification and de‑provisioning of access based on approved requests and role changes.
- Work with HR and line management to ensure accurate source data, trigger events and approvals for lifecycle actions.
- Define and maintain identity data standards (unique identifiers, attributes, account naming conventions, joiner triggers, termination timelines).
- Monitor and resolve lifecycle exceptions (late removals, orphan accounts, shared accounts, inactive accounts, duplicate identities).
- Contribute to automation opportunities (workflow improvements, reduced manual interventions, improved auditability).
Authentication & Access Management (SSO, Federation, MFA, Conditional Access)
- Design, implement and maintain secure authentication patterns across business applications using Microsoft Entra ID as the corporate Identity Provider (IdP).
- Configure and support Single Sign‑On (SSO) and federation (SAML/OIDC/OAuth where applicable), ensuring consistent user experience and secure access.
- Implement and maintain Multi‑Factor Authentication and Conditional Access policies in Microsoft Entra ID, aligned to risk and business requirements.
- Define access methods for internal and external users (e.g., B2B collaboration), including secure onboarding, policy enforcement and periodic review.
- Ensure authentication controls meet business continuity needs (break-glass accounts, emergency access, resilient sign-in processes).
SAP IAS & Application Integrations (SAP ECC → S/4HANA, Syspro, SaaS & On‑Prem)
- Manage and optimise the integration pattern where SAP IAS acts as a proxy IdP for SAP applications while centralising authentication/MFA/Conditional Access in Microsoft Entra ID.
- Maintain and troubleshoot trust configurations, federation flows and authentication paths between Entra ID, SAP IAS and SAP applications.
- Partner with application owners to onboard new SaaS and on‑prem applications into Entra ID for SSO, access controls and governance.
- Support application access design for key platforms (e.g., SAP ECC, planned SAP S/4HANA, Syspro and other critical systems) with clear security and operational standards.
- Develop integration runbooks and ensure stable operations through monitoring, logging and incident response support.
Role Design, RBAC & Entitlement Management
- Define and maintain role-based access control (RBAC) principles and standard role catalogues across business systems.
- Build and maintain entitlement models (business roles, technical roles, privileged access roles) including role descriptions and access boundaries.
- Ensure role assignment processes are controlled, approved, and aligned to job functions and segregation of duties requirements.
- Reduce excessive access by driving least privilege and standardised role adoption.
- Support privileged access practices (admin roles, elevation, governance of privileged entitlements) in line with AECI standards.
Access Reviews, Certifications & Remediation
- Plan and execute periodic user access reviews across critical systems and privileged roles (including Microsoft, SAP and key business applications).
- Coordinate manager and application owner recertifications, track completion, and escalate overdue actions appropriately.
- Analyse review outcomes, drive remediation of exceptions, and ensure evidence is complete and audit-ready.
- Provide metrics and reporting on review coverage, completion rates, exceptions, and remediation timelines.
Segregation of Duties (SoD) – SAP Focus
- Maintain SoD principles, rulesets and monitoring practices, particularly for SAP ECC environments.
- Identify, assess and remediate SoD conflicts in collaboration with business owners, finance, IT and SAP support partners.
- Support the design of roles and access assignments to prevent SoD conflicts by design (rather than detective-only controls).
- Produce SoD risk and exception reporting, including compensating controls documentation and follow-up actions.
Compliance, Audit & IAM Governance
- Support internal and external audits by providing IAM control evidence, access reports, review artefacts, and configuration documentation.
- Maintain IAM policies, standards, procedures and operating runbooks (including identity lifecycle, access control, privileged access and review processes).
- Contribute to continuous control improvement and risk reduction through control testing, gap assessments and remediation planning.
- Ensure IAM practices support relevant legal/regulatory and governance requirements applicable to a large South African enterprise.
Stakeholder Collaboration & Service Enablement
- Act as the IAM subject matter expert for business initiatives, projects and system changes, ensuring secure-by-design access patterns.
- Partner with HR, IT operations, service desk, application owners and vendors to ensure efficient request handling and high-quality outcomes.
- Provide operational support for IAM incidents, access issues, and root-cause analysis, including prevention of recurring problems.
- Deliver user and stakeholder guidance, training and clear communications on IAM processes, responsibilities and expectations.
Qualifications and Experience
- Relevant tertiary qualification in Information Systems, Computer Science, IT, Cybersecurity, or equivalent experience.
- 5–8+ years in identity and access management, security administration, or related enterprise IT roles, with demonstrable end‑to‑end IAM ownership.
- Proven experience implementing and operating IAM controls in a regulated or complex enterprise environment.
- Hands-on experience with Microsoft Entra ID (Azure AD) including SSO/federation, Conditional Access and MFA.
- Experience integrating enterprise applications with an IdP (SAML/OIDC), ideally in environments spanning cloud and on‑prem systems.
- SAP security/IAM exposure (SAP ECC essential; SAP S/4HANA advantageous), including role concepts and access control design.
- Demonstrated experience with access reviews, certifications, remediation tracking and audit evidence management.
Advantageous certifications (one or more):
- Microsoft: SC‑300 (Identity and Access Administrator) and/or other relevant Microsoft security certifications.
- IAM/Security: CIAM/IAM-related credentials (e.g., identity governance, access management), Security+ / equivalent, or vendor-neutral governance certifications.
- SAP: SAP security/authorisations training or certifications (authorisation concept, role design, GRC/SoD exposure).
Technical Skills
Core IAM / Microsoft Stack
- Microsoft Entra ID / Azure AD: tenant administration, enterprise applications, SSO, federation, MFA, Conditional Access, identity protection concepts, external identities (B2B).
- Microsoft 365 E5 security/IAM capabilities relevant to identity and access governance (e.g., identity-related security controls, monitoring, reporting and secure access practices).
- Authentication protocols and concepts: SAML 2.0, OAuth 2.0, OpenID Connect, SCIM (where applicable), certificate management basics, claims-based access.
SAP & SoD
- SAP ECC security and authorisations concepts (roles, profiles, transactions/authorisations), access provisioning approaches, user administration principles.
- Exposure to SAP S/4HANA security concepts and migration considerations (advantageous).
- SAP IAS (or equivalent proxy IdP) integration patterns with corporate IdP (Entra ID), including federation configuration and troubleshooting.
- Segregation of Duties concepts and practical application in SAP; familiarity with SoD tooling and rulesets (e.g., SAP GRC or equivalent), conflict identification and remediation methods.
Operational & Governance Capability
- Access review tooling/process design, evidence capture, metrics and reporting.
- Troubleshooting and incident handling related to authentication, SSO failures, MFA challenges, Conditional Access, and access provisioning issues.
- Documentation discipline: procedures, role catalogues, control narratives, runbooks and audit packs.
Key Competencies
- Strong stakeholder engagement.
- Clear communicator (written and verbal) with the ability to explain technical concepts in plain language.
- High attention to detail and commitment to accurate records, approvals and audit-ready evidence.
- Analytical and structured problem-solving approach; comfortable troubleshooting complex identity and SSO issues.
- Strong sense of accountability and confidentiality when dealing with sensitive access and identity information.
- Ability to prioritise and deliver under pressure while balancing operational support with control improvements.
- Collaborative mindset with the ability to influence without authority in a matrix environment.
AECI respects your right to privacy. Please review our privacy policy at https://investor.aeciworld.com/governance.