IT Engineer (IAM) SaaS & Fine-Grained RBAC

5 years

0 Lacs

Posted: 1 day ago | Platform: LinkedIn

Work Mode: On-site

Job Type: Full Time

Job Description

Location:

Function:

Why this role matters

We’re working on a secure, multi-tenant SaaS platform and need a hands-on IAM engineer to own the end-to-end identity lifecycle and authorization model—down to table/row/column-level policies. You’ll standardize Joiner-Mover-Leaver (JML) workflows, lead least-privilege RBAC across the product and business apps, and automate everything you can.

What you’ll do
  • Own the IAM lifecycle: Design, develop, and standardize identity lifecycle workflows for employee and service accounts (JML, break-glass, access reviews).
  • Automate provisioning: Configure and maintain automated workflows for provisioning, de-provisioning, and access changes using IdP workflows and APIs to eliminate manual effort and reduce MTTR.
  • Integrate the stack: Complete and maintain key IdP integrations (varying complexity) with business apps and internal services using SCIM 2.0 and OIDC/SAML.
  • Drive least-privilege: Lead the organization-wide RBAC initiative so access maps to job function and need; partner with stakeholders to set/enforce policy.
  • Engineer data-layer RBAC: Design and enforce fine-grained authorization at the schema/table/column/row level (e.g., Postgres RLS, column masking) using attributes like organization, region, and role.
  • Harden the platform: Implement policy-as-code (e.g., OPA/Rego), secrets management, and auditable change controls (GitOps) for IAM.
  • Document everything: Keep clear runbooks, diagrams, and standards for core applications, policies, and processes.
  • Operate & respond: Triage and resolve identity incidents and escalations; drive root-cause and prevention.
  • Governance & culture: Establish IAM policies and guardrails that foster a least-privilege culture across engineering, IT, and business teams.
You may be a great fit if you
  • Bring 5+ years in fast-paced SaaS environments focused on Identity & Access Management (Okta strongly preferred).
  • Have subject-matter expertise in IdP implementation, JML automation, and integrating SaaS apps using APIs, SCIM, OIDC/SAML.
  • Have led or played a key role in large-scale access-controls/RBAC deployments with cross-functional change management.
  • Partner smoothly with stakeholders to synthesize and present solutions that improve business efficiency.
  • Work autonomously with methodical planning, visibility, and crisp execution.
  • Embrace feedback and a growth mindset; stay current on identity, security, and privacy best practices.
Core skills we value
  • Identity: Okta (or similar IdP), Okta Workflows, Lifecycle/JML, adaptive MFA, SCIM directories, groups & claims mapping.
  • AuthZ (product & data): RBAC/ABAC design; PostgreSQL GRANTs & Row-Level Security; column masking/tokenization; Snowflake/Trino/ClickHouse RBAC a plus.
  • Automation: Scripting (Python/Go/Bash), Terraform (incl. Okta/AWS providers), CI/CD, GitOps for policy changes.
  • APIs & Integrations: REST/JSON, webhooks, SCIM servers/clients, service account patterns, secrets (Vault/KMS).
  • Observability & Audit: SIEM (Datadog/Splunk/ELK), identity audit logs, access reviews, SoD checks.
  • Compliance mindset: SOC 2 / ISO 27001, data-privacy basics (GDPR/DPF), least-privilege by default.
Nice to have
  • Experience with multi-tenant SaaS isolation models (schema-per-tenant, row-level tenancy, org/workspace scoping).
  • Lakehouse/data-platform security (Iceberg-native catalogs, policy enforcement in query engines).
  • OPA/Rego, Cedar, Apache Ranger/Atlas; Just-In-Time (JIT) access; break-glass with audit.
  • Incident response for identity, tabletop exercises, access review automation.
Impact in your first 90 days
  • Stand up standardized JML with automated de-provisioning and zero-touch offboarding.
  • Ship table/row-level RBAC for at least one high-value domain (e.g., customer data) enforced via Postgres RLS and role hierarchies.
  • Deliver an Okta-backed SSO + SCIM integration pack for top SaaS apps and internal services.
  • Publish baseline IAM Policy & Standards and a quarterly access review cadence.

