[Hiring] Lead IAM Provisioning Engineer @NTT DATA Services

Role Description

This SailPoint-Focused L3 Senior User Provisioning Engineer is a technical leader for identity lifecycle, entitlement engineering, and privileged access across enterprise IGA/PAM and cloud identity platforms. This role owns complex SailPoint and CyberArk integrations, designs Entra ID identity flows, manages PKI and certificate automation, and drives reliability, auditability, and automation across provisioning processes. The L3 engineer resolves escalated incidents, leads root-cause remediation, and mentors L2/L1 staff.

• Technical ownership of user lifecycle and entitlement engineering across Active Directory, Entra ID, SaaS apps, and custom systems.
• SailPoint IGA leadership: design, implement, and tune connectors, provisioning policies, role engineering, reconciliation, and certification campaigns.
• CyberArk PAM stewardship: onboard targets, manage vault policies, implement credential rotation, and support privileged session controls.
• PKI and certificate lifecycle: architect and operate certificate issuance, renewal, revocation, and automation for service identities and TLS endpoints.
• Cloud identity engineering: design Entra ID conditional access, cross-tenant syncs, and entitlement models; coordinate with AWS/GCP IAM as needed.
• Automation and infrastructure as code: develop and maintain SCIM/SAML/OIDC connectors, PowerShell/Python scripts, and Terraform/IaC for repeatable provisioning patterns.
• Incident response and RCA: lead Tier-3 troubleshooting for provisioning failures, perform root-cause analysis, implement permanent fixes, and reduce recurrence.
• Governance and audit readiness: lead access reviews, entitlement remediation, evidence collection, and support external/internal audits.
• Mentorship and documentation: create runbooks, operational playbooks, and train L1/L2 engineers to improve throughput and reduce manual errors.

Qualifications

• 5+ years of hands-on IAM experience with progressive responsibility in provisioning and identity engineering.
• Proven, practical experience with SailPoint (IGA) and CyberArk (PAM) implementations.
• Deep operational knowledge of Entra ID / Azure AD and identity synchronization patterns.
• Strong understanding of PKI concepts and hands-on certificate management.
• Proficient with identity protocols: SCIM, SAML, OAuth/OIDC, MFA.
• Advanced scripting and automation skills: PowerShell, Python, Bash; experience with Terraform or CloudFormation.
• Experience with ITSM/ticketing tools (ServiceNow, Jira) and SLA management.
• Demonstrated ability to perform complex troubleshooting and deliver durable engineering fixes.

Preferred Qualifications

• Experience integrating HR systems (Workday, SuccessFactors) with IGA.
• Familiarity with Kubernetes RBAC, secrets management (Vault, Key Vault), and DevSecOps CI/CD integration.
• Certifications: SailPoint, CyberArk, Microsoft Identity/Entra, CISSP, or equivalent.

Soft Skills and Logistics

• Analytical and detail oriented with strong problem-solving and RCA discipline.
• Effective communicator able to influence engineering, security, and business stakeholders.
• Proven mentor and team player who improves operational maturity.
• Employment type: Full-time or contract.
• Location: Remote / Hybrid / On-site.
• Reports to: IAM Operations or Security Architecture Lead.

Benefits

• Medical, dental, and vision insurance with an employer contribution.
• Flexible spending or health savings account.
• Life and AD&D insurance.
• Short and long term disability coverage.
• Paid time off.
• Employee assistance.
• Participation in a 401k program with company match.
• Additional voluntary or legally-required benefits.