We are looking for a seasoned SAP GRC and Security Consultant to take full ownership of access risk, compliance controls, and identity governance across a complex SAP landscape. This is a hands-on contract engagement based in Calgary — you will not be advising from the sidelines. You'll configure, remediate, govern, and deliver, working directly with business process owners, internal audit, and IT security teams to build a compliant, audit-ready SAP environment.
What you'll do
- Own the end-to-end design, configuration, and ongoing governance of SAP GRC Access Control (AC) — including ARA, ARM, EAM, and BRM modules.
- Define and maintain the enterprise Segregation of Duties (SoD) ruleset; identify, analyze, and remediate SoD conflicts across SAP ECC and/or S/4HANA landscapes.
- Design and implement role-based access control (RBAC) frameworks — building, testing, and documenting SAP roles and authorization objects aligned to least-privilege principles.
- Configure and govern Firefighter (Emergency Access Management) workflows — owner assignments, log reviews, and audit trail reporting.
- Lead access certification campaigns and periodic user access reviews (UAR) in collaboration with role owners and business process owners.
- Support and drive SAP S/4HANA security migration and role redesign initiatives where applicable.
- Partner with internal audit and compliance teams to prepare evidence packages, remediate findings, and maintain SOX, SOC 2, or equivalent compliance posture.
- Integrate SAP GRC with Identity Governance and Administration (IGA) tools — SailPoint, Saviynt, or equivalent — where required.
- Develop and maintain GRC governance documentation: rulesets, control matrices, risk registers, and process runbooks.
- Mentor junior security analysts and serve as the internal SAP GRC subject matter expert for stakeholder escalations.
What you bring
- 8–10 years of hands-on SAP security and GRC experience — not advisory or project management, but direct configuration and governance ownership.
- Deep expertise in SAP GRC Access Control — ARA (Access Risk Analysis), ARM (Access Request Management), EAM (Emergency Access Management), and BRM (Business Role Management).
- Expert-level knowledge of SAP authorization concepts: authorization objects, profiles, roles (single, composite, derived), SU24, PFCG, and SU53 analysis.
- Proven experience designing and remediating SoD rulesets in production SAP environments — not just running SoD reports, but owning the ruleset and driving remediation to closure.
- Experience with SAP ECC and/or S/4HANA security — including Fiori app authorization, business roles, and the S/4 authorization concept changes from ECC.
- Working knowledge of SOX IT General Controls (ITGCs) as they apply to SAP access and change management — and experience preparing audit evidence.
- Strong communication skills — able to translate SAP authorization complexity into plain language for business process owners, auditors, and C-level stakeholders.
Nice to have
- Experience with SAP GRC Process Control (PC) for automated control monitoring.
- SAP S/4HANA security migration project experience — role redesign, clean-up, and Fiori authorization model.
- Integration experience with IGA platforms: SailPoint IdentityIQ/IdentityNow, Saviynt, or CyberArk.
- Background in energy, oil and gas, utilities, or financial services — sectors with complex Calgary-market SAP footprints.
- SAP Certified Technology Associate — SAP GRC Access Control certification.
- Familiarity with SAP BTP (Business Technology Platform) security and identity management.
- Experience with SAP Audit Management or integration of GRC with external GRC platforms (Archer, ServiceNow GRC).
Tech stack & tools
- SAP GRC: GRC AC 12.0, ARA, ARM, EAM, BRM, Process Control, Risk Management
- SAP Security: PFCG, SU24, SU53, SUIM, S/4HANA roles, Fiori authorization, derived roles
- Compliance: SOX ITGCs, SoD ruleset design, UAR campaigns, audit evidence, control matrices
- IGA integration: SailPoint, Saviynt, CyberArk, Azure AD / Entra ID, LDAP
- Reporting & docs: SAP SUIM, GRC dashboards, risk registers, runbooks, Archer, ServiceNow GRC
- Platforms: SAP ECC 6.0, S/4HANA 2020/2022, SAP BTP, Fiori Launchpad
Why Calgary — why now
Calgary's enterprise SAP market is anchored by some of Canada's largest energy, pipeline, and financial services organizations — many in the middle of S/4HANA migrations with significant GRC remediation backlogs. If you've done real SoD ownership, Firefighter governance, and audit prep in complex, multi-module SAP landscapes, there is a high-demand market here waiting for exactly that expertise.
Hard requirements — please read before applying
Work authorization: Candidates must be legally eligible to work in Canada. This engagement is not able to support work permit applications or immigration sponsorship.
Location: This is an on-site or hybrid contract engagement based in Calgary, AB. Remote-only candidates will not be considered. Candidates must be available to work in the Calgary area for the duration of the contract.