
Principal SAP Security Architect (S/4HANA & Government Systems)

Avantor
parental leave, paid holidays, 401(k)
Jun 26, 2026
The Opportunity:

The Principal Saviynt IAM Architect (Government Systems & SAP Security Integration) serves as the enterprise design authority for Identity Governance & Administration (IGA), identity lifecycle automation, and regulated access architecture supporting NuSil's U.S. Government operations.

This role is primarily responsible for architecting and leading Avantor's identity governance strategy within highly regulated environments, including the implementation and integration of Saviynt with SAP S/4HANA and other enterprise platforms.

The team

NuSil operates within a defense-regulated environment subject to:

  • CMMC (Cybersecurity Maturity Model Certification) requirements
  • Controlled Unclassified Information (CUI) handling mandates
  • ITAR / Export Administration Regulations (EAR) restrictions
  • Controlled materials and proprietary formulation protections
  • SOX IT General Controls

This role designs and engineers identity-driven access controls to ensure regulatory alignment, secure provisioning, defensible audit posture, and sustainable governance of sensitive access across SAP and integrated enterprise systems. The position carries enterprise accountability for IAM architecture in regulated environments and operates with principal-level independence within Architecture & Engineering.

What we're looking for

  • Education: Bachelor's degree and/or equivalent experience, education and training
  • Experience: 12+ years of Identity & Access Management experience
    • 5+ years of enterprise IGA architecture experience
    • Deep expertise with Saviynt architecture, workflows, and governance models
    • Strong understanding of:
      • Identity lifecycle management
      • Entitlement modeling
      • Automated provisioning
      • Access certification
      • Role governance
    • Experience integrating IDM Solutions with SAP S/4HANA and enterprise applications
    • Experience designing IAM controls in regulated environments subject to CMMC, CUI, ITAR, or SOX
    • Expert understanding of SAP authorization concepts and SAP role structures
    • Experience designing identity-driven access controls for enterprise ERP environments
    • Demonstrated ability to operate independently as enterprise architectural authority
  • Preferred Qualifications
    • Saviynt certifications or implementation experience
    • Experience with SAP GRC Access Control
    • Experience supporting U.S. Government or defense-regulated environments
    • Familiarity with Zero-Trust and ABAC security models
    • Experience with data masking or privileged access governance solutions
    • CISSP, CIAM, or related security certifications

Primary Responsibilities

Identity Governance & Administration (IGA) Architecture

  • Serve as the architectural authority for SAP implementation and identity governance strategy
  • Design enterprise identity governance frameworks supporting regulated environments
  • Architect identity lifecycle processes including Joiner/Mover/Leaver automation
  • Define enterprise entitlement models and role governance structures
  • Design automated provisioning and de-provisioning workflows across SAP and integrated platforms
  • Architect access certification, attestation, and role review processes
  • Define identity governance controls supporting audit, compliance, and regulatory requirements
  • Engineer scalable identity governance models supporting growth of U.S. Government operations
  • Define API integration strategies, connectors, and identity synchronization mechanisms

Saviynt Platform Architecture & Integration

  • Lead architecture and integration of Saviynt with SAP S/4HANA and other enterprise systems
  • Define entitlement mapping strategies between SAP roles and Saviynt access models
  • Architect birthright access, dynamic role assignment, and conditional access frameworks
  • Configure and optimize provisioning workflows, approval chains, and governance processes
  • Prevent over-provisioning and privilege escalation through identity-centric control design
  • Design scalable identity governance processes for regulated manufacturing environments
  • Partner with enterprise IAM teams on roadmap, standards, and platform optimization

CMMC, CUI & ITAR-Aligned Access Architecture

  • Architect identity-driven access controls aligned to CMMC access control domains
  • Engineer segregation and governance of CUI within enterprise systems
  • Design controls ensuring ITAR-restricted data is accessible only to authorized U.S. persons
  • Define identity governance models supporting controlled manufacturing and export-sensitive processes
  • Implement auditable and traceable identity governance controls for regulated environments
  • Partner with Information Security and Compliance teams to support evolving regulatory requirements

SAP Security Integration

  • Provide architectural oversight for SAP S/4HANA and Fiori security integration into Saviynt
  • Support SAP role governance, entitlement mapping, and Segregation of Duties alignment
  • Partner with SAP Security teams on:
    • SAP GRC integration
    • Access certification alignment
    • Provisioning workflows
    • SoD remediation strategies
  • Ensure SAP authorization structures align with enterprise IAM governance models
  • Support secure integration of SAP identities, RFC/service accounts, and privileged access workflows

Data Protection & Sensitive Access Controls

  • Support governance of sensitive and regulated data access within SAP and integrated platforms
  • Architect identity-centric controls supporting:
    • Data masking
    • Sensitive data segmentation
    • Privileged access governance
  • Partner with Security and SAP teams on Zero-Trust and least-privilege initiatives
  • Ensure regulated data access is controlled through sustainable identity governance processes

Regulatory & Audit Technical Leadership

  • Serve as IAM technical authority during CMMC readiness reviews and audits
  • Support audit evidence generation related to identity governance and access certification
  • Design defensible access governance processes aligned to SOX and regulatory expectations
  • Lead remediation efforts related to identity governance findings and access control deficiencies
  • Partner with Internal Audit, Compliance, and Security teams on preventive control design

Leadership & Cross-Functional Influence

  • Act as principal-level technical authority for identity governance architecture
  • Influence enterprise IAM and access governance strategy decisions
  • Partner cross-functionally with:
    • SAP teams
    • Information Security
    • Infrastructure
    • Compliance
    • Internal Audit
    • Enterprise IAM teams
  • Mentor IAM engineers and analysts
  • Reduce dependency on external consultants by institutionalizing identity governance expertise

Complexity & Regulatory Impact

  • Multi-regulatory exposure (CMMC, CUI, ITAR, SOX)
  • Defense-customer audit scrutiny
  • Enterprise identity governance across regulated manufacturing systems
  • Complex entitlement and provisioning architecture across SAP and integrated platforms
  • Direct impact on government contract eligibility and audit readiness
  • Enterprise-level IAM design authority
  • Cross-platform integration complexity spanning Saviynt, SAP, security tooling, and enterprise identity infrastructure

#LI-Remote

Disclaimer:

The above statements are intended to describe the general nature and level of work being performed by employees assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of employees assigned to this position. Avantor is proud to be an equal opportunity employer.

Why Avantor?

Dare to go further in your career. Join our global team of 14,000+ associates whose passion for discovery and determination to overcome challenges relentlessly advances life-changing science.

The work we do changes people's lives for the better. It brings new patient treatments and therapies to market, giving a cancer survivor the chance to walk his daughter down the aisle. It enables medical devices that help a little boy hear his mom's voice for the first time. Outcomes such as these create unlimited opportunities for you to contribute your talents, learn new skills and grow your career at Avantor.

We are committed to helping you on this journey through our diverse, equitable and inclusive culture which includes learning experiences to support your career growth and success. At Avantor, dare to go further and see how the impact of your contributions sets science in motion to create a better world. Apply today!

Pay Transparency:

The expected pre-tax pay for this position is

Actual pay may differ depending on relevant factors such as prior experience and geographic location.

EEO Statement:

We are an Equal Employment/Affirmative Action employer and VEVRAA Federal Contractor. We do not discriminate in hiring on the basis of sex, gender identity, sexual orientation, race, color, religious creed, national origin, physical or mental disability, protected Veteran status, or any other characteristic protected by federal, state/province, or local law.

If you need a reasonable accommodation for any part of the employment process, please contact us by email at recruiting@avantorsciences.com and let us know the nature of your request and your contact information. Requests for accommodation will be considered on a case-by-case basis. Please note that only inquiries concerning a request for reasonable accommodation will be responded to from this email address.

For more information about equal employment opportunity protections, please view the Know Your Rights poster.

Privacy Policy:

We will use the personal information that you have submitted to us in order to consider your application for the relevant role.

Your privacy is important to us. Please click here for our Privacy Policy which explains the purposes for which we will use your personal information and the ways in which we will handle and retain your information. It also explains the rights you have in relation to your information, and how to contact us with any queries or requests.

3rd Party Non-Solicitation Policy:

By submitting candidates without having been formally assigned on and contracted for a specific job requisition by Avantor, or by failing to comply with the Avantor recruitment process, you forfeit any fee on the submitted candidates, regardless of your usual terms and conditions. Avantor works with a preferred supplier list and will take the initiative to engage with recruitment agencies based on its needs and will not be accepting any form of solicitation.

Avantor offers a comprehensive benefits package including medical, dental, and vision coverage, wellness programs, health savings and flexible spending accounts, a 401(k) plan with company match, and an employee stock purchase program. Employees also receive 11 paid holidays, accrue 18 PTO days annually, are eligible for volunteer time off and 6 weeks of 100% paid parental leave (except in states that offer paid family leave). These benefits may not apply to employees covered by a collective bargaining agreement or those subject to other eligibility rules.
