Overview
The ICT Officer (Identity and Access Management) will lead and evolve the identity and access management (IDAM) ecosystem, acting as the gatekeeper for digital identity and ensuring appropriate access.
Key Responsibilities
- Design, configure, and maintain One Identity - Identity Manager (IDAM) for user lifecycle management, provisioning, and role-based access control.
- Integrate identity data from the WAVE ERP system to drive Joiner/Mover/Leaver (JML) processes.
- Manage synchronization and identity federation between on-premises Microsoft Active Directory and Microsoft Entra ID (formerly Azure Active Directory).
- Define and implement access governance, including role modelling, segregation of duties (SoD), and access review campaigns.
- Develop automated workflows for account provisioning, deprovisioning, and entitlement management across all ICT platforms.
- Collaborate with HR, Information Security, and Compliance teams to enforce identity related policies.
- Enforce Just-In-Time (JIT) access for sensitive operations.
- Monitor and respond to identity-related incidents and service requests.
- Create and maintain IAM documentation including architecture diagrams, SOPs, and audit records.
- Supervise the IAM team, manage performance effectively, and promote a cooperative work environment.
- Ensure correct operation of hybrid identity sync from AD to Entra ID via Microsoft Entra Connect (formerly Azure AD Connect), monitoring sync health, export errors, and object conflict resolution.
- Define entitlement management with access packages for joiners/movers/leavers.
- Enforce naming conventions and OU placement standards.
- Manage service accounts under lifecycle governance, including a named owner, documented purpose, and expiration controls so that unused accounts are disabled rather than left active.
- Manage access using Entra ID roles, administrative units, and custom roles.
- Assign privileged roles via Privileged Identity Management (PIM) with time-bound or approval-based access.
- Define Conditional Access Policies based on risk, device, location, and user sensitivity.
- Enforce MFA using built-in Entra policies.
- Enable the publishing and management of SaaS apps using SAML, OAuth, or OIDC for Single Sign-On (SSO).
- Configure provisioning connectors to automate account creation in cloud apps.
- Build processes to enforce user consent restrictions (including an admin consent workflow) to limit data exposure to risky third-party apps.
- Create and maintain procedures for maintenance of security groups and distribution lists.
- Implement and enforce role-based access control (RBAC) through group nesting and inheritance.
- Periodically review and clean up stale groups and memberships and establish access review campaigns for groups, apps, and privileged roles across regional offices.
- Provide input for the license entitlements and ensure correct integration with FinOps and licensing portals.
- Perform such other relevant duties as may be assigned.
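As an added illustration of the service-account lifecycle and stale-account review duties listed above (this is example code written for this page, not material from the posting or from One Identity), the following PowerShell script audits service accounts in on-premises Active Directory using the ActiveDirectory module. The OU path, the `svc-` naming prefix, the 90-day inactivity threshold and the 180-day maximum lifetime are assumptions; `-WhatIf` is left on so the script reports what it would change without changing anything until an operator removes it.

```powershell
# Added example, not part of the original posting.
# Audits service accounts: disables accounts unused for 90+ days and
# sets an expiration date on any account that has none.
Import-Module ActiveDirectory

$ServiceOu   = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU
$StaleAfter  = (Get-Date).AddDays(-90)                     # assumed threshold
$MaxLifetime = 180                                         # assumed max days

# 'svc-' prefix is an assumed naming convention for service accounts.
$accounts = Get-ADUser -SearchBase $ServiceOu -Filter 'Name -like "svc-*"' `
    -Properties LastLogonDate, AccountExpirationDate, PasswordLastSet, Enabled

foreach ($a in $accounts) {
    if (-not $a.Enabled) { continue }

    # Never logged on, or not used within the threshold: disable rather than
    # delete, so a dependent workload can still be identified and the owner
    # contacted before the object is removed.
    if (-not $a.LastLogonDate -or $a.LastLogonDate -lt $StaleAfter) {
        Write-Output "Stale: $($a.SamAccountName) last logon $($a.LastLogonDate)"
        Disable-ADAccount -Identity $a -WhatIf
        continue
    }

    # No expiration date set: add one so that renewal requires an explicit
    # review instead of the account living on indefinitely.
    if (-not $a.AccountExpirationDate) {
        Write-Output "No expiry: $($a.SamAccountName)"
        Set-ADAccountExpiration -Identity $a `
            -DateTime (Get-Date).AddDays($MaxLifetime) -WhatIf
    }
}

# Accounts already past their expiration date but still enabled are the
# ones that slipped through the review process and need immediate attention.
Search-ADAccount -AccountExpired -UsersOnly -SearchBase $ServiceOu |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, AccountExpirationDate
```

Run this from a host with the RSAT ActiveDirectory module under an account that can read and modify the service-account OU. The script deliberately disables rather than deletes, and prints the accounts it touches so that the output can be filed as an audit record for the access review.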
Required Experience
- A minimum of 5 years of experience in Identity & Access Management, IT Security, or related infrastructure engineering roles.
- Hands-on experience with One Identity - Identity Manager (strongly preferred).
- Solid proficiency in Microsoft Active Directory, Group Policy, and Azure Active Directory (Microsoft Entra ID).
- Experience in integrating IAM solutions with ERP systems for automated provisioning (e.g. SAP, Oracle).
- Understanding of authentication and authorization protocols (SAML, OAuth, OpenID Connect).
- Experience implementing RBAC, ABAC, and SoD controls.
- Strong scripting ability (PowerShell, SQL, or similar) for automating IAM workflows.
Qualifications
- Master’s degree in Cybersecurity, Computer Engineering, Computer Science, or a related field from an accredited academic institution with five years of relevant professional experience; or,
- University degree in the above fields with seven years of relevant professional experience.
- Microsoft Certified: Identity and Access Administrator Associate (SC-300).
- Microsoft Certified: Azure Administrator Associate (AZ-104).
- Must attain and maintain ITIL version 4 Foundation certification and CISSP.