Job Details:

Job Description

The SAP Security & Platform Security Engineer is an experienced SAP and Workday security professional with deep expertise in SAP GRC, Workday security configuration, Emergency Access/Firefighter processes, and cross application Segregation of Duties and privileged access controls. This role is responsible for architecting secure integrations for SAP’s Joule AI capabilities and promoting Responsible AI and privacy by design principles. The engineer partners closely with IT, HRIS, Audit, Compliance, and business stakeholders to align SAP and Workday security with the enterprise Privileged Access Management (PAM) program, ensuring secure, compliant, and efficient access across the organization.

Essential Duties and Responsibilities

• Lead the redesign and governance of SAP Emergency Access Management (Firefighter), including policy development, workflow design, automated logging and auditing, and stakeholder training.

• Architect secure end-to-end SAP security for Business AI/Joule, integrating IAS/IPS, SCIM/IPS provisioning, Global User ID strategy, OIDC authentication, and user bound principal propagation.

• Implement core AI security controls aligned with Responsible AI principles; including authentication, authorization, encryption, masking, content filtering, and RAG processes.

• Establish a unified cross application Segregation of Duties (SoD) framework across SAP, Workday, and other enterprise systems, defining risks, rulesets, and mitigating controls.

• Lead SoD and access risk remediation efforts by refining user access, adjusting roles, and coordinating with audit and compliance teams to meet SOX, GDPR, and regulatory requirements.

• Integrate SAP and Workday privileged access requirements into the enterprise PAM framework and define standardized workflows for request, approval, usage, and revocation of elevated access.

• Lead Workday security architecture, including security groups, domain policies, role hierarchies, permission models, and consistent least privilege design.

• Oversee enterprise access governance, including periodic access reviews, JML processes, and certification cycles to prevent entitlement creep.

• Act as the primary liaison across IT Security, HRIS, Audit, Compliance, and business stakeholders to ensure alignment of SAP and Workday security with PAM, SoD, and enterprise IAM strategies.

• Conduct audits, risk assessments, and remediation planning while delivering clear reporting, training, and communication to stakeholders.

Outcomes

• A modern, policy driven SAP Emergency Access program that ensures controlled, traceable, and audit ready emergency access while reducing misuse and backlog.

• Secure, identity consistent AI enablement for Joule, ensuring AI actions operate strictly within user authorized privileges and comply with Responsible AI requirements.

• A unified SoD framework that provides enterprise-wide visibility into access risks, minimizes cross process conflicts, and improves audit readiness.

• Reduced privileged access risk through standardized PAM workflows, centralized oversight, and integrated logging across SAP and Workday.

• A resilient Workday security architecture with well-structured roles, controlled permissions, and documentation aligned with audit and compliance expectations.

• A strengthened compliance posture with faster remediation, fewer audit findings, and alignment with SOX, GDPR, and enterprise security standards.

• Improved lifecycle access governance that prevents entitlement creep and ensures least privilege access across all business areas.

• More effective cross functional collaboration, resulting in consistent controls, clear ownership, and greater confidence from leadership and audit stakeholders.

Qualifications

• SAP Security & GRC Expertise: 5–10+ years designing SAP roles and authorizations, managing GRC Access Control, and leading Firefighter, SoD analysis, and access risk remediation in S/4HANA and Fiori.

• Workday Security Experience: 3–5+ years configuring Workday’s role-based security model, including domain policies, security groups, hierarchies, granular permissions, and SoD controls.

• Privileged Access & Identity Management: Experience designing and operating PAM/EAM workflows, enforcing least privilege access, and supporting audit, monitoring, and compliance processes.

• Cross Application SoD & Governance: Ability to define and manage SoD rulesets across SAP and Workday using platforms such as SAP IAG for unified risk visibility and mitigation.

• AI & SAP Security Architecture: Understanding of SAP Business AI/Joule, IAS/IPS, SCIM provisioning, OIDC authentication, principal propagation, and AI security controls aligned with Responsible AI principles.

• Education & Certifications: Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field; certifications such as CISSP, CISM, CISA, SAP Security/GRC, or Workday Security preferred.

• Leadership & Communication: Strong ability to lead cross functional security initiatives and communicate complex IAM and AI security concepts to technical teams, business partners, auditors, and senior leadership.

Special Skills

• SAP security design and GRC expertise

• SoD analysis and cross application ruleset creation

• SAP S/4HANA, Ariba, Concur, Fieldglass authorization knowledge

• Workday security configuration and permission modeling

• Workday hierarchies, security groups, and SoD controls

• Privileged access management (PAM/EAM) operations

• Emergency access workflows, logging, and auditing

• SIEM and GRC platform integration

• Identity federation (OIDC, SAML, OAuth 2.0)

• SCIM/IPS based identity synchronization

• AI security (encryption, masking, content filtering)

• Responsible AI governance

• JML governance and access certification

• Risk mitigation and compensating controls

• IAM roadmap and program planning

Soft Skills

• Cross functional leadership

• Clear communication of complex security concepts

• Strong collaboration with HR, IT, audit, and compliance teams

• Analytical problem solving

• Change management and process adoption

• Leadership for large security initiatives

• Team mentoring and capability development

• Security awareness advocacy

Not eligible for visa sponsorship now or in the future

Relocation Assistance Eligible:

No

Work Shift:

1ST SHIFT (United States of America)

Certain roles at Tyson require background checks. If you are offered a position that requires a background check you will be provided additional documentation to complete once an offer has been extended.

Hourly Applicants ONLY -You must complete the task after submitting your application to provide additional information to be considered for employment.

Tyson is an Equal Opportunity Employer. All qualified applicants will be considered without regard to race, national origin, color, religion, age, genetics, sex, sexual orientation, gender identity, disability or veteran status.

We provide our team members and their families with paid time off; 401(k) plans; affordable health, life, dental, vision and prescription drug benefits; and more.

If you would like to learn more about your data privacy rights and how you may use that information, please read our Job Applicant Privacy Notice here.

Unsolicited Assistance: Tyson Foods and its subsidiaries do not accept unsolicited support from external recruitment vendors for open positions within the United States. Any resumes or candidate profiles submitted by recruitment vendors or headhunters to any employee or applicant tracking system at Tyson Foods or its subsidiaries, without a valid written request and search agreement approved by HR, will be considered the property of Tyson Foods. No fees will be paid if the candidate is hired due to an unsolicited referral.