SAP GRC Analyst and Security Consultant

We are looking for a seasoned SAP GRC and Security Consultant to take full ownership of access risk, compliance controls, and identity governance across a complex SAP landscape. This is a hands-on contract engagement based in Calgary — you will not be advising from the sidelines. You'll configure, remediate, govern, and deliver, working directly with business process owners, internal audit, and IT security teams to build a compliant, audit-ready SAP environment.

What you'll do

  • Own the end-to-end design, configuration, and ongoing governance of SAP GRC Access Control (AC) — including ARA, ARM, EAM, and BRM modules.
  • Define and maintain the enterprise Segregation of Duties (SoD) ruleset; identify, analyze, and remediate SoD conflicts across SAP ECC and/or S/4HANA landscapes.
  • Design and implement role-based access control (RBAC) frameworks — building, testing, and documenting SAP roles and authorization objects aligned to least-privilege principles.
  • Configure and govern Firefighter (Emergency Access Management) workflows — owner assignments, log reviews, and audit trail reporting.
  • Lead access certification campaigns and periodic user access reviews (UAR) in collaboration with role owners and business process owners.
  • Support and drive SAP S/4HANA security migration and role redesign initiatives where applicable.
  • Partner with internal audit and compliance teams to prepare evidence packages, remediate findings, and maintain SOX, SOC 2, or equivalent compliance posture.
  • Integrate SAP GRC with Identity Governance and Administration (IGA) tools — SailPoint, Saviynt, or equivalent — where required.
  • Develop and maintain GRC governance documentation: rulesets, control matrices, risk registers, and process runbooks.
  • Mentor junior security analysts and serve as the internal SAP GRC subject matter expert for stakeholder escalations.

What you bring

8–10 years of hands-on SAP security and GRC experience — not advisory or project management, but direct configuration and governance ownership.

Deep expertise in SAP GRC Access Control — ARA (Access Risk Analysis), ARM (Access Request Management), EAM (Emergency Access Management), and BRM (Business Role Management).

Expert-level knowledge of SAP authorization concepts: authorization objects, profiles, roles (single, composite, derived), SU24, PFCG, and SU53 analysis.

Proven experience designing and remediating SoD rulesets in production SAP environments — not just running SoD reports, but owning the ruleset and driving remediation to closure.

Experience with SAP ECC and/or S/4HANA security — including Fiori app authorization, business roles, and the S/4 authorization concept changes from ECC.

Working knowledge of SOX IT General Controls (ITGCs) as they apply to SAP access and change management — and experience preparing audit evidence.

Strong communication skills — able to translate SAP authorization complexity into plain language for business process owners, auditors, and C-level stakeholders.

Nice to have

  • Experience with SAP GRC Process Control (PC) for automated control monitoring.
  • SAP S/4HANA security migration project experience — role redesign, clean-up, and Fiori authorization model.
  • Integration experience with IGA platforms: SailPoint IdentityIQ/IdentityNow, Saviynt, or CyberArk.
  • Background in energy, oil and gas, utilities, or financial services — sectors with complex Calgary-market SAP footprints.
  • SAP Certified Technology Associate — SAP GRC Access Control certification.
  • Familiarity with SAP BTP (Business Technology Platform) security and identity management.
  • Experience with SAP Audit Management or integration of GRC with external GRC platforms (Archer, ServiceNow GRC).

Tech stack & tools

  • SAP GRC: GRC AC 12.0, ARA, ARM, EAM, BRM, Process Control, Risk Management
  • SAP Security: PFCG, SU24, SU53, SUIM, S/4HANA roles, Fiori authorization, derived roles
  • Compliance: SOX ITGCs, SoD ruleset design, UAR campaigns, audit evidence, control matrices
  • IGA integration: SailPoint, Saviynt, CyberArk, Azure AD / Entra ID, LDAP
  • Reporting & docs: SAP SUIM, GRC dashboards, risk registers, runbooks, Archer, ServiceNow GRC
  • Platforms: SAP ECC 6.0, S/4HANA 2020/2022, SAP BTP, Fiori Launchpad

Why Calgary — why now

Calgary's enterprise SAP market is anchored by some of Canada's largest energy, pipeline, and financial services organizations — many in the middle of S/4HANA migrations with significant GRC remediation backlogs. If you've done real SoD ownership, Firefighter governance, and audit prep in complex, multi-module SAP landscapes, there is a high-demand market here waiting for exactly that expertise.

Hard requirements — please read before applying

Work authorization: Candidates must be legally eligible to work in Canada. This engagement is not able to support work permit applications or immigration sponsorship.

Location: This is an on-site or hybrid contract engagement based in Calgary, AB. Remote-only candidates will not be considered. Candidates must be available to work in the Calgary area for the duration of the contract.
