IT Engineer

2 days ago


Thiruvarur, Tamil Nadu, India | Pashtek • Salesforce and SAP Partner | Full time | ₹ 12,00,000 - ₹ 36,00,000 per year

Location:
Thiruvarur, Tamil Nadu (Onsite)

Function:
Security Engineering / Platform (Identity & Access Management)

Why this role matters

We're working on a secure, multi-tenant SaaS platform and need a hands-on IAM engineer to own the end-to-end identity lifecycle and authorization model—down to table/row/column-level policies. You'll standardize Joiner-Mover-Leaver (JML) workflows, lead least-privilege RBAC across the product and business apps, and automate everything you can.

What you'll do

  • Own the IAM lifecycle:
    Design, develop, and standardize identity lifecycle workflows for employee and service accounts (JML, break-glass, access reviews).
  • Automate provisioning:
    Configure and maintain automated workflows for provisioning, de-provisioning, and access changes using IdP workflows and APIs to eliminate manual effort and reduce MTTR.
  • Integrate the stack:
    Complete and maintain key IdP integrations (varying complexity) with business apps and internal services using SCIM 2.0 and OIDC/SAML.
  • Drive least-privilege:
    Lead the organization-wide RBAC initiative so access maps to job function and need; partner with stakeholders to set/enforce policy.
  • Engineer data-layer RBAC:
    Design and enforce fine-grained authorization at the schema/table/column/row level (e.g., Postgres RLS, column masking) using attributes like organization, region, and role.
  • Harden the platform:
    Implement policy-as-code (e.g., OPA/Rego), secrets management, and auditable change controls (GitOps) for IAM.
  • Document everything:
    Keep clear runbooks, diagrams, and standards for core applications, policies, and processes.
  • Operate & respond:
    Triage and resolve identity incidents and escalations; drive root-cause and prevention.
  • Governance & culture:
    Establish IAM policies and guardrails that foster a least-privilege culture across engineering, IT, and business teams.

You may be a great fit if you

  • Bring 5+ years in fast-paced SaaS environments focused on Identity & Access Management (Okta strongly preferred).
  • Have subject-matter expertise in IdP implementation, JML automation, and integrating SaaS apps using APIs, SCIM, OIDC/SAML.
  • Have led or played a key role in large-scale access-controls/RBAC deployments with cross-functional change management.
  • Partner smoothly with stakeholders to synthesize and present solutions that improve business efficiency.
  • Work autonomously with methodical planning, visibility, and crisp execution.
  • Embrace feedback and a growth mindset; stay current on identity, security, and privacy best practices.

Core skills we value

  • Identity:
    Okta (or similar IdP), Okta Workflows, Lifecycle/JML, adaptive MFA, SCIM directories, groups & claims mapping.
  • AuthZ (product & data):
    RBAC/ABAC design; PostgreSQL GRANTs & Row-Level Security; column masking/tokenization; Snowflake/Trino/ClickHouse RBAC a plus.
  • Automation:
    Scripting (Python/Go/Bash), Terraform (incl. Okta/AWS providers), CI/CD, GitOps for policy changes.
  • APIs & Integrations:
    REST/JSON, webhooks, SCIM servers/clients, service account patterns, secrets (Vault/KMS).
  • Observability & Audit:
    SIEM (Datadog/Splunk/ELK), identity audit logs, access reviews, SoD checks.
  • Compliance mindset:
    SOC 2 / ISO 27001, data-privacy basics (GDPR/DPF), least-privilege by default.

Nice to have

  • Experience with multi-tenant SaaS isolation models (schema-per-tenant, row-level tenancy, org/workspace scoping).
  • Lakehouse/data-platform security (Iceberg-native catalogs, policy enforcement in query engines).
  • OPA/Rego, Cedar, Apache Ranger/Atlas; Just-In-Time (JIT) access; break-glass with audit.
  • Incident response for identity, tabletop exercises, access review automation.

Impact in your first 90 days

  • Stand up standardized JML with automated de-provisioning and zero-touch offboarding.
  • Ship table/row-level RBAC for at least one high-value domain (e.g., customer data) enforced via Postgres RLS and role hierarchies.
  • Deliver an Okta-backed SSO + SCIM integration pack for top SaaS apps and internal services.
  • Publish baseline IAM Policy & Standards and a quarterly access review cadence.