Identity and Access Management (IAM) Engineer (DOA)

Warwick, RI, USA
In-Office
111K-127K Annually
Senior level
Other
The Role
Lead the planning, administration, and maintenance of statewide IAM systems. Serve as technical SME for Active Directory, Azure Entra ID P2, and Workday integrations; manage SSO, MFA, PIM, identity lifecycle automation, governance, audits, and Zero Trust implementation while mentoring staff and coordinating with stakeholders.
Summary Generated by Built In
Department: Department of Administration
Division: Information Technology/Computers
Salary: $110,849.00 - $127,368.00
Job Profile: JC-02797004-99 - Identity and Access Management (IAM) Engineer (DOA) (Non-Union Executive Branch Agency Employees)
Scheduled Work Days & Work Hours: Monday - Friday, 8:30am - 4:00pm; 35 Hours - Non-Standard
Job Requisition Number: JR103127 Identity and Access Management (IAM) Engineer (DOA) (Open)
Pay Grade: C00140 A
Classification: Identity and Access Management (IAM) Engineer (DOA)

CLASS DEFINITION:
GENERAL STATEMENT OF DUTIES: Within the Department of Administration (DOA), Division of Enterprise Technology Strategy and Services (ETSS); to perform, organize, direct, and coordinate the planning, administration, and maintenance of the State’s identity and access management systems; to oversee the secure integration of user authentication, authorization, and provisioning processes across on-premises and cloud platforms, including Active Directory, Azure Entra ID P2, and Workday ERP; and to perform related duties as required.
SUPERVISION RECEIVED: Works under the direct supervision of the Deputy Chief Information Security Officer within the Enterprise Technology Strategy & Services (ETSS) cybersecurity division, with wide latitude for the exercise of independent judgment in the application of identity and access management standards, systems engineering, and cybersecurity principles. Work is reviewed upon completion for conformance with departmental policies, standards/frameworks like NIST, and state and federal security requirements.
SUPERVISION EXERCISED: May plan, coordinate, and direct the work of professional and technical staff engaged in identity governance, access control, and directory service operations. Provides guidance to IT and cybersecurity personnel on authentication, provisioning, and identity lifecycle management.

ILLUSTRATIVE EXAMPLES OF WORK PERFORMED:

  • Within the Department of Administration (DOA), Division of Enterprise Technology Strategy and Services (ETSS); to perform, organize, direct, and coordinate the planning, administration, and maintenance of the State’s identity and access management systems; to oversee the secure integration of user authentication, authorization, and provisioning processes across on-premises and cloud platforms, including Active Directory, Azure Entra ID P2, and Workday ERP.
  • To serve as the technical lead and subject matter expert (SME) for all IAM technologies and processes across the executive branch.
  • To administer and optimize systems like Active Directory (on-prem) and Microsoft Entra ID P2, including Conditional Access, SSO (SAML/OIDC), MFA, and Identity Governance features.
  • To lead identity governance integration with Workday, supporting role-based provisioning and access control for ERP users.
  • To develop and enforce IAM standards, policies, and procedures in alignment with state and federal cybersecurity frameworks (e.g., NIST 800-53, CJIS, IRS 1075).
  • To coordinate identity lifecycle processes (joiner/mover/leaver) and drive automation for provisioning, deprovisioning, and access recertification.
  • To collaborate with the Security vertical, technology colleagues, and application owners to support Zero Trust Architecture implementation.
  • To lead IAM support during internal and external audits and participate in risk assessments related to access controls.
  • To track and report on IAM metrics, anomalies, and compliance trends to inform dashboards and executive briefings.
  • To mentor and support IAM technicians and coordinate with external vendors or integrators as needed.
  • To maintain accurate documentation, architectural diagrams, and system runbooks.
  • To complete other related work tasks as required to align with evolution of supported processes, technologies, or organizational strategy.
  • To do related work as required.

REQUIRED QUALIFICATIONS FOR APPOINTMENT:
KNOWLEDGE, SKILLS AND CAPACITIES:

  • A thorough knowledge of the principles, practices, and standards of Identity and Access Management (IAM), including authentication, authorization, and account lifecycle management;
  • knowledge of Active Directory and Azure Entra ID (formerly Azure AD) administration, including Group Policy, OU design, replication, synchronization, and federation;
  • knowledge of Multi-Factor Authentication (MFA), Conditional Access, and Privileged Identity Management (PIM) concepts within modern Zero Trust architectures;
  • knowledge of SAML, OAuth 2.0, and OpenID Connect protocols and their use in federated identity and Single Sign-On (SSO) solutions;
  • knowledge of security principles aligned with NIST CSF 2.0, NIST SP 800-53 (Moderate), and Zero Trust Architecture (NIST SP 800-207) frameworks;
  • knowledge of data privacy and regulatory compliance requirements applicable to identity systems, including State, Federal, and agency-specific mandates;
  • knowledge of common cybersecurity threats, vulnerabilities, and attack methods targeting identity infrastructure, such as Pass-the-Hash, Golden Ticket, and credential replay;
  • knowledge of Directory synchronization tools such as Azure AD Connect, and identity governance tools used for provisioning and audit;
  • knowledge of change management and configuration control processes for enterprise identity systems;
  • knowledge of the fundamentals of incident response, access certification, and audit remediation;
  • skill in administering hybrid identity environments that integrate on-premises AD, cloud-based Entra ID, and SaaS applications like Workday;
  • skill in design and maintenance of role-based access control (RBAC) models that reflect business functions and separation of duties;
  • skill in automating identity management tasks using PowerShell, Python, or equivalent scripting language;
  • skill in reviewing and interpreting logs from directory services, authentication systems, and cloud security tools for anomalies;
  • skill in documenting system configurations, workflows, and policy enforcement mechanisms in clear and auditable form;
  • skill in communicating technical information effectively to non-technical staff, agency partners, and executive leadership;
  • ability to analyze, plan, and implement identity security improvements across a complex, multi-agency enterprise environment;
  • ability to apply sound judgment and independent decision-making to resolve operational and security challenges within delegated authority;
  • ability to work collaboratively with cybersecurity, IT operations, HR, and procurement teams to maintain consistent identity governance processes;
  • ability to prioritize tasks and manage multiple projects with attention to deadlines, accuracy, and compliance;
  • ability to maintain confidentiality of sensitive security and personnel data while ensuring accountability and transparency;
  • ability to stay current with emerging IAM technologies, threat intelligence, and best practices to continuously improve statewide identity posture;
  • and related capacities and abilities.

EDUCATION AND EXPERIENCE:
Education: Graduation from a college or university with a bachelor’s degree in computer science, information technology, cybersecurity, or a closely related field, and maintenance of continuing education in identity security, access governance, and cybersecurity trends; and
Experience: Considerable employment in systems administration, directory services management, or cybersecurity engineering, with demonstrated experience managing Active Directory, Azure Entra ID (P2), and associated identity and access management technologies, as well as participation in professional inter-agency working groups and statewide cybersecurity exercises to ensure continued competency and operational readiness.
Or, any combination of education and experience that shall be substantially equivalent to the above education and experience.

SPECIAL REQUIREMENTS: Possession of one or more of the following certifications, or the ability to obtain one within a reasonable period after appointment; these may be considered evidence of advanced technical competency:
1. Microsoft Certified: Identity and Access Administrator Associate (SC-300).
2. Certified Information Systems Security Professional (CISSP).
3. GIAC Certified Windows Security Administrator (GCWN) or GIAC Enterprise Defender (GCED).
4. Or equivalent cloud identity certification.

Supplemental Information

https://www.everify.gov/sites/default/files/everify/posters/IER_RighttoWorkPoster.pdf
https://everify.uscis.gov/web/media/resourcesContents/EVerify_Participation_Poster_ES.pdf
The individual hired to fill this position will have access to Federal Tax Information (FTI), as defined in IRS Publication 1075, and, as such, must undergo a national fingerprint background screening in accordance with regulation 220-RICR-40-00-2 (IRS Publication 1075 – Background Check Process and Criteria), available at https://rules.sos.ri.gov/regulations/part/220-40-00-2. Additionally, the individual is being hired to an E-Verify site which contains FTI and must have their employment eligibility validated through E-Verify.

Benefits

For information regarding the benefits available to State of Rhode Island employees, please visit the Office of Employee Benefits' website at http://www.employeebenefits.ri.gov/.
 

Also, be advised that a new provision in RI General Law 35-6-1 was enacted requiring direct deposit for all employees. Specific to new hires, the law requires that all employees hired after September 30, 2014 participate in direct deposit. Accordingly, any employee hired after this date will be required to participate in the direct deposit system. At the time the employee is hired, the employee shall identify a financial institution that will serve as a personal depository agency for the employee.

Skills Required

  • Bachelor's degree in computer science, information technology, cybersecurity, or closely related field (or equivalent combination of education and experience).
  • Considerable experience in systems administration, directory services management, or cybersecurity engineering managing Active Directory and Azure Entra ID (P2).
  • Experience integrating identity governance and provisioning with Workday ERP and other SaaS applications.
  • Strong knowledge of SAML, OAuth 2.0, and OpenID Connect for federated identity and SSO implementations.
  • Experience with Conditional Access, Multi-Factor Authentication (MFA), Privileged Identity Management (PIM), and Identity Governance features in Entra/AD environments.
  • Experience with Azure AD Connect, directory synchronization, Group Policy, OU design, replication and federation.
  • Scripting/automation skills using PowerShell, Python, or equivalent to automate provisioning, deprovisioning, and IAM tasks.
  • Knowledge of NIST CSF/NIST SP 800-53, Zero Trust Architecture, IRS 1075 and other applicable compliance/regulatory requirements for identity systems.
  • Ability to review and interpret logs from directory services, authentication systems, and cloud security tools for anomalies and metrics reporting.
  • Ability to develop and enforce IAM standards, policies, and procedures; lead audits, risk assessments, and remediation for access controls.
  • Possess or be able to obtain within a reasonable period one or more certifications such as Microsoft SC-300, CISSP, GCWN/GCED, or equivalent cloud identity certification.
  • Ability to pass national fingerprint background screening in accordance with IRS Publication 1075 and employment eligibility validation via E-Verify.
  • Ability to work collaboratively with cybersecurity, IT operations, HR, and procurement teams and to mentor IAM technicians.

The Company
0 Employees
Year Founded: 1877

What We Do

The State of Rhode Island is the official government entity responsible for the administration, governance, and delivery of public services to the citizens and residents of the state of Rhode Island.
