Senior CyberArk Engineer [Interim]

Interim / Contract  |  100% Remote (CET working hours preferred)  | 6 months rolling engagement — multi-year programme

Our client, a major European grocery retail group, is running a business-critical programme to modernise and secure Identity and Access Management across its operations in Belgium, Serbia, Greece and Romania. A central pillar is onboarding all business-critical and cyber-critical assets onto a centralised Privileged Access Management (PAM) solution — built on CyberArk and complemented by Azure Entra PIM for cloud-native workloads — supporting Zero Trust principles across hybrid, multi-cloud and on-premises environments.

You join an established team of CyberArk engineers, working alongside a global PAM function, as the programme scales up its onboarding capacity. You report to the regional IAM Team Leader and own privileged-access use cases end-to-end — from first engagement with an application owner, through technical onboarding and testing, to formal sign-off and operational handover.

Riverflex was founded in Amsterdam and London in 2018, eventually growing into a global team of consultants united by a mission to help courageous leaders drive transformative change. Today, we offer an integrated service through three service pillars: strategy and transformation consulting that Creates Change, talent services that Build Teams, and business-accelerating products that Augment Intelligence. For more information, visit www.riverflex.com.

You own privileged-access onboarding use cases end-to-end across network devices, infrastructure platforms, databases, cloud workloads and business applications.

You run application-owner discovery: leading intake meetings, completing intake forms, and capturing server, database, web-layer and privileged-role detail per use case.

You onboard accounts into CyberArk: duplicating and configuring platforms, creating Safes, assigning accounts, and configuring CPM password rotation and PSM / PSM-for-SSH session management.

You coordinate UAT with application owners through to closure: collecting evidence, securing formal sign-off, updating the Safe repository and handing over to Operations.

You keep the onboarding tracker and Jira board current, logging newly discovered access layers as separate tickets for scope traceability.

You onboard and manage both personal privileged accounts and non-personal / service accounts.

You configure credential vaulting and automated rotation, and manage resource and group mappings for onboarded accounts.

You support self-service and API-driven onboarding at scale (e.g. REST-API store rollouts).

You configure and support core CyberArk components: Digital Vault, PVWA, CPM, PSM, PSM for SSH (PSMP) and Credential Provider (AAM / CCP).

You diagnose and resolve onboarding blockers — CPM rotation failures, PSM/PKI certificate and CRL issues, LDAP integration, GPO/NTLM and network-connectivity problems.

You support platform activities such as Vault upgrades and primary-site switches, including re-verification of custom plugins post-upgrade.

You act as first point of contact for application teams, engaging owners, vendors and regional / platform teams (network, storage, database, SAP Basis) to unblock onboarding.

You drive resistant application owners to commitment, using programme wave initiatives and business-security-advisor input as leverage.

You contribute to PAM strategy and architectural decisions and feed sizing / effort data into PI planning.

You maintain documentation on configurations, onboarding processes, Safe repositories and audit controls.

You support break-glass, vaulting-standard and Definition-of-Done work in line with programme requirements.

3+ years hands-on experience in CyberArk engineering and administration (on-premises; SaaS exposure an advantage).

Strong knowledge of CyberArk components: Digital Vault, PVWA, CPM, PSM, PSM for SSH (PSMP), AAM / Credential Provider (CCP).

Proven end-to-end application and infrastructure onboarding experience: discovery, platform / Safe configuration, CPM rotation, PSM session management, UAT and sign-off.

Strong troubleshooting across CPM rotation, PKI/CRL and certificate issues, LDAP integration and network connectivity.

Confident, customer-facing engagement with application owners, vendors and platform teams; able to drive resistant stakeholders to commitment.

Familiarity with Jira-based delivery tracking and disciplined intake / documentation and compliance evidence collection.

Fluent in English.

Experience configuring web and SSH connectors, and developing or customising CPM plugins and PSM connectors for non-standard targets (e.g. thick-client and homegrown applications).

Proficiency in PowerShell and the CyberArk REST API for automation and bulk / self-service onboarding.

Working knowledge of Azure Entra ID / Entra PIM and how PAM complements directory services.

This is a hands-on engineering seat on a multi-year, business-critical security programme at significant scale — securing privileged access across four countries and a broad estate of infrastructure, cloud and application systems. You’ll have real ownership of your use cases end-to-end, an established team and global function around you, and a long runway: the engagement is rolling with strong extension potential.

Interested in this role? Submit your CV and a brief note on your relevant experience through the Riverflex website or reach out to our talent team directly.

We are an Equal Opportunity Employer and take pride in a diverse environment. We do not discriminate in recruitment, hiring, training, promotion, or other employment practices for reasons of race, color, religion, gender, sexual orientation, national origin, age, marital status, medical condition, or disability. Even if you believe you do not tick all the aforementioned requirements for the role, we still encourage you to take the time to apply.