MSD

Enterprise Data Access Product Owner

MSD  •  Prague, CZ (Hybrid)  •  3 hours ago

Job Description

The Position

We are seeking a technically deep, outcome-driven Enterprise Data Access Product Owner to own and evolve the Enterprise Data Access Control (EDAC) platform — the centralized access control middleware that governs how data products are securely accessed across The Company’s Discover ecosystem.

This role is a 50/50 blend of Product Manager and Product Owner:

  • As Product Manager (~50%): You will define the product vision, strategy, and roadmap for EDAC; conduct market and technology research on access control paradigms; drive adoption and usage growth; identify opportunities to automate and enhance the platform with AI/GenAI; and represent EDAC's strategic direction to senior stakeholders and cross-functional partners.
  • As Product Owner (~50%): You will own the product backlog, write and prioritize user stories and acceptance criteria, collaborate daily with engineering teams, participate in sprint ceremonies, and ensure delivery aligns with measurable business outcomes and user satisfaction.


You will report to the Group Product Manager for Discover and collaborate closely with Product Managers across Marketplace, Search, Cataloging, API Orchestration, and Analytics, as well as Architecture, Security, Engineering, and domain teams across divisions.


What will you do?

  • Contribute and communicate the product vision, strategy, and multi-quarter roadmap for EDAC as the enterprise's authoritative access control layer.
  • Anchor all roadmap decisions in measurable business outcomes: reduced time-to-access, increased data product consumption, improved compliance posture, and higher user satisfaction scores.
  • Conduct continuous discovery with data consumers, data stewards, security teams, and platform engineers to identify unmet needs and emerging access patterns.
  • Own and drive product success metrics and KPIs.
  • Research and evaluate industry-leading access control platforms and technologies (e.g., Immuta, Privacera, Collibra Data Access Governance, Okera, Apache Ranger, Open Policy Agent) to inform build-vs-buy-vs-integrate decisions.
  • Translate regulatory requirements (GDPR, HIPAA, GxP) and enterprise security policies into product capabilities and technical specifications.
  • Identify and drive opportunities to automate access governance workflows using AI/GenAI, including:
      • Intelligent policy recommendation — leveraging LLMs to suggest access policies based on data classification, usage patterns, and organizational context
      • Automated access request triage — using ML models to auto-approve low-risk requests and flag anomalies for human review
      • Natural language policy authoring — enabling data stewards to define access rules in plain language, translated into enforceable policy code
      • Semantic search for access discovery — helping users understand what access they need and how to obtain it (aligned with Discover's Search 2.0 / LLM-assisted retrieval vision)
      • Anomaly detection & risk scoring — applying behavioral analytics to detect unusual access patterns and dynamically adjust permissions.
  • Stay current on GenAI capabilities and proactively propose experiments that reduce manual effort, improve user experience, and accelerate time-to-access.
  • Collaborate with the Decision Intelligence and Data & AI Studio teams to leverage shared AI/ML infrastructure for EDAC automation use cases.
  • Own the adoption strategy for EDAC — ensuring that access control capabilities are not just built but actively used, understood, and valued by data stewards and consumers across all divisions.
  • Apply design thinking and user-centric principles to simplify complex access workflows:
      • Map end-to-end user journeys for data consumers (from discovery → access request → provisioning → consumption)
      • Map data steward journeys (from policy definition → enforcement → audit → iteration)
      • Identify and eliminate friction points that slow adoption or create shadow workarounds.
  • Build self-service experiences that empower domain teams to manage their own access policies without requiring central IT intervention.
  • Establish feedback loops (surveys, usage analytics, user interviews, retrospectives) to continuously improve the product based on real user behavior and satisfaction.
  • Partner with the E2E Capability Services team (UX, adoption, agile, BA) to design enablement programs, onboarding journeys, and training materials that drive sustained adoption.
  • Track and report on adoption funnels: awareness → trial → active use → advocacy, with clear actions to improve conversion at each stage.
  • Design and evolve sophisticated access control models that go beyond traditional Role-Based Access Control (RBAC) to implement:
      • Attribute-Based Access Control (ABAC) — fine-grained, context-aware authorization decisions based on user attributes, data attributes, environmental context, and organizational policies
      • Policy-Based Access Control (PBAC) — leveraging frameworks like XACML, OPA/Rego, or Cedar for externalized, auditable policy definitions
      • Purpose-Based Access Control — ensuring data access is tied to declared business purposes and consent frameworks
      • Dynamic/Risk-Adaptive Access — adjusting access decisions based on real-time risk signals and behavioral analytics.
  • Maintain deep expertise across multiple access technologies and platforms, including:
      • Immuta (data security platform — policy enforcement at the data layer)
      • SailPoint / Saviynt (Identity Governance & Administration)
      • Okta / Azure AD / Entra ID (Identity Providers, SSO, SAML, OAuth/OIDC)
      • Apache Ranger / Trino access controls (data platform-level enforcement)
      • Open Policy Agent (OPA) (general-purpose policy engine)
      • HashiCorp Vault (secrets management and dynamic credentials).
  • Ensure access control mechanisms integrate seamlessly with enterprise identity management (Active Directory, SailPoint) and data platforms (Databricks, Redshift, Trino).
  • Balance security rigor with usability — protecting sensitive data without creating excessive friction for legitimate data consumers.
  • Own and prioritize the EDAC product backlog, ensuring it reflects strategic priorities, stakeholder needs, adoption goals, and technical debt reduction.
  • Write clear user stories, epics, and acceptance criteria that translate complex access control requirements into actionable engineering work.
  • Participate actively in sprint planning, daily standups, reviews, and retrospectives with the engineering team.
  • Make real-time prioritization decisions, balancing feature development, security hardening, automation initiatives, operational excellence, and platform stability.
  • Implement audit, logging, and compliance reporting capabilities that provide transparency into access patterns and policy enforcement.
  • Drive release planning and go-to-market for new EDAC capabilities, including stakeholder communications, enablement materials, and adoption campaigns.
  • Ensure every release is tied to a measurable outcome — not just "shipped" but "adopted and delivering value".
  • Partner with Data Governance, Security, and Compliance teams to ensure EDAC policies align with enterprise standards.
  • Collaborate with the API Orchestration Product Manager to ensure EDAC integrates cleanly as the authorization layer within the API gateway.
  • Work with domain teams across divisions to pilot new access models, gather feedback, and iterate before broader rollout.
  • Create enablement materials, training programs, and office hours that build access control competency across the organization.
  • Contribute to the inner-source community model, enabling developers across divisions to extend EDAC capabilities through well-defined contribution workflows.


Qualifications, Skills & Experience Required

  • Bachelor's or Master's degree in Computer Science, Information Security, Software Engineering, or related technical field.
  • 5+ years of product management or product ownership experience in access control, identity management, data security, or data platform products.
  • Deep, hands-on expertise in access control domains including RBAC, ABAC, PBAC, and dynamic/contextual authorization models.
  • Hands-on experience with 2+ industry-leading access control or data security platforms such as:
      • Immuta, Privacera, or Collibra Data Access Governance
      • SailPoint, Saviynt, or equivalent IGA platforms
      • Open Policy Agent (OPA), Cedar, or XACML-based policy engines
      • Apache Ranger, Trino security, or Databricks Unity Catalog access controls.
  • Strong understanding of identity protocols and standards: OAuth 2.0, OpenID Connect, SAML, SCIM, JWT, mutual TLS.
  • Demonstrated experience driving product adoption and usage growth — not just building features but ensuring they are actively used and valued.
  • Experience with AI/ML-driven automation in product workflows — either building AI-powered features or leveraging GenAI to improve product operations, user experience, or governance automation.
  • Proven track record of outcome-driven product delivery — defining success metrics, measuring business impact, and iterating based on data.
  • Strong user-centric thinking — experience with design thinking, user research, journey mapping, and translating user pain points into product improvements.
  • Experience translating security and compliance requirements into product features in regulated industries.
  • Proven ability to operate in a dual Product Manager / Product Owner capacity — comfortable with both strategic roadmapping and hands-on backlog management.
  • Strong technical background with ability to read architecture diagrams, understand data flows, and engage deeply with engineering teams.
  • Excellent stakeholder management skills with ability to influence technical and business audiences across organizational boundaries.
  • Proficiency with agile methodologies (Scrum/Kanban), backlog prioritization frameworks, and release management.


Nice to have

  • Hands-on development or engineering experience with access control systems, policy engines, or identity platforms.
  • Experience building GenAI-powered product features (e.g., LLM-based policy generation, natural language interfaces, intelligent recommendations).
  • Experience with MuleSoft Anypoint Platform or equivalent API management/orchestration platforms (Apigee, Kong, AWS API Gateway).
  • Knowledge of data mesh / data fabric architectures and federated data governance models.
  • Familiarity with service mesh architectures (Istio, Envoy) and zero-trust networking principles.
  • Experience with Collibra (data catalog/governance) and metadata-driven policy automation.
  • Background in pharmaceutical, healthcare, or highly regulated industries (GxP, HIPAA, GDPR).
  • Certifications in identity/access management (CISSP, CISM) or relevant platform certifications (Immuta, SailPoint, OPA).
  • Experience building or contributing to inner-source / open-source communities.
  • Understanding of event-driven architectures and real-time access decision patterns.
  • Experience with product-led growth (PLG) strategies and self-service adoption models.


What we offer

  • Exciting work in a great team, global projects, international environment.
  • Opportunity to learn and grow professionally within the company globally.
  • Hybrid working model, flexible role pattern (e.g., even 80% full-time is possible in justified cases).
  • Pension and health insurance contributions.
  • Internal reward system plus referral programme.
  • 5 weeks annual leave, 5 sick days, 15 days of certified sick leave paid above statutory requirements annually, 40 paid hours annually for volunteering activities, 12 weeks of parental contribution.
  • Cafeteria for tax free benefits according to your choice (meal vouchers, sport, culture, health, travel, etc.), Multisport Card.
  • Vodafone, Raiffeisen Bank and Foodora discount programmes.
  • Up-to-date laptop and iPhone.
  • Parking in the garage, showers, refreshments, massage chairs, library, music corner.
  • Competitive salary, incentive pay, and many more.


Ready to take up the challenge? Apply now!
Know anybody who might be interested?
Refer this job!

Required Skills:

Asset Management, Attribute-Based Access Control, Backlog Management, Benefits Management, Collibra Data Governance, Data Stewardship, Information Security, Management System Development, Mulesoft Anypoint Platform, Mulesoft Anypoint Platform Architecture, Operational Excellence, Product Management, Product Strategies, Product Vision, Requirements Management, Sprint Planning, Stakeholder Communications, Stakeholder Relationship Management, Strategic Planning, System Designs

Search Firm Representatives Please Read Carefully
Merck & Co., Inc., Rahway, NJ, USA, also known as Merck Sharp & Dohme LLC, Rahway, NJ, USA, does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place for this position will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place. Where agency agreements are in place, introductions are position specific. Please, no phone calls or emails.

Employee Status:

Regular

Relocation:

Domestic

VISA Sponsorship:

No

Travel Requirements:

No Travel Required

Flexible Work Arrangements:

Hybrid

Shift:

Not Indicated

Valid Driving License:

No

Hazardous Material(s):

n/a

Job Posting End Date:

06/30/2026

*A job posting is effective until 11:59:59PM on the day BEFORE the listed job posting end date. Please ensure you apply to a job posting no later than the day BEFORE the job posting end date.

About MSD

At MSD, known as Merck & Co., Inc., Rahway, NJ, USA in the United States and Canada, we are unified around our purpose: We use the power of leading-edge science to save and improve lives around the world. For more than 130 years, we have brought hope to humanity through the development of important medicines and vaccines. We aspire to be the premier research-intensive biopharmaceutical company in the world – and today, we are at the forefront of research to deliver innovative health solutions that advance the prevention and treatment of diseases in people and animals. We foster a diverse and inclusive global workforce and operate responsibly every day to enable a safe, sustainable and healthy future for all people and communities. For more information, visit www.msd.com and connect with us on Facebook, Instagram, Twitter, and YouTube.

Industry: Chemicals & Materials
Company Size: 10,000+ employees
Headquarters: Rahway, New Jersey
Year Founded: Unknown
Website: msd.com