Systems Administrator - Tier II

Yield Solutions Group, LLC
Englewood, United States of America
4 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$ 100K

Job location

Englewood, United States of America

Tech stack

Multitier Architecture
Microsoft Windows
Microsoft Active Directory
Amazon Web Services (AWS)
Business Software
Software as a Service
Configuration Management
Computer Security
Databases
Data Recovery
DevOps
Identity and Access Management
Virtual Private Networks (VPN)
PostgreSQL
MariaDB
Networking Basics
Operational Databases
Software Vulnerability Management
Datadog
Spring-boot
Firewalls (Computer Science)
Gitlab
Microsoft InTune
Deployment Automation
User Accounts

Job description

RefiJet processes thousands of auto loan refinancing applications every month across 30+ lending partners. That volume runs on Java Spring Boot services, AWS infrastructure, PostgreSQL and MariaDB databases, and a regulatory environment - FCRA, GLBA, SOC 2 - that requires every change to be documented, every endpoint to be compliant, and every access decision to be defensible.

The Systems Administrator, Tier II is the operational layer that holds all of that together. This is a senior individual contributor role, not a generalist help desk function. Tier I handles first-contact triage. Tier II owns what Tier I cannot resolve: stuck MFA enrollments, IAM role misconfigurations in AWS, permission conflicts in GitLab, and anything else that requires genuine diagnosis before escalation. At the same time, Tier II owns several operational domains outright - identity and access management, endpoint compliance, backup verification, monitoring response, and the documentation that survives a SOC 2 audit.

The person in this role needs to be technically grounded, documentation-disciplined, and comfortable working in a regulated environment where "I'll document that later" is not an option.

What You'll Do - Key Responsibilities

Identity & Access Management

Provision and deprovision user accounts across Active Directory, AWS IAM, and the full RefiJet SaaS stack. When a new employee onboards you build out the complete access profile, not just the basic account.

Resolve Tier I escalations in this domain: stuck MFA enrollments, IAM role misconfigurations, permission conflicts in GitLab, and access inconsistencies that require actual investigation to diagnose.

Maintain access documentation that reflects current state at all times. In a SOC 2 environment, access records are audit evidence.

Endpoint & Device Management

Image, configure, and manage workstations across the organization using Microsoft Intune and Autopilot. Own the full device lifecycle from Autopilot enrollment and provisioning profile assignment through Intune configuration policy application, compliance policy enforcement, and patch cycle execution - scheduling, documentation, and remediation included.

Verify endpoint compliance against SOC 2 control requirements using Intune's compliance reporting. When a gap surfaces - and SOC 2 audits surface them - you own the remediation and the written record of what you did. Troubleshoot Autopilot enrollment failures and Intune policy conflicts before they require escalation.

Coordinate with the Director of IT/InfoSec on endpoint policy standards and any findings that require a policy-level response.

Server & Infrastructure Operations

Monitor on-prem and AWS resources on a routine basis: health checks, capacity monitoring, performance baselines.

Execute maintenance windows, including OS patching, disk management, and scheduled restarts. Coordinate with DevOps before touching anything that sits under the Java Spring Boot services running in AWS.

Document all infrastructure changes in a change log that can be reviewed without your presence to explain it.

Network & Connectivity

Manage DNS and DHCP configurations. Troubleshoot VPN issues at the routing and configuration level, not just the client level. Review Firewall ACLs when connectivity issues require it.

When an issue requires DevOps or InfoSec escalation, hand it off with a clear, specific problem statement - what you've ruled out, what you believe the root cause is, what you've already tried.

Security Operations

Participate in vulnerability remediation cycles under the direction of the Director of IT/InfoSec. This means executing the operational work: patching, configuration changes, verification, and documentation.

Work with the DevOps team to respond to Datadog alerts that are security-adjacent with the same operational rigor as any other alert: acknowledge, work the runbook, escalate with context when the runbook doesn't resolve it.

Enforce endpoint compliance policies in a way that holds up against FCRA, GLBA, and SOC 2 requirements. The Director of IT/InfoSec owns the strategy; this role is the operational execution arm.

Application & SaaS Administration

Administer the full productivity and collaboration stack at the admin level: GitLab, AWS console access management, and the line-of-business applications that support the loan processing pipeline.

Handle Back End configuration changes that end users never see - permission structures, integration settings, SSO configurations, license management - and document every change.

Serve as the internal subject matter contact for admin-level issues on the platforms you own. When something breaks in a way users cannot fix themselves, it comes here.

Backup & Recovery

Verify that backup jobs completed successfully across all covered systems. Identify and respond to failures before they become recovery events.

Work with the DevOps team to run scheduled restore tests against PostgreSQL and MariaDB instances connected to live lender data. Document the results in a format that demonstrates the test was actually performed and the restore was actually validated.

Maintain recovery documentation that is current and tested, not aspirational.

Monitoring & Alerting

Own the operational response side: acknowledging alerts, working through established runbooks, and escalating with full context when escalation is warranted.

Contribute to runbook maintenance when gaps or inaccuracies are identified. You are not building the observability stack - that is DevOps - but you are its primary operational consumer, and that means you have standing to flag when it needs improvement.

Documentation

Maintain runbooks, SOPs, and change logs for every operational domain you own. This is not supplemental work - it is a core deliverable in a SOC 2 environment.

Write documentation that a colleague or auditor can follow independently, without asking you clarifying questions. Ambiguous documentation in a regulated environment is a liability.

Escalation Triage

Receive everything Tier I cannot resolve. Diagnose it accurately. Either resolve it or escalate it - to DevOps, InfoSec, or a vendor - with a specific, well-documented problem statement.

The standard here is clean handoff, not necessarily full resolution. Passing a vague ticket upward is not an acceptable outcome at any escalation level.

Requirements

3+ years in a systems administration role, with clear Tier II or higher responsibilities (not just Tier I volume with a different title)

Active Directory administration: user and group management, group policy, troubleshooting authentication and access issues in Windows-based environments

Microsoft Intune: configuration policy management, compliance policy enforcement, device enrollment, and the compliance reporting that SOC 2 audits require

Microsoft Autopilot: deployment profile creation and assignment, enrollment troubleshooting, and hardware provisioning workflows for new and replacement devices

AWS IAM at an operational level: creating and managing roles, policies, and users; identifying and resolving access misconfigurations; understanding how IAM interacts with services running in the environment

Datadog or equivalent monitoring platform: alert acknowledgment, runbook execution, escalation workflows, and enough observability literacy to know when an alert is noise versus signal

Network fundamentals applied in practice: DNS and DHCP configuration management, VPN troubleshooting beyond the client layer, Firewall ACL review, routing concepts sufficient to diagnose and describe connectivity issues accurately

Backup and recovery: hands-on experience verifying job completion, executing restore tests, and documenting results for production database environments

GitLab or equivalent DevOps platform administration at the admin level - not just as a user

SOC 2 operational familiarity: what documentation compliance looks like in practice, what an auditor expects, and how to build habits that hold up under review

Written communication that produces clear, self-contained runbooks and change logs - not notes that only make sense if you wrote them

Nice to Have

The following are not requirements, but candidates who bring any of these will have a shorter ramp to full operational impact.

Experience with auto lending, auto refinancing, or consumer credit products.

Familiarity with loan origination systems (LOS), credit decisioning, or lending infrastructure.

Experience working with external partners or B2B clients in a product-led organization.

Benefits & conditions

Base Salary: $80,000 - $100,000 annually, commensurate with experience

Bonus: Performance-based incentives tied to company and individual goals

Benefits: Comprehensive benefits including health, dental, vision, life insurance, 401(k), PTO, career development opportunities, and the chance to join Denver's Best Place to Work (2024 & 2025) with a dynamic culture focused on internal promotion and employee growth.

Equal Opportunity Statement

Yield Solutions Group is an Equal Opportunity Employer. We are committed to creating an inclusive environment for all employees and applicants.

Apply for this position