Document Upload / Download Architecture
Controlled document flow showing user actions through the secured
frontend path, BFF request admission, backend authorization, document
management handling, metadata persistence in Azure DocumentDB, binary
storage in Azure Storage Account (Blob Storage), virus scanning and
upload validation controls, document generation through RX Document
Service, and secure time-limited retrieval paths.
USER ENTRY & SECURED FRONTEND PATH
All document operations start from the user interface and pass
through the approved secured frontend entry path before reaching
backend services.
CMS User
Initiates upload, download, list, or export actions from the
application interface
React SPA
Captures document actions, displays progress, and calls
frontend-facing APIs
Akamai
Public edge entry with WAF, DDoS protection, bot filtering, and
controlled routing
Azure Application Gateway
Protected origin ingress with WAF before traffic reaches private
AKS entry points
IBM API Connect
API exposure, governance, and controlled forwarding for document
APIs
BFF Service
Validates the Azure AD token, performs request admission, and routes
document operations
BACKEND REQUEST HANDLING & DOCUMENT CONTROL
After the BFF admits the request, backend document services apply
authorization, request validation, routing, and operation-specific
control.
AUTH
Backend Authorization
RBAC + ABAC checks determine whether the user may upload,
generate, link, read, or download a document
VAL
Request Validation
Checks request shape, target entity, document intent, file
rules, metadata completeness, and operation type
DOC
Document Management Service
Central backend control point for upload-init, upload-commit,
listing, secure retrieval, and lifecycle handling
UP / DL
Upload / Download Control
Issues signed upload or download access only after validation
and authorization succeed
LIFE
Document Lifecycle Control
Maintains linkage, status, workflow relationship, ownership, and
availability state
UPLOAD / GENERATION / DOWNLOAD PATHS
Different document operations reuse the same control model but
follow different backend actions depending on whether the file is
uploaded, generated, or retrieved.
UP
Upload Path
Backend prepares a pending document record, issues short-lived
signed upload access, verifies uploaded object existence, then
runs upload validation and virus scanning controls before final
activation.
RX
RX Document Service
When export or generated document output is requested, the backend
invokes RX Document Service to create PDF / CSV / Excel outputs,
then stores the generated file in Blob Storage and records metadata
in DocumentDB.
DL
Download Path
Backend resolves metadata, validates access, and returns a
short-lived signed retrieval link so the browser downloads
directly from Blob Storage without unrestricted direct access.
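As an added example (not the project's code), the upload and download paths above modelled end to end: a pending metadata record, short-lived links bound to one blob and one operation (an HMAC-signed URL stands in for an Azure Blob SAS; key, host and TTL are constructed), an object-existence check at upload-commit, and activation gated on the scan verdict so that a quarantined or pending document never yields a download link.

```python
"""Upload/download control model: pending record, short-lived signed URL (SAS stand-in), scan-gated activation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

SIGNING_KEY = b"constructed-demo-key"  # constructed; real SAS tokens are signed by Azure
TTL_SECONDS = 300                      # constructed policy: links live five minutes

@dataclass
class DocumentRecord:  # metadata side (DocumentDB); the bytes live in Blob Storage
    doc_id: str
    owner: str
    status: str = "pending"  # pending -> active, or pending -> quarantined
    checksum: str = ""

def sign_url(blob_path: str, op: str, now: int) -> str:
    """Issue a time-limited URL bound to one blob and one operation (read or write)."""
    exp = now + TTL_SECONDS
    sig = hmac.new(SIGNING_KEY, f"{op}:{blob_path}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://blob.example/{blob_path}?op={op}&exp={exp}&sig={sig}"  # constructed host

def verify_url(url: str, op: str, now: int) -> bool:
    """Storage-side check: signature matches, operation matches, link not expired."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    path = parsed.path.lstrip("/")
    expected = hmac.new(SIGNING_KEY, f"{q['op']}:{path}:{q['exp']}".encode(), hashlib.sha256).hexdigest()
    return q["op"] == op and now < int(q["exp"]) and hmac.compare_digest(q["sig"], expected)

def upload_init(rec: DocumentRecord, now: int) -> str:
    """Upload-init: record stays pending; the browser gets a short write-only link."""
    return sign_url(f"docs/{rec.doc_id}", "write", now)

def upload_commit(rec: DocumentRecord, blob_store: dict, scan_verdict: str) -> str:
    """Upload-commit: confirm the object exists, record its checksum, gate activation on the scan."""
    data = blob_store.get(f"docs/{rec.doc_id}")
    if data is None:
        return "denied: object missing"
    rec.checksum = hashlib.sha256(data).hexdigest()
    rec.status = "active" if scan_verdict == "clean" else "quarantined"
    return rec.status

def download_link(rec: DocumentRecord, user: str, now: int) -> Optional[str]:
    """Download: active documents only, authorized user only (ownership stands in for RBAC/ABAC)."""
    if rec.status != "active" or rec.owner != user:
        return None
    return sign_url(f"docs/{rec.doc_id}", "read", now)
```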
METADATA, BINARY STORAGE, AND VIRUS SCANNING BOUNDARIES
CMS separates operational metadata from binary file storage and
applies upload monitoring, malware controls, and validation before
activation.
Azure DocumentDB
Stores document metadata, status, workflow linkage, ownership,
checksums, upload state, and references to binary content.
Azure Storage Account (Blob Storage)
Stores uploaded files, generated documents, exports,
attachments, and downloadable artifacts as binary objects.
CASB
CASB Monitoring
Monitors uploaded files and may block or quarantine malicious
content before document activation.
OPS
OPSWAT (Future State)
Planned future-state deep file scanning service for stronger
virus scanning, malware inspection, and document validation.
SEP
Separation of Responsibility
Metadata remains in DocumentDB while binary persistence remains
in Blob Storage, keeping operational state separate from file
objects.
SECURITY, IDENTITY, AUDIT, AND CONTROL
Document operations remain controlled by backend authorization,
identity context, signed access control, and operational monitoring.
Azure AD Context
Authenticated identity and token claims are used by the BFF and
backend services
RBAC
RBAC / ABAC Enforcement
Policies determine whether the user may upload, generate, read,
link, or retrieve a document
SAS
Short-Lived Signed Access
Uploads and downloads use time-limited signed URLs instead of
unrestricted direct storage access
Datadog / Audit
Receives observability signals, logs, traces, retry outcomes,
and audit visibility for document operations
END-TO-END OUTCOMES
OK
Upload Successful
File stored in Blob Storage and metadata finalized in DocumentDB
after required validation and virus scanning steps
GEN
Generated Document Ready
RX Document Service output stored in Blob Storage and linked to
metadata for secure retrieval
RET
Download Returned
Authorized user receives a controlled short-lived retrieval path
for the requested file
DENY
Blocked / Quarantined / Denied
Policy failure, invalid state, expired link, or virus-scan
result prevents access or activation
Upload, generation, and download all remain backend-controlled. The
browser never receives unrestricted permanent storage access, and
document activation occurs only after required validation, malware
monitoring, and scanning steps are completed.
Secured frontend path
Backend request handling
Document management logic
Metadata & storage boundaries
Security & control model
Virus scanning / validation
Observability / audit
End-to-end outcomes