Dynamic Sequence – SailPoint User Retrieval & Access Sync

Crew Management System – end-to-end SailPoint user retrieval and access sync sequence through the secured frontend API path, BFF token validation and request admission, backend authorization, secure user information retrieval from SailPoint IdentityIQ, optional CMS-side user reference / sync update in Azure DocumentDB, observability / audit capture through Datadog, and final user profile / status response returned to the React Single Page Application.
User
Authenticated user or admin opens a user-related CMS screen such as profile, user details, or user administration
Browser / React SPA
Sends secured user retrieval request and displays the returned profile, status, or lifecycle information
Akamai
Public edge entry applying WAF, DDoS protection, bot filtering, and secure routing
Azure Application Gateway
Protected origin ingress with WAF before traffic reaches private AKS-hosted application entry points
IBM API Connect
API exposure, governance, and controlled forwarding for frontend-facing user APIs
BFF Service
Validates Azure AD access token, admits the request, and routes user-retrieval requests to backend services
User Management Service
Enforces backend authorization, calls SailPoint IdentityIQ, maps user data, and prepares CMS response payload
SailPoint IdentityIQ
Authoritative enterprise system for user information, user status, lifecycle state, and governed identity data
Azure DocumentDB
Optional CMS-side store for a user reference, sync marker, role-mapping support data, or cached linkage metadata; it holds linkage to the SailPoint record, never the authoritative identity record itself
Datadog / Audit
Captures logs, traces, user sync visibility, access audit, and integration outcomes
Returned Result
User profile, status, lifecycle response, or access-related result returned to the UI
1. User opens user-related screen
User opens a profile, user-detail, or user-administration screen in CMS
2. Frontend sends secured request
React SPA sends secured user retrieval request with Azure AD access token
3. Protected frontend API path
Request passes through Akamai → Azure Application Gateway → IBM API Connect
4. BFF receives request
BFF receives the secured user retrieval request
5. Token validation and request admission
BFF validates the token signature against the Azure AD tenant's published signing keys, then checks issuer, audience, expiry / not-before, and required claims (subject, tenant, roles or scopes) and admits or rejects the request before any backend call is made
6. Route to User Management Service
BFF forwards the request to User Management Service
7. Enforce backend authorization
User Management Service enforces backend RBAC (the caller's app roles) and ABAC (caller attributes such as subject and organisation against the target user) before performing the user lookup; it does not rely on the BFF's admission decision alone
8. Request user data from SailPoint
User Management Service sends an authenticated API request to SailPoint IdentityIQ for user information, status, and lifecycle data; the frontend never calls SailPoint directly
9. SailPoint returns governed identity data
SailPoint IdentityIQ returns user profile, status, lifecycle state, and governed identity attributes
10. Optional CMS-side reference update
When CMS needs a local reference, User Management Service writes or updates the CMS-side user reference / sync marker in Azure DocumentDB
11. Storage acknowledgement
Azure DocumentDB acknowledges persistence of the user reference or sync state (skipped when step 10 is not needed)
12. Emit observability and audit
User retrieval, integration response, sync outcome, and audit trace data (actor and target identifiers, decision, and outcome, not token contents or full identity payloads) are sent to the Datadog / audit path
13. Build final CMS response
User Management Service returns mapped CMS user response to the BFF
14. Return final payload to frontend
BFF returns user profile, status, and lifecycle response to the React SPA
15. Render user information
React displays the returned user information and current access-related status
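Worked example of the backend half of steps 5 to 13 (added here; this is not Crew Management System code). It chains BFF token admission, backend RBAC + ABAC, mapping of a SailPoint IdentityIQ record into the CMS payload with the optional DocumentDB sync marker, and the audit record. Everything beyond the sequence itself is an assumption: the tenant issuer, the audience `api://cms-bff`, the role names `CMS.UserAdmin`, `CMS.CrewLead` and `CMS.User`, the `org` claim, the IdentityIQ field names, and the HS256 stand-in signature (a real BFF verifies Azure AD's RS256 signature against the tenant's JWKS; that is the only piece swapped out so the example runs offline).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed placeholders, not the real CMS tenant or app registration.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
AUDIENCE = "api://cms-bff"
# Stand-in secret so the example runs offline. A real BFF verifies the RS256
# signature against the keys published at the Azure AD tenant's JWKS endpoint.
DEMO_KEY = b"demo-only-stand-in-key"


class TokenRejected(Exception):
    """BFF admission failure; the reason string never carries token contents."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Constructed test token (HS256 stand-in for the RS256 token Azure AD issues)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"


def validate_access_token(token: str, now: Optional[int] = None) -> dict:
    """Step 5 at the BFF: signature, pinned alg, issuer, audience, exp/nbf, required claims."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64u_decode(h))
        claims = json.loads(_b64u_decode(p))
        sig = _b64u_decode(s)
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        raise TokenRejected("malformed")
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        raise TokenRejected("alg")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("signature")
    if claims.get("iss") != ISSUER:
        raise TokenRejected("issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenRejected("audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("expired")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("not_yet_valid")
    for required in ("sub", "oid", "tid"):
        if required not in claims:
            raise TokenRejected("missing_claim")
    return claims


def authorize_user_lookup(claims: dict, target_oid: str, target_org: str) -> Tuple[bool, str]:
    """Step 7 in User Management Service: RBAC on app roles, then ABAC on subject and org (assumed names)."""
    roles = set(claims.get("roles", []))
    if "CMS.UserAdmin" in roles:
        return True, "rbac:user_admin"
    if "CMS.CrewLead" in roles and claims.get("org") == target_org:
        return True, "abac:same_org_lead"
    if "CMS.User" in roles and claims["oid"] == target_oid:
        return True, "abac:self"
    return False, "deny:no_matching_rule"


def map_sailpoint_identity(identity: dict) -> dict:
    """Step 13: copy only the fields the UI needs from the IdentityIQ record (field names assumed)."""
    attrs = identity.get("attributes", {})
    return {"userId": identity["userName"], "displayName": identity["displayName"],
            "status": "ACTIVE" if identity.get("active") else "INACTIVE",
            "lifecycleState": attrs.get("lifecycleState"), "email": attrs.get("email")}


def build_sync_marker(identity: dict, now: int) -> dict:
    """Step 10: CMS-side DocumentDB reference; it links to, and never replaces, the SailPoint record."""
    return {"id": f"userref:{identity['userName']}", "sailpointId": identity["id"],
            "lifecycleState": identity.get("attributes", {}).get("lifecycleState"),
            "syncedAt": now, "source": "SailPoint IdentityIQ"}


def audit_event(claims: dict, target_oid: str, allowed: bool, reason: str, now: int) -> dict:
    """Step 12: Datadog / audit record with identifiers and outcome only, no token or identity payload."""
    return {"ts": now, "action": "user.lookup", "actorOid": claims["oid"], "tenant": claims["tid"],
            "targetOid": target_oid, "allowed": allowed, "reason": reason}


def handle_user_lookup(token: str, target_oid: str, target_org: str, identity: dict, now: int) -> dict:
    """Run one request through steps 5, 7, 10, 12 and 13; `identity` stands in for the step 9 response."""
    claims = validate_access_token(token, now)
    allowed, reason = authorize_user_lookup(claims, target_oid, target_org)
    event = audit_event(claims, target_oid, allowed, reason, now)
    if not allowed:
        return {"status": 403, "audit": event}
    return {"status": 200, "body": map_sailpoint_identity(identity),
            "syncMarker": build_sync_marker(identity, now), "audit": event}


# Constructed sample inputs (fictitious tenant, users and SailPoint record).
NOW = 1_700_000_000
ADMIN_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "sub-admin", "oid": "oid-admin", "tid": "tid-1",
                "roles": ["CMS.UserAdmin"], "exp": NOW + 600, "nbf": NOW - 60}
CREW_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "sub-crew", "oid": "oid-crew", "tid": "tid-1",
               "roles": ["CMS.User"], "org": "fleet-a", "exp": NOW + 600}
SAMPLE_IDENTITY = {"id": "2c918085-0000", "userName": "jdoe", "displayName": "J. Doe", "active": True,
                   "attributes": {"lifecycleState": "active", "email": "jdoe@example.com", "org": "fleet-a"}}

if __name__ == "__main__":
    print(json.dumps(handle_user_lookup(mint_demo_token(CREW_CLAIMS), "oid-crew", "fleet-a",
                                        SAMPLE_IDENTITY, NOW), indent=2))
```

The ordering matters: the audit record is produced for denied lookups as well as allowed ones, and the SailPoint call and DocumentDB write only happen after both the BFF admission and the backend authorization have passed, which is the separation the notes below describe.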
Authoritative user source: SailPoint IdentityIQ is the authoritative enterprise system for user information, user status, and lifecycle governance, while CMS consumes user-related data through backend services rather than exposing identity systems directly to the frontend.
Secured access model: Frontend-facing requests follow the protected path through Akamai, Azure Application Gateway, IBM API Connect, and the BFF. Token validation and request admission happen at the BFF, while business authorization remains enforced in backend services.
CMS-side reference handling: Azure DocumentDB can be used for CMS-owned user reference data, sync markers, or linkage information when required, but SailPoint remains the source of truth for enterprise user identity and lifecycle state.
Swimlanes: User action | Frontend / browser | Edge security | Ingress / API gateway | BFF processing | User service logic | SailPoint identity source | CMS-side storage | Observability / audit | Returned result