Technology Architecture Diagram
CMS technology layers showing the protected user access path,
separately deployed frontend, secured backend service landscape, data
platforms, identity controls, and operational support technologies
👥
CMS Users / Browser Access
PRESENTATION LAYER
Separate frontend deployable delivered to users through the
protected edge path
UI
Shared UI Components
Layout, widgets, filters, tables, forms, reusable cards, and
common user interaction components
React SPA
Web client for CMS dashboards, workflows, alerts, documents, and
operational user actions
NAV
Navigation & Routing
Screen access, module switching, URL routing, and page flow
control
SCR
Screen Modules
Profile, roster, attendance, events, leave, trainings,
qualifications, recruitment, productivity, and overview
User traffic is protected before it reaches the application platform,
and the browser consumes secured CMS backend APIs rather than calling
internal services or data stores directly.
SECURITY & ACCESS TECHNOLOGIES
Zscaler
Enterprise-controlled access path and zero-trust access
enforcement
Akamai
WAF, DDoS protection, bot mitigation, edge security, and
internet-facing routing
Azure Application Gateway
Protected ingress, origin-level routing, and controlled entry to
private AKS-hosted backend services
TLS
Secure Transport
HTTPS / TLS-protected communication path from browser to
protected application endpoints
APPLICATION SERVICE LAYER
Secured backend APIs and multiple backend services running as
independently deployable application components
API
CMS Backend APIs
Frontend-facing secured API layer for UI requests, workflow
actions, document operations, and notification reads with no
dedicated BFF
DOM
Domain Services
Profile, roster, attendance, events, leave, trainings,
qualifications, recruitment, and productivity service
capabilities
WF
Workflow Management Service
Workflow state, routing, approvals, transitions, escalation, and
lifecycle coordination
NT
Notification Service
In-app notification generation, delivery state tracking, retry
handling, and outbound trigger coordination
DOC
Document Management Service
Controlled upload, metadata handling, secure retrieval, and file
lifecycle management
Application services consume enterprise and operational data through
controlled backend access paths. The browser does not directly access
Fabric, DocumentDB, or ADLS.
DATA PLATFORM & STORAGE LAYER
Microsoft Fabric
Read-only enterprise analytical datasets used by backend
services for dashboards, summaries, and insight-driven views
Azure DocumentDB
Operational application store for workflow state, notification
state, preferences, audit records, and file metadata
Azure Storage Account (Blob Storage)
Binary file storage for documents, attachments, generated
exports, and downloadable artifacts
IDENTITY & AUTHORIZATION TECHNOLOGIES
Azure AD
SSO, token issuance, authentication, and identity context for
secured CMS access
RBAC
RBAC + ABAC
Authorization enforced directly in backend services for
protected APIs, workflows, notifications, and document access
EXTERNAL & SUPPORT TECHNOLOGIES
Datadog
Logs, metrics, traces, dashboards, monitoring, and operational
observability
Infobip
Email and outbound notification delivery integration for
asynchronous communication flows
OBS
Observability
Operational visibility across services, failures, retries, and
application health behavior
OPS
Support Controls
Cross-cutting support capabilities for runtime operations,
monitoring, governance, and service support
Presentation layer
Security & access technologies
Application service layer
Data platform & storage layer
Identity & authorization
External & support technologies