Technology Architecture Diagram
CMS technology layers, protected entry path, separate frontend
delivery, secured backend APIs and services, governed data platforms,
identity controls, and operational support technologies
PRESENTATION LAYER (REACT SPA)
Separate frontend deployable delivered to users through the
protected access path
Shared UI Components
Layout, routing, widgets, tables, filters, forms, and reusable
user interface elements
React SPA
Web client for CMS modules, dashboards, workflows, documents,
notifications, and user actions
Navigation & Routing
Screen access, module switching, and page flow control
Screen Modules
Profile, roster, attendance, events, leave, trainings,
qualifications, recruitment, productivity, and overview
Protected requests pass through enterprise and edge access controls
before reaching the private CMS application platform.
SECURITY & ACCESS LAYER
Zscaler
Enterprise-controlled access path and zero-trust access
enforcement
Akamai
WAF, DDoS protection, bot mitigation, and internet-facing edge
routing
Azure Application Gateway
Protected ingress and controlled routing into private AKS-hosted
backend services
Secure Transport
HTTPS / TLS-protected communication path across the protected
access flow
The frontend uses secured CMS backend APIs directly. There is no
dedicated BFF layer in the updated HLD.
APPLICATION LAYER
Secured frontend-facing APIs and independently deployable backend
services with orchestration handled within backend service logic
CMS Backend APIs
Frontend-facing secured APIs for UI requests, workflow actions,
document operations, and notification reads
Domain Services
Profile, roster, attendance, events, leave, trainings,
qualifications, recruitment, and productivity services
Workflow Service
Workflow state, routing, approvals, transitions, escalation, and
lifecycle management
Notification Service
Internal notifications, delivery-state tracking, retry handling,
and outbound trigger coordination
Document Management Service
Controlled upload, secure retrieval, metadata handling, and file
lifecycle management
Backend services access enterprise and operational data through
controlled server-side paths only. The browser never directly accesses
Fabric, DocumentDB, or ADLS.
DATA LAYER
Microsoft Fabric
Read-only enterprise analytical datasets consumed by backend
services for dashboards, summaries, and insight-driven reads
Azure DocumentDB
Operational application data for workflow state, notification
state, preferences, audit records, and file metadata
Azure Storage Account (Blob Storage)
Binary file storage for documents, attachments, generated
exports, and downloadable artifacts
Authentication is centralized through Azure AD, while authorization is
enforced directly inside trusted backend services.
IDENTITY & AUTHORIZATION
Azure AD
SSO, token issuance, authentication, and identity context for
secured CMS access
RBAC + ABAC
Authorization enforced directly in backend services for
protected APIs, workflows, documents, and notification access
EXTERNAL & SUPPORT TECHNOLOGIES
Datadog
Logs, metrics, traces, monitoring, and operational observability
Infobip
Email and outbound notification delivery integration for
asynchronous communication flows
Observability
Operational insight across backend services, failures, retries,
and integrations
Support Controls
Cross-cutting operational controls, governance, and runtime
support capabilities
Legend: Presentation / user-facing layer; Security & access
technologies; Core application services; Data layer; Identity &
authorization; External & support technologies