Data Architecture Diagram

Separation of enterprise analytical data, operational application data, file storage, and the controlled backend services that access each data domain
Application Services / Data Consumers
APPLICATION DATA ACCESS LAYER
BFF / Orchestration: Aggregates data for UI scenarios through controlled backend paths
Domain Services: Consume enterprise datasets and expose business-specific reads and actions
Workflow / Notification Services: Store and read application-owned operational state
Document Service: Coordinates metadata persistence and file/object access
The CMS does not use one store for everything. Data responsibilities are deliberately separated by purpose and access pattern.
ENTERPRISE ANALYTICAL DATA DOMAIN
Read-only source of curated enterprise information used by the CMS for views, dashboards, and insight-driven screens
Microsoft Fabric: Enterprise analytical platform exposing curated datasets to CMS backend services as a read-only data source
Read-Only Access Pattern: Consumed by backend services for roster, attendance, training, recruitment, productivity, and reporting-related reads
System of Insight: Not used as the CMS operational transaction store for workflow, notifications, or file state
OPERATIONAL APPLICATION DATA DOMAIN
Azure DocumentDB: Primary operational document store for application-owned data records and lifecycle state
Stored Operational Records: Workflow state, request records, notification state, user preferences, audit-related app records, and file metadata
System of Operation: This store belongs to CMS-owned application processes and persists live state changes under backend control
FILE / OBJECT DATA DOMAIN
ADLS Gen2: Stores binary file content and object-based artifacts rather than workflow or application-state metadata
Stored File Content: Uploaded files, linked attachments, exports, generated documents, and downloadable artifacts
Separated from Metadata: File metadata remains in the operational store while binary content is stored in the object layer
Access to each data domain is controlled by backend services. The browser does not directly access enterprise analytics, operational records, or object storage.
DATA ACCESS CONTROL & GOVERNANCE
Azure AD Context: User identity context is propagated to trusted backend paths before protected data access occurs
RBAC / ABAC: Policies determine whether reads, writes, file access, and record visibility are allowed
Backend-Only Access: Services mediate access to Fabric, DocumentDB, and ADLS instead of exposing stores directly to the client
Datadog / Auditability: Data access paths, failures, and operational events remain traceable for monitoring and review
WHY THIS DATA SPLIT EXISTS
1. Separate Insight from Operations: Fabric supports analytical consumption while DocumentDB supports live application-owned state
2. Keep Files Outside Operational Records: ADLS stores binary objects while DocumentDB keeps only metadata and references
3. Protect Backend Boundaries: Data access is enforced through trusted backend services rather than through direct client paths
4. Support Clear Ownership: Each storage technology serves a clear responsibility aligned to architecture and governance needs