Dynamic Sequence – Document Download

End-to-end download sequence showing file request, BFF coordination, authorization, metadata lookup, file retrieval, and observability
USER
User
Initiates document download from the CMS screen
Browser / React SPA
Requests file retrieval and receives the download response
BFF
BFF / Orchestration
Receives download request and forwards to document service
DOC
Document Management Service
Validates, authorizes, resolves metadata, and coordinates file retrieval
DDB
Azure DocumentDB
Stores metadata, ownership, references, and document linkage
ADLS
ADLS Gen2
Stores the binary file / object that will be returned
DD
Datadog / Audit
Tracks logs, metrics, traces, and download audit events
DL
Returned File
Authorized file response is delivered back to the user
1. Request file
User clicks download for a stored document
2. Send download request
React sends document download request to BFF
3. Forward to document service
BFF forwards file reference and context to Document Service
4. Validate request
Document service validates requested file reference and intent
5. Authorize access
RBAC / ABAC check confirms download permission
6. Resolve metadata
Document service queries DocumentDB for metadata and file reference
7. Metadata returned
DocumentDB returns file metadata and storage reference
8. Retrieve file content
Document service requests binary file from ADLS Gen2
9. File returned
ADLS returns authorized file content / object stream
10. Emit logs & audit
Download event, status, and trace data are sent to Datadog / audit path
11. Build final response
Document service returns file response to BFF
12. Return file payload
BFF returns final download response to the frontend
13. Deliver file to user
UI starts the authorized file download for the user
Controlled download path: The browser never reads storage directly. Download actions are mediated through the BFF and Document Management Service.
Separated resolution path: Metadata is resolved from DocumentDB first, then binary content is retrieved from ADLS Gen2 using the backend-controlled reference.
Auditable access: Download events, failures, and success outcomes are observable through Datadog and audit-oriented backend logging.
User action Frontend / returned file BFF orchestration Document service logic Metadata lookup File retrieval Observability / audit
This dynamic sequence shows how a CMS document download is validated, authorized, resolved through metadata, retrieved from object storage, and returned to the user through a controlled backend flow.