Data Flow Diagrams
Visual reference for how data moves through the Microtec ERP platform — from browser to storage, tenant database isolation, async message flows, and attachment handling.
Primary Request Data Flow
Every user action follows this path from browser to database and back.
Tenant Database Isolation
Each tenant operates in an entirely separate SQL database. There is no shared table or row-level isolation — complete database separation.
DataProtection Note
Connection strings in the AdminDB are encrypted using ASP.NET Core DataProtection. Keys are machine-specific. Migrating encrypted connection strings to a new server requires key migration — see Runbook: DataProtection Key Migration.
Database naming:
| Database | Purpose |
|---|---|
| MicrotecAdmin | Tenant registry, global config, subscription management |
| Tenant_{tenantId} | All ERP data for one tenant |
| Microtec_Hangfire | Background job storage (shared across tenants) |
Azure Service Bus Message Flow
Async inter-service communication uses Azure Service Bus topics with fan-out subscriptions.
Message envelope (all ASB messages):
```json
{
  "messageId": "uuid",
  "correlationId": "request-correlation-id",
  "tenantId": "tenant-uuid",
  "occurredAt": "2026-05-30T10:00:00Z",
  "eventType": "InvoiceCreatedEvent",
  "payload": { "invoiceId": 42, "number": "INV-2026-001" }
}
```
Retry policy: 5 retries with exponential backoff (10s, 20s, 40s, 80s, 160s). After 5 failures, messages go to the dead-letter queue. The Platform team is alerted when DLQ count > 10.
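Because `tenantId` in the envelope decides which tenant database a consumer works against, a consumer can validate the envelope strictly before doing any tenant lookup. The following C# sketch is an added example, not Microtec platform code; `Envelope`, `EnvelopeValidator`, the event allow-list and the sample messages are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.Json;

// Constructed sample messages, not real traffic (raw string literal needs C# 11+).
string good = """
    {"messageId":"0b6f1c2e-8d3a-4f57-9a10-2c4e6f8a1b3d","correlationId":"req-1",
     "tenantId":"7e2d9c44-5b1a-4c3e-8f60-9d1a2b3c4d5e","occurredAt":"2026-05-30T10:00:00Z",
     "eventType":"InvoiceCreatedEvent","payload":{"invoiceId":42,"number":"INV-2026-001"}}
    """;
string bad = good.Replace("7e2d9c44-5b1a-4c3e-8f60-9d1a2b3c4d5e", "not-a-uuid");
foreach (var json in new[] { good, bad })
    Console.WriteLine(EnvelopeValidator.Validate(json, out var env) ?? $"ok, tenant {env!.TenantId}");

public sealed record Envelope(Guid MessageId, string CorrelationId, Guid TenantId,
    DateTimeOffset OccurredAt, string EventType, JsonElement Payload);

public static class EnvelopeValidator
{
    // Assumption: each consumer keeps an allow-list of the event types it handles.
    private static readonly HashSet<string> KnownEvents = new() { "InvoiceCreatedEvent" };
    // Returns null when the envelope is valid, otherwise the rejection reason.
    public static string? Validate(string json, out Envelope? envelope)
    {
        envelope = null;
        JsonDocument doc;
        try { doc = JsonDocument.Parse(json); }
        catch (JsonException) { return "body is not valid JSON"; }
        using (doc)
        {
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return "envelope is not a JSON object";
            string? Str(string name) => root.TryGetProperty(name, out var p)
                && p.ValueKind == JsonValueKind.String ? p.GetString() : null;
            if (!Guid.TryParseExact(Str("messageId"), "D", out var messageId)) return "messageId is not a UUID";
            // tenantId decides which tenant database is used: accept only a strict, non-empty UUID.
            if (!Guid.TryParseExact(Str("tenantId"), "D", out var tenantId) || tenantId == Guid.Empty) return "tenantId is not a UUID";
            if (Str("correlationId") is not { Length: > 0 } correlationId) return "correlationId is missing";
            if (!DateTimeOffset.TryParse(Str("occurredAt"), CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal, out var occurredAt)) return "occurredAt is not a timestamp";
            if (Str("eventType") is not { } eventType || !KnownEvents.Contains(eventType)) return "unknown eventType";
            if (!root.TryGetProperty("payload", out var payload) || payload.ValueKind != JsonValueKind.Object)
                return "payload is not an object";
            envelope = new Envelope(messageId, correlationId, tenantId, occurredAt, eventType, payload.Clone());
            return null;
        }
    }
}
```

A message that fails this validation fails identically on every retry, so a consumer can dead-letter it with the returned reason instead of spending the five attempts.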
Attachment Data Flow
Documents and files are handled by Attachment.Apis and stored in Azure Blob Storage — never in SQL.
Blob container structure:
```
{storage-account}/
└── attachments/
    └── {tenantId}/
        ├── invoices/{entityId}/{guid}.pdf
        ├── products/{entityId}/{guid}.png
        └── hr/{entityId}/{guid}.docx
```
Cache Data Flow
Redis sits in front of SQL for all read-heavy operations.
Cache key conventions:
| Pattern | TTL | Example |
|---|---|---|
| tenant:{id}:config | 1 hour | Tenant configuration |
| tenant:{id}:dropdown:{name} | 5 minutes | Currency/country dropdowns |
| user:{id}:permissions | 15 minutes | RBAC permission set |
| rate:{ip}:{endpoint} | 1 minute | Rate limiting counter |
| session:{token-hash} | 30 minutes | Session data |
Keycloak Token Flow
Authentication uses OIDC Authorization Code + PKCE flow.
Data Import Flow
Bulk data import (e.g., migrating customer records, opening balances) uses a dedicated async pipeline.
Observability Data Flow
All observability signals are collected and routed to environment-appropriate backends.
Summary: Data Store Responsibilities
| Data Store | What is stored | Access pattern | Isolation |
|---|---|---|---|
| Azure SQL (per-tenant DB) | All ERP business data | EF Core + Dapper | Database-per-tenant |
| Azure SQL (AdminDB) | Tenant registry, encrypted conn strings | EF Core (AdminUoW) | Shared — admin only |
| Azure Cache for Redis | Config cache, session, rate limits | IDistributedCache | Keyed by tenantId |
| Azure Blob Storage | File attachments, SBOM archives, reports | Blob SDK + SAS | Namespaced by tenantId |
| Azure Service Bus | In-flight async messages | MassTransit | Topic per domain event |
| MongoDB / Cosmos DB | Workflow engine state (flexible schema) | MongoDB driver | Namespaced by tenantId |
| Azure Key Vault | Secrets, connection strings, certs | Managed identity | Per-environment |