Five core functions every enterprise platform needs
Five capabilities that define a platform
Data Management & Integration
A platform that can't move data reliably between systems is just a silo with a login screen. This layer handles ingestion, transformation, storage, and synchronization across internal tools, third-party services, and legacy systems.
Workflow Automation
Manual handoffs between teams are where processes break down. Workflow automation encodes business logic into repeatable, auditable flows — from approval chains to multi-step provisioning sequences.
Identity & Access Control
Every enterprise platform becomes a security surface. This function manages authentication, authorization, role hierarchies, and audit trails — ensuring the right people access the right resources at the right time.
Reporting & Analytics
Platforms generate data. The question is whether anyone can use it. This layer turns operational data into dashboards, scheduled reports, and real-time alerts that drive decision-making.
API-First Extensibility
Platforms that can't be extended become the bottleneck. An API-first architecture lets teams build integrations, automate workflows from external tools, and adapt the platform to new use cases without core changes.
How the five functions connect
Data Management
Raw data enters the platform through integrations and is normalized into a consistent schema.
Workflow Automation
Business processes consume normalized data to trigger actions, approvals, and cross-system orchestration.
Identity & Access
Every workflow step enforces permissions — who can initiate, approve, and audit each action.
Reporting & Analytics
Completed workflows and data changes flow into analytics, creating visibility across operations.
API Extensibility
External systems connect via APIs to consume data, trigger workflows, and extend platform capabilities.
Build vs. buy for each function
Data Management
Build: When your data model is highly domain-specific and off-the-shelf connectors don't exist for your legacy systems.
Buy: When standard connectors cover 80%+ of your integrations. Tools like Fivetran, Airbyte, or Mulesoft handle the plumbing.
Workflow Automation
Build: When workflows require deep integration with proprietary business logic that no-code tools can't express.
Buy: When most flows are approvals, notifications, and data routing. Temporal, n8n, or Power Automate cover these well.
Identity & Access
Build: Almost never. Custom auth is a security liability. Build only if regulatory requirements demand fully on-premise identity.
Buy: Default choice. Auth0, Okta, or Keycloak provide battle-tested identity with SSO, MFA, and compliance out of the box.
Reporting & Analytics
Build: When you need embedded analytics tightly coupled to your platform's UI and data model for end-user consumption.
Buy: When internal teams are the primary audience. Metabase, Grafana, or Looker deliver faster than custom dashboards.
API Extensibility
Build: Always build your own APIs — they are your platform's contract with the outside world. Own the interface.
Buy: Use API gateway products (Kong, AWS API Gateway) for rate limiting, auth, and versioning on top of your custom APIs.
Does your platform have these?
How the five functions communicate in practice
Event-Driven Backbone
The most resilient integration pattern is an event bus (Kafka, RabbitMQ, or a managed equivalent) that every function publishes to and subscribes from. When the data management layer normalizes a new record, it emits an event. The workflow engine picks it up and initiates a process. The analytics layer consumes the same event for real-time dashboards. No function calls another directly — they communicate through events. This decoupling means you can replace or upgrade any single function without cascading failures across the platform.
In practice, this requires a well-defined event schema registry. Every event needs a versioned contract — field names, types, and semantics documented so that consumers do not break when producers evolve. Apache Avro or JSON Schema with a schema registry (Confluent or Apicurio) is the standard approach. Without it, your event bus becomes a different kind of silo.
Synchronous APIs for User-Facing Operations
Not everything can be eventual. When a user submits a form that triggers a workflow and needs an immediate acknowledgment, you need synchronous request-response APIs between functions. The key is keeping these synchronous paths narrow — only for operations where the user is waiting. Bulk data synchronization, report generation, and audit log aggregation should always be asynchronous.
A common mistake is routing all inter-function communication through REST APIs, creating tight coupling between services. If your workflow engine directly calls the data management API, the analytics API, and the identity API in sequence, you have a distributed monolith. The rule of thumb: synchronous for user-blocking paths, events for everything else.
Shared Identity Context
Identity and access control is the one function that every other function must call synchronously — or, more precisely, every other function must carry identity context. This is where JWT tokens with embedded claims become essential. When a workflow engine triggers an action, it propagates the user's identity token so the data layer can enforce row-level security, the API layer can check permissions, and the audit log captures who initiated the action. Without this propagation, you end up with “system user” entries in audit logs that are useless for compliance investigations.
Platform maturity model
Point Solutions
Each function is handled by a separate tool with no integration. Data lives in spreadsheets and email threads. Workflows are manual. Access control is per-application. Reports are generated by exporting CSVs and pasting into slide decks. This is where most organizations start, and many stay here far longer than they should.
Connected Tools
Functions are handled by dedicated tools connected through APIs or integration middleware. Data flows between systems, but there is no single source of truth. Workflows exist but require manual intervention at boundaries between tools. SSO provides unified login, but permissions are still managed per-application. Reporting aggregates data from multiple sources with ETL jobs that run overnight.
Platform Cohesion
All five functions share a common data model, event bus, and identity layer. Workflows can span any function without custom integration code. Reporting is real-time, not batch. APIs are versioned and documented with a developer portal. This is the stage where the platform starts delivering compounding returns — each new feature benefits from the entire foundation.
Platform as Product
Business teams build their own workflows, dashboards, and integrations without engineering involvement. The platform provides guardrails — schema validation, policy enforcement, rate limiting — while enabling autonomy. Internal developers consume the platform through the same APIs as external partners. The platform team operates as an internal product team with SLAs, versioning, and a roadmap driven by adoption metrics.
Vendor evaluation criteria that actually matter
Data Portability
Can you export all your data in a standard format at any time? Vendors that make data export difficult are betting you will never leave. Ask for a documented data export API and test it during evaluation — not after you have migrated production data. The gold standard is full database-level export (not just CSV reports) with schema documentation.
API Completeness
If the vendor's UI can do something that the API cannot, you will hit a wall when automating. Evaluate API coverage by listing your top ten workflows and verifying that every step can be automated through the API. Pay attention to whether the API supports bulk operations — single-record CRUD is insufficient for enterprise data volumes.
Multi-Tenancy and Isolation
For enterprise platforms serving multiple business units or clients, understand the isolation model. Is it logical isolation (shared database, row-level filtering) or physical isolation (separate databases per tenant)? Logical isolation is cheaper but carries data leakage risk if the filtering has bugs. For regulated industries — finance, healthcare, government — physical isolation is often a compliance requirement.
Upgrade and Migration Path
How does the vendor handle major version upgrades? Is it a forklift migration or a rolling upgrade? What is their breaking change policy? The best vendors provide long-term support branches, deprecation notices months in advance, and automated migration tooling. The worst surprise you to find is a breaking API change in a minor release.
Operational Transparency
Does the vendor publish a status page with historical uptime data? Do they provide post-incident reports? Can you access audit logs for actions taken by their support team on your account? Operational transparency is a proxy for engineering maturity. Vendors who hide behind vague “we experienced a service disruption” notices are not partners you want for critical infrastructure.