Dear Team,
We use DataDog in Roche for the Patients Safety area - not a single service but a number of applications in scope.
Currently we need to add the specific individuals to AD groups in order to grant them access to our DataDog organization.
As the team members are constantly changing, we need to add/remove individuals manually every time.
Would it be possible to add the specific AD groups per system to the general DataDog (Admin, Standard, Read) groups and let them inherit the access privileges from the core DataDog groups?
Also, some of these groups are the distribution groups used for sending communications, so it would help us send messages to the whole distribution groups and not miss anyone from the radar.
That would significantly simplify access management of the DataDog organization for Patients Safety.
Answer provided on 21 May 2024:
Hello Andrzej,
The issue with not being able to use nested groups for the SSO mappings is well known and goes back a very long time. Unfortunately, this is not a limitation on the Datadog side but on the identity provider (PingFederate), and it affects all of our SSO-integrated tools. Ping is out of our control as it's managed by the identity team, and they have confirmed that these limitations are due to performance concerns, as allowing nested queries to Active Directory has too much of an impact to allow it. Sadly, this is not something that we can overcome at the moment or in the foreseeable future.
Best regards.