Stack: Datadog
Okta disaster recovery for SREs running Datadog through Okta
When Okta federates Datadog authentication, the on-call rotation depends on the Okta-side configuration to reach the observability stack. A single bad policy push can blind the team during exactly the incident the team needed observability to debug.
Butterfly captures versioned snapshots of the Okta configuration governing Datadog access — the SAML / OIDC app, the SCIM feed, assigned groups, sign-on policies, and Workflows automations. Restore preview shows the diff before any revert.
What you get
How Butterfly fits Datadog
Datadog SSO app is versioned
Every backup captures the Okta-side Datadog app integration — SAML signing certificate, attribute mapping (including the Datadog role attribute), assigned groups, and sign-on policy.
SCIM provisioning into Datadog teams
The Okta-to-Datadog SCIM connection is part of every snapshot. Team and role mappings are versioned.
Group rules drive Datadog role assignment
Group rules are how most teams scale who-has-which-Datadog-role. Butterfly versions every rule.
What goes wrong
Three incidents you have already seen variations of
Sign-on policy change blocks SRE from Datadog mid-incident
A device-trust tightening caught the SRE group expression. The on-call rotation could not reach Datadog during a production incident. Restore preview surfaces the policy diff.
SCIM role-mapping change strips dashboard edit rights
A SCIM attribute mapping change moved a population from Admin to Standard right before a runbook update. Restore preview surfaces the mapping diff.
Group rule cleanup drops engineers from Datadog
A directory cleanup removed a group rule that fed the datadog-engineers group. New hires onboarded without observability access.
Honest scope
What Butterfly captures — and what it does not
In scope
The Okta-side configuration governing Datadog access: the Datadog SAML / OIDC app integration, attribute mappings, SCIM provisioning configuration, assigned users and groups, group rules, sign-on policies, and Workflows automations.
Out of scope
We do not back up Datadog dashboards, monitors, SLOs, or any Datadog-side state. Datadog-side configuration backup is owned by Datadog's own tooling or Terraform.
Plans
Free, Standard, or Business
Free
$0 / forever
- 1 Okta connection
- 7-day retention
- 1 total backup
- No credit card
Standard
$1 / user / month — $99 minimum
- 2 Okta connections
- 90-day retention
- Restore preview + dry-run
- Audit Pack PDF (framework-filterable)
Business
$2 / user / month — $299 minimum
- Unlimited Okta connections
- Unlimited retention
- Continuity (warm standby)
- Priority restore support
Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.
Regulatory shape
Compliance and audit angle
SOC 2 CC6 / CC7 (logical access + system operations) is the most common framework relevant to observability-platform identity continuity.
Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.
Frequently asked
FAQ
Does Butterfly back up Datadog dashboards?
No. Butterfly backs up the Okta configuration governing Datadog access. Datadog-side backup is owned by Datadog tooling or Terraform.
Can we restore a single SCIM mapping?
Yes. Restore preview lets you pick the scope before committing.
How does this help during a Sev-1?
If an Okta-side change has blocked your on-call rotation from observability, restore preview shows the exact diff against the last known-good snapshot and you revert at the scope of your choice.
Recover your Okta org in minutes, not hours
Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.
More stacks
Okta DR for other stacks
Trust posture, subprocessors, and security details: Trust Center.