Document scope management and update Mobile and Third-Party Access

[nirrattner]

What does this PR do? What is the motivation?

This PR makes a few changes:

• Updates the Organization Settings OAuth App documentation by replacing references to "OAuth App" with "Mobile and Third-Party Access", which is the term now used in the application. This includes:
  • Replacing screenshots
  • Updating the names of the permissions which are now used for this page from org_management to org_authorized_apps_read and org_authorized_apps_write
• Introduces documentation for the Application Scope Management feature which will soon be available on the Mobile and Third-Party Access page

Merge instructions

Merge readiness:

• Ready for merge

AI assistance

Used Claude Code for initial draft.

[github-actions]

Preview links (active after the build_preview check completes)

New or renamed files

• https://docs-staging.datadoghq.com/nir.rattner/scope-management/account_management/org_settings/mobile_third_party_access

Removed or renamed files (these should redirect)

• https://docs-staging.datadoghq.com/nir.rattner/scope-management/account_management/org_settings/oauth_apps

Modified Files

• https://docs-staging.datadoghq.com/nir.rattner/scope-management/account_management/org_settings
• https://docs-staging.datadoghq.com/nir.rattner/scope-management/account_management/safety_center

[adityab-datadog]

There's reference to MCP clients here - would it be premature to release these docs before we migrate away from the singleton proxy being used now?

[nirrattner]

Yeah good point, updating this

[samanthasample]

Should we be wary of updating this URL? It could be referenced in other docs

[nirrattner]

Good catch, just updated the references within the documentation and also introduced an alias so that the old URL will redirect to the new page for any references outside of our control

[iadjivon]

Hi there, thanks for this PR. I've added some comments here. Please let me know once this is ready for re-review.

[iadjivon]

Should this be changed to Mobile Third Party Access?

[nirrattner]

Good catch, yes!

[iadjivon]

Suggested change

	Currently, only MCP applications have support for Application Scope Management.
	Only MCP applications support Application Scope Management.

[iadjivon]

Suggested change

	The allowed scopes for an application can be modified by enabling Application Scope Management. Adding or removing a scope will affect the access for this application for all users in your organization. When a scope is disabled, all existing authorizations in your organization for that application that have the scope granted will be revoked.
	Enable Application Scope Management to modify the allowed scopes for an application. Adding or removing a scope affects access to this application for all users in your organization. Disabling a scope revokes all existing authorizations in your organization for that application.

I modified this section to be in the active voice. Please let me know if this keeps the meaning.

[nirrattner]

Thanks! It mostly keeps the meaning, but there is some nuance that is lost in the last sentence. Only a subset of existing authorizations may be revoked, whereas the last sentence now indicates that all existing authorizations will be revoked. Specifically it is only the existing authorizations that would conflict with the new allowed scopes configuration that would be revoked. It's not clear to me if it's valuable to communicate that distinction in the documentation here?

[iadjivon]

That's a very fair point and important distinction. How about:

Disabling a scope revokes any existing authorization for that application where the scope was granted.

OR

Disabling a scope revokes any existing authorizations for applications that have the scope granted.

Or a focus on the user if applicable:

Disabling a scope revokes access for any user in your organization who was granted that scope for the application.

[nirrattner]

To me, this one seems cleanest:

Disabling a scope revokes any existing authorizations for applications that have the scope granted.

I can update that now, thanks!

[iadjivon]

Suggested change

	1. In the **Application Scope Management** view, use the **Allowed** checkbox for each scope to control whether the application can be granted that scope.
	{{< img src="account_management/mobile_third_party_access/scope-restrictions-enable.png" alt="Application Scope Management view with Enable and Restore to Full Access buttons" style="width:100%;">}}
	2. After making your changes, click **Enable** to save the scope configuration.
	1. On the **Mobile and Third-Party Access page**, click an application to open its detail view.
	2. Select the **Scopes** tab and use the **Allowed** checkbox for each scope to control whether to grant he application that scope.
	3. Click Enable to save the scope configuration.
	{{< img src="account_management/mobile_third_party_access/scope-restrictions-enable.png" alt="Application Scope Management view with Enable and Restore to Full Access buttons" style="width:100%;">}}

I'd recommend these steps. Let me know what you think.

[iadjivon]

Links [4] and [5] do not seem to be used in this file. Link [5] also still uses oauth-applications.

I'd recommend removing these links if they are not needed.

[iadjivon]

Suggested change

	The [**Mobile and Third-Party Access**][15] page allows you to view or manage Datadog Mobile and Third-Party applications in your organization.
	The [**Mobile and Third-Party Access**][15] page allows you to view and manage mobile and third-party applications in your organization.

[iadjivon]

I don't think this is used in the page. I'd recommend removing it so that is is not merged.

[nirrattner]

Good catch, thanks!

[iadjivon]

Suggested change

	There are two ways to disable an application from the Mobile and Third-Party Access page:
	To disable an application from the Mobile and Third-Party Access page:

Quick edit to the legacy content.