Okay, so I just watched that video (thanks) and tried the second method, e.g. directly setting the Claim Type and Claim Value under Security > Roles > edit properties for the specific role.
The user who I am logging on with is in an AD group called PUTEST, and if I check View Claim Information when logged on as that user I can see the SID associated with that AD group.
But when I next log on I still have full access as that user to everything in PU, and it doesn’t seem to have restricted my access to just the “Operator” role as it should.