Map groups from the client application on the identity provider to Splunk roles
When you create a new OAuth 2.0 configuration, you must map the groups that your Splunk platform instance receives in tokens from the client application on the identity provider (IdP) to roles on the Splunk platform. This procedure lets the Splunk platform provide the client application access to Splunk data.
- From the OAuth 2.0 Configurations page, under Configuration Name, select the OAuth 2.0 configuration where you want to map groups from the IdP to Splunk roles. The configuration page for that configuration loads.
- Under Role Mapping, select + New Mapping. The New Role Mapping page appears.
- In the Group Name field, enter the name of the group to which this Splunk platform instance is to map Splunk roles. The Group comes from the IdP client application as part of the Group claim in the authorization request that the client application sends.
- For each Splunk role that you want this group to map to, select it in the Available Roles column. You can map a group to one or more Splunk roles.
  Note: Only select the roles that allow access to the Splunk data you want the client application to have.
- Select the > box between the Available Roles and Selected Roles columns to move the selected roles to the Selected Roles column.
  Note: To remove Splunk roles from the group mapping, select the roles that you want to remove in the Selected Roles column, then select the < box to remove the selected roles.
- Save the group-to-role mapping. If you want to save the current group-to-role mapping, but have more changes that you need to make, select Save and Add More. Otherwise, select Save and Close.