Policies & Roles

What is a policy?

Policies attach to resources and bind members to roles, with optional conditions.

{
  "bindings": [
    { "role": "roles/inventory.equipmentAdmin", "members": ["group:cedxadmins"] },
    {
      "role": "roles/inventory.equipmentViewer",
      "members": ["user:nancy@cedx.rail", "user:steven@cedx.rail"],
      "condition": {
        "description": "Only can view BNSF cars",
        "expression": "resource.equipmentInitial == 'BNSF'"
      }
    }
  ]
}

Roles

Predefined roles (examples):
- roles/inventory.equipmentViewer
- roles/inventory.equipmentAdmin
- roles/inventory.equipmentOrderer
Custom roles: create a role with the exact permissions your org needs

Inheritance

Grant at an organization/site/operator level → inherited by terminals, groups/tracks, and resources beneath. Grant at a terminal/group/track or a specific resource for fine‑grained control.

Getting started

Single Sign-On (SSO)

Identity & Access Management (IAM)

Trains & jobs

What is a policy?

Roles

Inheritance

Getting started

Single Sign-On (SSO)

Identity & Access Management (IAM)

Trains & jobs

​What is a policy?

​Roles

​Inheritance

What is a policy?

Roles

Inheritance