You can use export policies to restrict NFS access to volumes to clients that match specific parameters.
How export policies control client access to volumes
Export policies contain one or more export rules that process each client access request. The result of that processing determines whether the client is granted or denied access and, if access is granted, at what level. An export policy with export rules must exist on a Vserver for clients to access data.
Default export policy for a Vserver with FlexVol volume
Each Vserver with FlexVol volume has a default export policy that contains no rules. An export policy with rules must exist before clients can access data on the Vserver, and each FlexVol volume contained in the Vserver must be associated with an export policy.
How export rules work
Export rules are the functional elements of an export policy. Each rule compares a client's access request to a volume against the parameters you configure, and the matching rule determines how the request is handled.
How to handle clients with an unlisted security type
When a client presents itself with a security type that is not listed in an access parameter of an export rule, you can either deny access to the client or map it to the anonymous user ID by using the option none in the access parameter.
How to handle superuser access requests
When you configure export policies, you need to decide what should happen if the storage system receives a client access request with user ID 0, that is, from a superuser, and set up your export rules accordingly.
Creating an export policy
Before creating export rules, you must create an export policy to hold them. You can use the vserver export-policy create command to create an export policy.
Adding a rule to an export policy
You can use the vserver export-policy rule create command to create an export rule for an export policy. This enables you to define client access to data.
Setting an export rule's index number
You can use the vserver export-policy rule setindex command to manually set an existing export rule's index number. This enables you to rearrange the order in which Data ONTAP processes export rules.
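The three commands above used together, as an added example that is not taken from the original documentation. The Vserver name vs1, policy name nfs_clients, volume name vol1, the addresses and the index numbers are constructed placeholders; lines starting with # are annotations, not input.

```text
# 1. Create an empty policy to hold the rules (names are placeholders).
vserver export-policy create -vserver vs1 -policyname nfs_clients

# 2. Subnet rule: AUTH_SYS clients get read-write access. Listing "none" in
#    -rorule maps clients with any other security type to the anonymous
#    user (-anon) for read-only access instead of denying them.
#    -superuser none maps requests from user ID 0 to the anonymous user too.
vserver export-policy rule create -vserver vs1 -policyname nfs_clients
    -ruleindex 10 -protocol nfs -clientmatch 192.0.2.0/24
    -rorule sys,none -rwrule sys -superuser none -anon 65534

# 3. Admin host rule: the only client whose user ID 0 requests stay root.
vserver export-policy rule create -vserver vs1 -policyname nfs_clients
    -ruleindex 20 -protocol nfs -clientmatch 192.0.2.10
    -rorule sys -rwrule sys -superuser sys

# 4. Rules are processed in index order, and 192.0.2.10 also falls inside
#    192.0.2.0/24, so the admin host would be handled by rule 10 and never
#    reach rule 20. Move the host rule ahead of the subnet rule.
vserver export-policy rule setindex -vserver vs1 -policyname nfs_clients
    -ruleindex 20 -newruleindex 5

# 5. Confirm the resulting order, then associate the volume with the policy.
vserver export-policy rule show -vserver vs1 -policyname nfs_clients
volume modify -vserver vs1 -volume vol1 -policy nfs_clients
```

Each command is entered on a single line; the continuation lines are wrapped here for readability.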