ONTAP NFS Export Policy Rules Explained With CLI and REST API
Export Policy Basics
ONTAP NFS access is controlled by export policies and export rules. The policy is attached to a volume or qtree, and the rules define client matching, protocol, read-only access, read-write access, superuser handling, and anonymous user mapping.
NetApp documents the export rule management commands (vserver export-policy rule create, show, modify, and delete) under "ONTAP commands for managing export rules".
Lab Example
This lab-style rule allows NFS clients from 192.168.200.0/24 to access an NFS volume using AUTH_SYS:
clientmatch: 192.168.200.0/24
protocol: nfs
rorule: sys
rwrule: sys
superuser: sys
anon: 65534
This is useful in a controlled lab. In production, scope clientmatch as narrowly as possible and avoid broad network ranges unless the operational model requires them.
CLI Process
Show the policy attached to a volume:
volume show -vserver svm_nfs01 -volume nfs_lab_vol01 -fields policy,junction-path
Show rules:
vserver export-policy rule show -vserver svm_nfs01 -policyname default
Create a dedicated policy:
vserver export-policy create \
-vserver svm_nfs01 \
-policyname nfs_lab_policy
Add a rule:
vserver export-policy rule create \
-vserver svm_nfs01 \
-policyname nfs_lab_policy \
-ruleindex 1 \
-protocol nfs \
-clientmatch 192.168.200.0/24 \
-rorule sys \
-rwrule sys \
-superuser sys \
-anon 65534
Attach the policy to the volume:
volume modify -vserver svm_nfs01 -volume nfs_lab_vol01 -policy nfs_lab_policy
Validate from ONTAP:
vserver export-policy check-access \
-vserver svm_nfs01 \
-client-ip 192.168.200.50 \
-volume nfs_lab_vol01 \
-authentication-method sys \
-protocol nfs3 \
-access-type read-write
REST API Process
Discover export policies:
curl -k -u admin:'<password>' \
"https://cluster.example.com/api/protocols/nfs/export-policies?svm.name=svm_nfs01&fields=uuid,name,rules"
Create a policy:
curl -k -u admin:'<password>' \
-X POST \
"https://cluster.example.com/api/protocols/nfs/export-policies" \
-H "Content-Type: application/json" \
-d '{ "svm": { "name": "svm_nfs01" }, "name": "nfs_lab_policy" }'
Create a rule:
curl -k -u admin:'<password>' \
-X POST \
"https://cluster.example.com/api/protocols/nfs/export-policies/<policy_uuid>/rules" \
-H "Content-Type: application/json" \
-d '{
"clients": [{ "match": "192.168.200.0/24" }],
"protocols": ["nfs"],
"ro_rule": ["sys"],
"rw_rule": ["sys"],
"superuser": ["sys"],
"anonymous_user": "65534"
}'
Attach the policy to the volume:
curl -k -u admin:'<password>' \
-X PATCH \
"https://cluster.example.com/api/storage/volumes/<volume_uuid>" \
-H "Content-Type: application/json" \
-d '{ "nas": { "export_policy": { "name": "nfs_lab_policy" } } }'
Best Practices
- Use dedicated policies for application volumes instead of overloading default.
- Put the most specific rules first.
- Avoid any unless the security requirement is explicit.
- Validate access with vserver export-policy check-access before asking the client team to mount.
- Keep old policy output in the change record before modifying rules.
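
The rule-ordering, any, and clientmatch-scope checks above can be run against the output of the discovery call before a change is approved. This is an added example, not NetApp's or the original author's code; the response layout (records[].rules[] with an index per rule), the sample data, and the MIN_PREFIX threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample shaped like the export-policies discovery response
# (assumed layout: records[].rules[], each rule carrying an "index").
SAMPLE = {"records": [{"name": "nfs_lab_policy", "rules": [
    {"index": 1, "clients": [{"match": "192.168.200.0/24"}],
     "ro_rule": ["sys"], "rw_rule": ["sys"], "superuser": ["sys"]},
    {"index": 2, "clients": [{"match": "192.168.200.50"}],
     "ro_rule": ["sys"], "rw_rule": ["sys"], "superuser": ["none"]},
    {"index": 3, "clients": [{"match": "0.0.0.0/0"}],
     "ro_rule": ["any"], "rw_rule": ["never"], "superuser": ["none"]},
]}]}

MIN_PREFIX = 24  # hypothetical site threshold: flag IPv4 ranges wider than /24


def to_net(match):
    """Return an ip_network for IP/CIDR matches, None for hostnames/netgroups."""
    try:
        return ipaddress.ip_network(match, strict=False)
    except ValueError:
        return None


def audit(response):
    findings = []
    for policy in response["records"]:
        seen = []  # (index, network) of earlier rules, in index order
        for rule in sorted(policy.get("rules", []), key=lambda r: r["index"]):
            where = f'{policy["name"]}#{rule["index"]}'
            for field in ("ro_rule", "rw_rule", "superuser"):
                if "any" in rule.get(field, []):
                    findings.append((where, f"{field} allows any"))
            for client in rule.get("clients", []):
                net = to_net(client["match"])
                if net is None:
                    continue  # hostname, domain or netgroup: not checked here
                if net.version == 4 and net.prefixlen < MIN_PREFIX:
                    findings.append((where, f"broad clientmatch {net}"))
                for idx, earlier in seen:
                    if net.version == earlier.version and net.subnet_of(earlier):
                        findings.append((where, f"clientmatch already covered by rule {idx}"))
                seen.append((rule["index"], net))
    return findings


if __name__ == "__main__":
    for where, issue in audit(SAMPLE):
        print(where, issue)
```

Rule 2 in the sample is flagged because its single-host match sits behind the /24 in rule 1, which is the ordering problem the second best practice describes.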