Page 31 of the TR describes limiting access to the vsroot volume.

Page 37 covers export policy rule inheritance.

The vsroot (/)  export policy must allow read access to all clients to allow traversal. Data volumes must allow read access to clients that desire read access, as described on page 39:

the read-only attribute for the export policy rules needs to allow read access from the parent to allow mounts to occur. Setting rorule to “never” or not setting an export policy rule in the parent volume’s export policy at all (empty policy) will disallow mounts to volumes underneath that parent.

In the above, vsroot counts as a parent volume, as it’s in every path in a namespace.

From: Iluhes <iluhes@yahoo.com>
Date: Tuesday, November 11, 2014 at 11:39 PM
To: Justin Parisi <Justin.Parisi@netapp.com>
Cc: "Toasters@teaparty.net" <Toasters@teaparty.net>
Subject: Re: cdot NFS exports

Is there a way to avoid   0.0.0.0 ro is defult policy rule 

On Nov 11, 2014, at 10:12 PM, "Parisi, Justin" <Justin.Parisi@netapp.com> wrote:

TR-4067 covers all of these questions.


Exports are covered starting on page 21.


From: Iluhes <iluhes@yahoo.com>
Reply-To: Iluhes <iluhes@yahoo.com>
Date: Tuesday, November 11, 2014 at 9:51 PM
To: "Toasters@teaparty.net" <Toasters@teaparty.net>
Subject: cdot NFS exports

Hi toasters,
NFS export in CDOT (ouch)
I understand I have to have a default policy and a rule..
1. Must it have 0.0.0.0/0 read only? What if I dont want to give read-only to entire name space to all clients?
2. Qtrree exports: can I restrict qtree A to  host A, and qtree B to host B, but then what about volume and it is policy? Can qtree be more restrictive than volume (and why dont qtree show up in GUI?) 
3. Does showmount -e LIF of NFS filer still produce good information. It does not look like, so how do I check what my exports are?
4. What does it buy me with qtree exports, what? If I have to give access to server A and B to volume that has qtree A and B