viewpolicy modify

This command modifies a view policy.

Usage

viewpolicy modify --id ID
                  [--name NAME]
                  [--flavor NFS|SMB|MIXED_LAST_WINS|S3_NATIVE]
                  [--access-flavor NFS4|SMB|ALL]
                  [--auth-source RPC|PROVIDERS|RPC_AND_PROVIDERS]
                  [--path-length LCD|NPL]
                  [--allowed-characters LCD|NPL]
                  [--gid-inheritance linux|bsd]
                  [--atime-frequency ATIME_FREQUENCY]
                  [--nfs-read-write [HOSTS]]
                  [--nfs-read-only [HOSTS]]
                  [--nfs-no-squash [HOSTS]]
                  [--nfs-root-squash [HOSTS]]
                  [--nfs-all-squash [HOSTS]]
                  [--enable-nfs-return-open-permissions|--disable-nfs-return-open-permissions]
                  [--enable-nfs-posix-acl|--disable-nfs-posix-acl]
                  [--enable-32bit-fileid|--disable-32bit-fileid]
                  [--enable-expose-id-in-fsid|--disable-expose-id-in-fsid]
                  [--nfs-trash-access [HOSTS]]
                  [--nfs4-case-sensitive|--nfs4-case-insensitive]
                  [--enable-enforce-tls-cert|--disable-enforce-tls-cert]
                  [--enable-nfs-enforce-tls-relaxed|--disable-nfs-enforce-tls-relaxed]
                  [--smb-file-mode SMB_FILE_MODE]
                  [--smb-directory-mode SMB_DIRECTORY_MODE]
                  [--permission-per-vip-pool <pool ID 1>=RW|RO,<pool ID 2>=RW|RO,...]
                  [--nfs-minimal-protection-level NONE|SYSTEM|KRB_AUTH_ONLY|KRB_INTEGRITY|KRB_PRIVACY]
                  [--s3-visibility USERS]
                  [--s3-visibility-groups GROUPS]
                  [--enable-s3-default-policy|--disable-s3-default-policy]
                  [--s3-special-chars|--s3-special-chars-not-supported]
                  [--s3-read-write [HOSTS]]
                  [--s3-read-only [HOSTS]]
                  [--smb-read-write [HOSTS]]
                  [--smb-read-only [HOSTS]]
                  [--enable-apple-sid|--disable-apple-sid]
                  [--smb-is-ca|--smb-is-not-ca]
                  [--audit-protocols PROTOCOLS]
                  [--audit-operations OPERATIONS]
                  [--audit-options OPTIONS]
                  [--enable-audit-settings|--disable-audit-settings]
                  [--enable-access-to-snapshot-dir-in-subdirs|--disable-access-to-snapshot-dir-in-subdirs]
                  [--enable-visibility-of-snapshot-dir|--disable-visibility-of-snapshot-dir]
                  [--tenant-id ID]|[--serve-all-tenants]
                  [--disable-read-leases|--enable-read-leases]
                  [--disable-write-leases|--enable-write-leases]
                  [--disable-handle-leases|--enable-handle-leases]
                  [--s3-flavor-allow-free-listing|--s3-flavor-disallow-free-listing]
                  [--enable-s3-flavor-detect-full-pathname|--disable-s3-flavor-detect-full-pathname]
                  [--enable-inherit-parent-mode-bits|--disable-inherit-parent-mode-bits]

Required Parameters

--id ID

Specifies the view policy to modify.

General Options

--name NAME

Sets a unique name for the view policy.

--flavor NFS|SMB|MIXED_LAST_WINS|S3_NATIVE

Sets a security flavor for the view policy:

  • NFS. Treats NFS as a native protocol and other protocols as non-native protocols. Supports NFSv3, SMB and S3. Supports NFSv4.1 without support for NFSv4.1 ACLs.

    Files and directories created by SMB clients receive a set of initial permission bits, configurable using the --smb-file-mode and --smb-directory-mode options.

  • SMB. Treats SMB as a native protocol and other protocols as non-native protocols. Supports SMB, NFSv3, NFSv4.1 and S3.

  • MIXED_LAST_WINS. Allows file and directory permissions to be set and modified by all clients. Includes support for NFSv4.1 clients to set NFSv4.1 ACLs. Supports SMB, NFSv3, NFSv4.1 and S3.

    See also --access-flavor for further control.

  • S3_NATIVE. Treats S3 as a native protocol and NFS/SMB as a non-native protocol. Supports S3, NFSv3 and SMB. Supports NFSv4.1 without support for NFSv4.1 ACLs.

For more information about security flavors, see Controlling File and Directory Permissions Across Protocols.

--access-flavor NFS4|SMB|ALL

Caution

Changing this setting when already in effect on a view that is being used by clients could lead to unexpected behavior and is not advised.

If --flavor is MIXED_LAST_WINS, this parameter can be used to control which protocols can set file permissions, including Access Control Lists (ACLs) and setting user-owner and group-owner of files.

NFSv3 is unaffected by this setting. NFSv3 users can set permission mode bits in Mixed Last Wins security flavor regardless of this setting.

Attempts by the blocked protocol fail silently. See Controlling File and Directory Permissions Across Protocols for details.

Possible values:

  • NFS4. Allows NFSv4.1 to set file permissions, and blocks SMB users from setting file permissions.

  • SMB. Allows SMB users to set file permissions, and blocks NFSv4.1 users from setting file permissions.

    Note

    Linux super user cannot bypass this blockage.

  • ALL (default). Allows both NFSv4.1 and SMB to set file permissions, as well as NFSv3.

--auth-source RPC|PROVIDERS|RPC_AND_PROVIDERS

Specifies which source is trusted for a user's group memberships when the user's access to the view is authorized. Possible values:

  • RPC. For NFS only. The GIDs declared in the NFS request as the user's leading group and auxiliary groups are trusted and provider-sourced groups are not considered.

    Note

    This option is not supported for NFSv4.1.

  • PROVIDERS. Group memberships retrieved from authorization providers are considered as the user's group memberships. The GIDs declared in the request are ignored.

    Note

    This option is required for views that have SMB enabled.

  • RPC_AND_PROVIDERS. Both the GIDs declared in an NFS request and group memberships retrieved from authorization providers are considered. If the GID provided by the client does not match the GID retrieved from the authorization provider, the GID from the client is set.

    Note

    If Kerberos authentication is used by NFSv4.1 clients, the groups declared in the RPC are ignored.

--permission-per-vip-pool <pool ID 1>=RW|RO,<pool ID 2>=RW|RO,...

Grants read/write or read-only access to clients from certain virtual IP pools.

Specify a comma-separated list of virtual IP pool IDs with indication of the access type (RW for read/write or RO for read-only) for each of the pools, for example:

--permission-per-vip-pool 1=RW,2=RW,3=RO

--tenant-id TENANT_ID

Associates the view policy with a specific tenant.

--serve-all-tenants

Sets the view policy to serve all tenants (default setting).

Protocol Auditing Options

Note

Any audit settings that are enabled globally for the cluster are enabled for all views. Auditing settings in a view policy can only add more protocols, operations and/or options to the audit performed on views that use this view policy.

--audit-protocols PROTOCOLS

Lists access protocols for which you are enabling or disabling protocol auditing on views that use this view policy.

Use this parameter together with --enable-audit-settings or --disable-audit-settings to enable or disable auditing of the specified protocols.

When specifying --audit-protocols, you must also specify --audit-operations and/or --audit-options.

Specify PROTOCOLS as a comma-separated list of values. Valid values:

  • NFSv3

  • NFSv4.1

  • SMB

  • S3

  • NDB (Database)

--audit-operations OPERATIONS

Lists categories of protocol operations for which you are enabling or disabling protocol auditing on views that use this view policy.

Use this parameter together with --audit-protocols and either --enable-audit-settings or --disable-audit-settings to enable or disable auditing of the specified protocol operations for views that use this view policy.

Specify OPERATIONS as a comma-separated list of values, each of which specifies a category of operations being audited. Valid values:

  • create_delete_files_dirs_objects. Operations that create or delete files, directories or objects.

  • modify_data. Operations that modify data.

  • modify_data_md. Operations that modify metadata.

  • read_data. Operations that read data.

  • read_data_md. Operations that read metadata.

  • session_create_close. Session creation and closing operations for sessions that use Kerberos 5 authentication (krb5, krb5i, or krb5p).

--audit-options OPTIONS

Lists audit options to enable or disable on views that use this view policy.

Use this parameter together with --audit-protocols and either --enable-audit-settings or --disable-audit-settings to enable or disable the specified options for the specified protocols.

Specify OPTIONS as a comma-separated list of values. Valid values:

  • log_full_path. If enabled (default for all protocols), audit records contain the full Element Store path to the requested resource. This may affect performance. When disabled, the view path is recorded.

  • log_username. Disabled by default. If enabled, audit records contain the username (if a username can be retrieved from the auth provider).

--enable-audit-settings

Enables the audit settings specified in the same command line by the --audit-protocols, --audit-operations and --audit-options parameters.

Any audit settings (protocols, operations or options) that are already enabled in the view policy remain enabled.

--disable-audit-settings

Disables the audit settings specified in the same command line by the --audit-protocols, --audit-operations and --audit-options parameters.

Any audit settings (protocols, operations or options) that are already enabled in the view policy and that are not specified in the same command line remain enabled.

NFS Security Flavor Options

--smb-file-mode SMB_FILE_MODE

--smb-directory-mode SMB_DIRECTORY_MODE

For multiprotocol views, if the security flavor is NFS, specify default Unix permission bits for files (--smb-file-mode) and directories (--smb-directory-mode). These are applied as initial permissions to files and directories created by SMB or S3 clients.

Since these are initial permissions, changes to these values affect subsequently created files and directories and do not affect existing files and directories.

Specify SMB_FILE_MODE and SMB_DIRECTORY_MODE in three-digit numeric notation, in which each digit represents a component of the permissions: user, group and others (in that order). Each digit is the sum of the following component bits:

  • If reading is permitted, the read bit adds 4 to the component.

  • If writing is permitted, the write bit adds 2 to the component.

  • If execution is permitted, the execute bit adds 1 to the component.

Example

Supposing you want to set the following permissions for file mode:

             user            group           others
  read       permitted       permitted       permitted
  write      permitted       not permitted   not permitted
  execute    not permitted   not permitted   not permitted

The user's read bit (4) and write bit (2) total 6; the group and others each have only the read bit, so that is 4 each. Therefore, you set the permission bits to 644:

--smb-file-mode 644

Defaults

SMB file mode permission bits: 644

SMB directory mode permission bits: 755

--enable-inherit-parent-mode-bits

If specified, permission mode bits for files/objects and directories/buckets created by protocols other than NFS on a view controlled with the NFS security flavor are inherited from the parent directory.

--disable-inherit-parent-mode-bits

If specified, permission mode bits for files/objects and directories/buckets created by protocols other than NFS on a view controlled with the NFS security flavor are taken from the view policy definition (instead of being inherited from the parent directory).

S3 Options

--s3-visibility USERS

Specify users to enable those users to list buckets that are created using this policy even if they do not have permission to access those buckets.

When an S3 user sends a bucket listing request, the command returns a list of all buckets the user owns and all buckets that they have this listing permission for, even if they do not have permission to access those buckets.

Specify USERS as a comma separated list of user names.

Example: --s3-visibility jsmith,sjobs

--s3-visibility-groups GROUPS

Specify groups to enable members of those groups to list buckets that are created using this policy even if they do not have permission to access those buckets.

Specify GROUPS as a comma separated list of group names.

Example: --s3-visibility-groups interns,deptheads

--enable-s3-default-policy

Specify this option to use this policy as the default view policy for new buckets created via the VAST S3 API, where the user is not associated with an S3 endpoint.

--disable-s3-default-policy

Specify this option to stop using this policy as the default view policy for new buckets created via the VAST S3 API.

--s3-special-chars

Allows S3 object names containing character combinations that are not compatible with other access protocols, such as names containing // or /../.

--s3-special-chars-not-supported

Prohibits S3 object names containing character combinations that are not compatible with other access protocols.

--s3-flavor-allow-free-listing

When this option is specified, NFS and SMB clients are allowed or denied access based on the full resource names specified in the identity policies. This means that the identity policy can refer to particular files and directories, rather than to the bucket as a whole.

--s3-flavor-disallow-free-listing

When this option is specified, NFS and SMB clients are allowed or denied access based on the bucket name in the identity policy, rather than on the full resource names.

--enable-s3-flavor-detect-full-pathname

When this option is specified, NFS and SMB clients are able to list bucket views and their subdirectories regardless of individual object permissions.

--disable-s3-flavor-detect-full-pathname

When this option is specified, listing a directory by an NFS or SMB client is allowed or denied based on the identity policies, rather than on individual object permissions.

S3 Host Access Options

These options set which S3 client hosts can access the view with which access types.

For each option, HOSTS can be specified as a comma separated series of any of the following:

  • A single IP.

  • A subnet indicated by CIDR notation. For example: 1.1.1.1/24.

  • A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.

  • A range of IPs where the starting and ending IPs are separated by a hyphen, for example: 192.0.2.3-22

  • A fully qualified domain name (FQDN).

    Note

    The following rules apply when specifying FQDNs:

    • Maximum total length of an FQDN: 255 characters.

    • Each domain name label is limited to 63 characters.

    • Allowed characters: a-z, 0-9, hyphen (-).

    • A label cannot start with a hyphen.

The access types comprise read/write and read-only access.

If a host is specified with multiple entries in mutually exclusive access types, the conflict is resolved as follows:

  • An IP overrides a CIDR, and a CIDR overrides a wildcard expression.

  • If a conflict remains after the previous rule is applied, the read-only setting overrides the read/write setting.

On new installations, if a view policy does not have any host-based access rules defined for a specific access protocol, access is denied for all hosts. On upgraded deployments, all hosts are allowed access if no host-based access rules are defined.

--s3-read-write [HOSTS]

Controls which S3 client hosts have read/write access to the view.

By default, all hosts have read/write access.

To remove all hosts from read/write access, include this option without any values.

To restrict read/write access to specific hosts, specify HOSTS in the format described above.

For example: --s3-read-write 98.51.100.1,98.51.100.2

--s3-read-only [HOSTS]

Specifies which S3 client hosts have read-only access to the view.

Specify HOSTS in the format described above.

SMB Options

--enable-apple-sid

For use when connecting from Mac clients to SMB shares, this option enables Security IDs (SIDs) to be returned in Apple compatible representation.

--disable-apple-sid

Disables --enable-apple-sid.

--smb-is-ca

When specified, the SMB share exposed by the view is set as continuously available, which allows SMB 3.0 clients to request use of persistent file handles and keep their connections to this share in case of a failover event.

Note

This option requires that the client uses SMB 3.0.

By default, continuous availability is disabled.

--smb-is-not-ca

Stops exposing the view path as a continuously available SMB 3.0 share.

--disable-read-lease

Disables SMB client read leases so that SMB clients cannot cache data read from the server.

--enable-read-lease

Enables SMB client read leases to let SMB clients cache data read from the server.

--disable-write-lease

Disables SMB client write leases so that SMB clients cannot cache data written to the server or set byte-range locks on files and directories.

--enable-write-lease

Enables SMB client write leases to let SMB clients cache data written to the server and set byte-range locks on files and directories.

--disable-handle-lease

Disables handle leases so that SMB clients cannot delay closing handles on files or directories.

Note

Disabling handle leases may impact client resiliency to network and server failures.

--enable-handle-lease

Enables SMB client handle leases to let SMB clients delay closing handles on files or directories.

SMB Host Access Options

These options set which SMB client hosts can access the view with which access types.

For each option, HOSTS can be specified as a comma separated series of any of the following:

  • A single IP.

  • A subnet indicated by CIDR notation. For example: 1.1.1.1/24.

  • A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.

  • A range of IPs where the starting and ending IPs are separated by a hyphen, for example: 192.0.2.3-22

  • A fully qualified domain name (FQDN).

    Note

    The following rules apply when specifying FQDNs:

    • Maximum total length of an FQDN: 255 characters.

    • Each domain name label is limited to 63 characters.

    • Allowed characters: a-z, 0-9, hyphen (-).

    • A label cannot start with a hyphen.

The access types comprise read/write and read-only access.

If a host is specified with multiple entries in mutually exclusive access types, the conflict is resolved as follows:

  • An IP overrides a CIDR, and a CIDR overrides a wildcard expression.

  • If a conflict remains after the previous rule is applied, the read-only setting overrides the read/write setting.

On new installations, if a view policy does not have any host-based access rules defined for a specific access protocol, access is denied for all hosts. On upgraded deployments, all hosts are allowed access if no host-based access rules are defined.

--smb-read-write [HOSTS]

Controls which SMB client hosts have read/write access to the view.

By default, all hosts have read/write access.

To remove all hosts from read/write access, include this option without any values.

To restrict read/write access to specific hosts, specify HOSTS in the format described above.

For example: --smb-read-write 98.51.100.1,98.51.100.2

--smb-read-only [HOSTS]

Specifies which SMB client hosts have read-only access to the view.

Specify HOSTS in the format described above.

Advanced Multi-Protocol Options

--path-length LCD|NPL

Specifies the policy for limiting file path component name length.

Possible values:

  • LCD (default; Lowest Common Denominator). Imposes the lowest common denominator file path component length limit of all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view.

  • NPL (Native Protocol Limit). Imposes no limitation beyond that of the client protocol.

    Caution

    If you select this mode in a view policy and then in the future expose a view using this policy to a previously not exposed protocol, that view might contain files that won't be accessible by the newly added protocol, due to the limitations of that protocol.

--allowed-characters LCD|NPL

Specifies the policy for which characters are allowed in file names.

Possible values:

  • LCD (default). Allows only characters allowed by all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view.

  • NPL (Native Protocol Limit). Imposes no limitation beyond that of the client protocol.

    Caution

    If you select this mode in a view policy and then in the future expose a view using this policy to a previously not exposed protocol, that view might contain files that won't be accessible by the newly added protocol, due to the limitations of that protocol.

--gid-inheritance linux|bsd

Specifies how files receive their owning group when they are created.

Possible values:

  • linux (default). Each new file inherits its owning group from the group ID of the user who creates the file.

  • bsd. Each new file inherits its owning group from the group ID of the parent directory.

Advanced NFS Options

--atime-frequency ATIME_FREQUENCY

atime is a metadata attribute of NFS files that represents the last time the file was updated. atime is updated on read operations if the difference between the current time and the file's atime value is greater than the configured atime frequency. Note that a very low value can affect performance when large numbers of files are being read.

Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m= minutes, h=hours, d=days).

Example: 1h

--enable-nfs-return-open-permissions

Sets the NFS server to unilaterally return open (777) permission for all files and directories when responding to client side access checks.

This setting works around a permissions issue that occurs with Windows clients. Windows clients perform NFSv3 access checks before executing read/write requests. This client side check uses the UID and the primary GID of the user without taking into account secondary GIDs. If the check fails, requests are not executed. This means that some permissions may not be honored as they should be, such as those based on secondary groups.

When return open permissions is enabled, VAST Cluster returns open permissions for client side access checks, so that the Windows client allows access rights and executes read/write requests. VAST Cluster does a proper permission check when the request is executed.

Caution

Use this feature with caution if Windows client systems are shared by more than one user, since the following security breach could occur: While a user is accessing a file with correct permissions and the file is cached in memory on the Windows system, if another user tries to access the same file, access is incorrectly allowed. No proper access check is done for the second user.

By default, NFS return open permissions is enabled and honored with all security flavors.

--disable-nfs-return-open-permissions

Disables the NFS return open permissions setting. See --enable-nfs-return-open-permissions.

--enable-nfs-posix-acl

Enables full support of extended POSIX Access Control Lists (ACL). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits, (minimal ACL mode) in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACL, see https://linux.die.net/man/5/acl.

Note

The setfacl Linux command is blocked if this option is not enabled.

--disable-nfs-posix-acl

Disables support for extended POSIX ACLs, restoring default minimal ACL mode.

--enable-32bit-fileid

Sets the VAST Cluster's NFS server to use 32-bit file IDs. This setting supports legacy 32-bit applications running over NFS.

--disable-32bit-fileid

Disables 32-bit file IDs (default).

--nfs-minimal-protection-level NONE|SYSTEM|KRB_AUTH_ONLY|KRB_INTEGRITY|KRB_PRIVACY

Sets the minimal Kerberos authentication protection level to accept from NFSv4.1 client RPCs:

  • KRB_PRIVACY. Allows client mounts only if they use Kerberos 5 authentication with privacy checking (krb5p), the highest Kerberos security mode.

  • KRB_INTEGRITY. Allows client mounts only if they use either Kerberos 5 authentication with privacy checking (krb5p) or Kerberos 5 authentication with integrity (krb5i).

  • KRB_AUTH_ONLY. Allows client mounts with Kerberos authentication only, using any of the three Kerberos security modes (krb5, krb5i, or krb5p).

  • SYSTEM. Allows client mounts using either the AUTH_SYS RPC security flavor (the traditional default NFS authentication scheme) or with any of the three Kerberos security modes (krb5, krb5i, or krb5p).

  • NONE. Allows client mounts using the AUTH_NONE (anonymous access) or AUTH_SYS RPC security flavor, or any of the three Kerberos security modes (krb5, krb5i, or krb5p).

--nfs4-case-sensitive

When this option is specified, VAST Cluster honors case in the names of files or directories accessed through NFSv4.1.

This is the default behavior.

Caution

Changing the NFSv4.1 case insensitivity setting for an existing view may have unpredictable results.

--nfs4-case-insensitive

When this option is specified, VAST Cluster does not honor case in the names of files or directories accessed through NFSv4.1.

Caution

Changing the NFSv4.1 case insensitivity setting for an existing view may have unpredictable results.

--enable-enforce-tls-cert

Enforces TLS encryption between the NFS client and the cluster. When this setting is enabled, the Kerberos authentication minimal protection level for NFSv4 (--nfs-minimal-protection-level) must be set to SYSTEM or NONE.

Note

TLS encryption requires further setup in addition to this view policy setting. For details, see Configuring TLS Encryption with NFSv4.1.

--disable-enforce-tls-cert

Disables enforcing of TLS encryption between the NFS client and the cluster.

--enable-nfs-enforce-tls-relaxed

Applicable only if --enable-enforce-tls-cert is enabled, this setting allows non-TLS connections on auxiliary NFSv3 subprotocols such as MOUNT, NLM, NSM and RQUOTA.

--disable-nfs-enforce-tls-relaxed

Disables --enable-nfs-enforce-tls-relaxed.

NFS Host Access Options

These options determine which NFS client hosts can access the view with which access types.

The hosts (HOSTS) can be specified including any of the following items separated by commas:

  • A single IP.

  • A fully qualified domain name (FQDN).

    Note

    The following rules apply when specifying FQDNs:

    • Maximum total length of an FQDN: 255 characters.

    • Each domain name label is limited to 63 characters.

    • Allowed characters: a-z, 0-9, hyphen (-).

    • A label cannot start with a hyphen.

  • A subnet indicated by CIDR notation. For example: 1.1.1.1/24.

  • A subset of IPs specified as an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.

  • A range of IPs where the starting and ending IPs are separated by a hyphen, for example: 192.0.2.3-22

  • A netgroup, prefixed with an '@'. For information about using netgroups, see Using Netgroups to Authorize Hosts.

The access types include read/write or read-only access, the squash policy, and trash folder access.

If the configuration specifies that a host has mutually exclusive access types, the conflict is resolved as follows:

  • An IP overrides a netgroup, a netgroup overrides a netmask, and a netmask overrides a wildcard expression.

  • If a conflict remains after the previous rule is applied, then:

    • --nfs-read-only overrides --nfs-read-write.

    • --nfs-all-squash overrides --nfs-root-squash.

    • --nfs-root-squash overrides --nfs-no-squash.

On new installations, if a view policy does not have any host-based access rules defined for a specific access protocol, access is denied for all hosts. On upgraded deployments, all hosts are allowed access if no host-based access rules are defined.

--nfs-read-write [HOSTS]

Determines which NFS client hosts have read/write access to the view.

By default, all hosts have read/write access.

To restrict read/write access to specific hosts, specify HOSTS in the format described above. For example: --nfs-read-write 98.51.100.1,98.51.100.2

To prohibit read/write access for all hosts, specify this option without any values.

To create a reversed rule, that is, a rule that allows read/write access from all IPs except the one specified, prepend the IP address with a tilde, for example: ~192.0.2.0

--nfs-read-only [HOSTS]

Determines which NFS client hosts have read-only access to the view.

Specify HOSTS in the format described above.

--nfs-no-squash [HOSTS]

Determines which hosts have no squash access. With no squash, all operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.

This option is not relevant for NFSv4.1 users if Kerberos is used, since Active Directory does not include the 'root' user principal by default and since the handling of credentials for the user with UID 0 depends on configuration of the rpc.gssd service.

Specify HOSTS in the format described above.

--nfs-root-squash [HOSTS]

Determines which hosts have root squash access. With root squash, the root user is mapped to nobody for all file and folder management operations on the export. This enables you to prevent the strongest super user from corrupting all user data on the VAST Cluster.

This option is not relevant for NFSv4.1 users if Kerberos is used, since Active Directory does not include the 'root' user principal by default and since the handling of credentials for the user with UID 0 depends on configuration of the rpc.gssd service.

By default, all hosts have root squash access.

To restrict root squash to specific hosts, specify HOSTS in the format described above.

To remove root squash access for all hosts, include this option without values.

--nfs-all-squash [HOSTS]

Determines which hosts have all squash access. With all squash, all client users are mapped to nobody for all file and folder management operations on the export.

Specify HOSTS in the format described above.

--nfs-trash-access [HOSTS]

Determines which hosts have access to the trash folder, if the trash folder is enabled for the cluster.

Granting this permission gives hosts the ability to delete files by moving them into the trash folder, from which they are automatically deleted. Requires that the host is listed as No Squash (--nfs-no-squash). For details, see Trash Folder (for Rapid Parallel File Deletion).

Note

This option is applicable for NFSv3 only. The Trash folder feature is not supported for NFSv4.1 clients.

Specify HOSTS in the format described above.
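The precedence rules for NFS host access above (and the simpler IP-over-CIDR-over-wildcard, read-only-over-read/write ordering of the S3 and SMB host access sections) are easy to misjudge when a host is matched by several entries. The following Python resolver is an added example, not VAST code: it parses the documented HOSTS entry formats and computes the effective access type, squash policy and trash access for one client IP. The netgroup membership table, the sample policy, and the ranks given to IP ranges and to '~' negated entries are assumptions; FQDN entries are not resolved.

```python
import ipaddress
import re

# Rule-kind precedence from the page: an IP overrides a netgroup, a netgroup
# overrides a netmask, and a netmask overrides a wildcard expression.
KIND_RANK = {"ip": 4, "netgroup": 3, "netmask": 2, "wildcard": 1}

# Constructed netgroup membership; on a real cluster this comes from NIS/LDAP.
NETGROUPS = {"builders": {"192.0.2.10", "192.0.2.11"}}


def classify(spec):
    """Return (kind, match_fn) for one HOSTS entry in the documented formats.

    FQDNs are not handled (they need DNS). Ranking an IP range like a netmask
    is an assumption: the page ranks only IP, netgroup, netmask and wildcard.
    """
    if spec.startswith("@"):                       # netgroup: @name
        members = NETGROUPS.get(spec[1:], set())
        return "netgroup", lambda ip: str(ip) in members
    if any(c.isalpha() for c in spec):
        raise ValueError("FQDN entries are not resolved in this example: " + spec)
    if "/" in spec:                                # CIDR: 192.0.2.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return "netmask", lambda ip: ip in net
    if "*" in spec:                                # wildcard: 10.0.0.*
        regex = re.compile("^" + re.escape(spec).replace(r"\*", r"\d{1,3}") + "$")
        return "wildcard", lambda ip: bool(regex.match(str(ip)))
    if "-" in spec:                                # range: 192.0.2.3-22
        start, last_octet = spec.rsplit("-", 1)
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + last_octet)
        return "netmask", lambda ip: lo <= ip <= hi
    addr = ipaddress.ip_address(spec)              # single IP
    return "ip", lambda ip: ip == addr


def best_rank(entries, ip):
    """Rank of the most specific entry matching IP, or None if none matches.

    A leading '~' negates an entry (all hosts except the one named); giving
    the negated entry the rank of the entry it wraps is an assumption.
    """
    best = None
    for spec in entries:
        negate = spec.startswith("~")
        kind, match = classify(spec[1:] if negate else spec)
        if match(ip) != negate and (best is None or KIND_RANK[kind] > best):
            best = KIND_RANK[kind]
    return best


def resolve(policy, host):
    """Effective NFS access for HOST under POLICY (option name -> HOSTS list)."""
    ip = ipaddress.ip_address(host)

    # Access type: the more specific match wins; on a tie read-only overrides.
    rw = best_rank(policy.get("nfs-read-write", []), ip)
    ro = best_rank(policy.get("nfs-read-only", []), ip)
    if rw is None and ro is None:
        access = "denied"          # new installation: no rule means no access
    elif ro is not None and ro >= (rw or 0):
        access = "read-only"
    else:
        access = "read/write"

    # Squash: most specific match wins; on a tie all > root > no squash.
    squash, best = "root-squash", None   # page: by default all hosts root-squash
    for option in ("nfs-no-squash", "nfs-root-squash", "nfs-all-squash"):
        rank = best_rank(policy.get(option, []), ip)
        if rank is not None and (best is None or rank >= best):
            squash, best = option[len("nfs-"):], rank

    # Trash access needs a matching entry and the host listed as no-squash.
    trash = (access != "denied" and squash == "no-squash"
             and best_rank(policy.get("nfs-trash-access", []), ip) is not None)
    return {"access": access, "squash": squash, "trash": trash}


# Constructed policy: the page's final example plus a netgroup and a CIDR.
POLICY = {
    "nfs-read-write": ["10.0.0.2", "10.0.0.3", "10.0.0.4", "@builders"],
    "nfs-read-only": ["10.0.0.*", "192.0.2.0/24"],
    "nfs-no-squash": ["10.0.0.4"],
    "nfs-root-squash": ["10.0.0.*"],
    "nfs-all-squash": ["192.0.2.0/24"],
    "nfs-trash-access": ["10.0.0.4", "10.0.0.3"],
}

if __name__ == "__main__":
    for host in ("10.0.0.4", "10.0.0.3", "10.0.0.9", "192.0.2.10", "172.16.0.1"):
        print(host, resolve(POLICY, host))
```

Note that 10.0.0.3 is listed for trash access but resolves to root squash, so it gets no trash access; that is the "requires No Squash" rule in action.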

Snapshot Options

--enable-access-to-snapshot-dir-in-subdirs

Enables accessible .snapshot directories under all directories in the view. In subdirectories of protected paths, these .snapshot directories will provide links to any existing snapshots of parent directories even if there is no protected path on the subdirectory itself. This provides easier access from each directory to snapshots of parent directories.

This setting is enabled by default.

--disable-access-to-snapshot-dir-in-subdirs

Disables --enable-access-to-snapshot-dir-in-subdirs (enabled by default). Access to a .snapshot directory under each directory is then only enabled if the directory has a protected path on it.

--enable-visibility-of-snapshot-dir

If --enable-access-to-snapshot-dir-in-subdirs is also enabled, this setting enables listing of a snapshot directory in every directory in the view, even if there is no protected path on the specific directory. As with all snapshot directories, these are hidden directories that will appear in directory listings only for SMB clients.

--disable-visibility-of-snapshot-dir

Disables --enable-visibility-of-snapshot-dir if enabled. (Disabled by default).

Example

This example modifies some of the NFS host access rules of an existing view policy.

vcli: admin> viewpolicy modify --id 4 --nfs-read-write 10.0.0.2,10.0.0.3,10.0.0.4  --nfs-read-only 10.0.0.* --nfs-trash-access 10.0.0.4