diff --git a/files/rootwrap.d/volume.filters b/files/rootwrap.d/volume.filters
index 47d679bf..1826fc21 100644
--- a/files/rootwrap.d/volume.filters
+++ b/files/rootwrap.d/volume.filters
@@ -122,8 +122,9 @@ rm: CommandFilter, rm, root
 # cinder/volume/drivers/remotefs.py
 mkdir: CommandFilter, mkdir, root
 
-# cinder/volume/drivers/netapp/nfs.py:
+# cinder/volume/drivers/netapp/dataontap/nfs_base.py:
 netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+netapp_nfs_touch: CommandFilter, touch, root
 
 # cinder/volume/drivers/glusterfs.py
 chgrp: CommandFilter, chgrp, root
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index 6a651220..a32ad1cc 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -93,6 +93,10 @@
 "backup:update": "rule:admin_or_owner",
 "backup:backup_project_attribute": "rule:admin_api",
 
+ "volume:attachment_create": "",
+ "volume:attachment_update": "rule:admin_or_owner",
+ "volume:attachment_delete": "rule:admin_or_owner",
+
 "snapshot_extension:snapshot_actions:update_snapshot_status": "",
 "snapshot_extension:snapshot_manage": "rule:admin_api",
 "snapshot_extension:snapshot_unmanage": "rule:admin_api",
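Review bot: The added `netapp_nfs_touch: CommandFilter, touch, root` entry matches on the command name only, so anything permitted to invoke rootwrap with this filter file can run `touch` as root with arbitrary arguments, creating empty files or resetting timestamps anywhere on the host. The `netapp_nfs_find` entry directly above it constrains every argument with a `RegExpFilter`, and the new entry should follow the same pattern, e.g. `netapp_nfs_touch: RegExpFilter, touch, root, touch, <REGEX_FOR_CACHE_FILE_PATH>`, where the placeholder stands for a pattern covering only the paths the driver actually touches. The call site in nfs_base.py is not part of this diff, so the exact argument shape needs to be confirmed there before the filter is tightened.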
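Review bot: `"volume:attachment_create": ""` is an empty rule, which oslo.policy treats as always allowed, while the update and delete rules added beside it require `rule:admin_or_owner`. With this entry the policy layer places no project restriction on creating an attachment, so tenant isolation rests entirely on the API code scoping the volume lookup to the caller's project, which this diff does not show. If that scoping is not guaranteed, use `"volume:attachment_create": "rule:admin_or_owner"`. If the empty rule is intentional, record it in the template with a Jinja comment such as `{# empty rule: any authenticated user may create an attachment #}` so the asymmetry is not later mistaken for an oversight.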