diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89d2241..74f274b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Default access policy for resources without replication layer is now "local only".
+
 ### Fixed
 
 - Do not try to create diskless resource if there is no compatible diskless layer (DRBD or NVMe) available.
diff --git a/go.mod b/go.mod
index 9196032..da50424 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/pborman/uuid v1.2.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
+	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
 	golang.org/x/sys v0.16.0
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.60.1
diff --git a/go.sum b/go.sum
index 0071377..4982629 100644
--- a/go.sum
+++ b/go.sum
@@ -122,6 +122,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
diff --git a/pkg/volume/parameter.go b/pkg/volume/parameter.go
index a7933a5..9b68ab8 100644
--- a/pkg/volume/parameter.go
+++ b/pkg/volume/parameter.go
@@ -11,6 +11,7 @@ import (
 	"github.com/LINBIT/golinstor/devicelayerkind"
 	"github.com/pborman/uuid"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 
 	"github.com/piraeusdatastore/linstor-csi/pkg/linstor"
 	"github.com/piraeusdatastore/linstor-csi/pkg/topology"
@@ -108,13 +109,12 @@ var DefaultRemoteAccessPolicy = RemoteAccessPolicyAnywhere
 func NewParameters(params map[string]string, topologyPrefix string) (Parameters, error) {
 	// set zero values
 	p := Parameters{
-		LayerList:               []devicelayerkind.DeviceLayerKind{devicelayerkind.Drbd, devicelayerkind.Storage},
-		PlacementCount:          1,
-		DisklessStoragePool:     DefaultDisklessStoragePoolName,
-		Encryption:              false,
-		PlacementPolicy:         topology.AutoPlaceTopology,
-		AllowRemoteVolumeAccess: DefaultRemoteAccessPolicy,
-		Properties:              make(map[string]string),
+		LayerList:           []devicelayerkind.DeviceLayerKind{devicelayerkind.Drbd, devicelayerkind.Storage},
+		PlacementCount:      1,
+		DisklessStoragePool: DefaultDisklessStoragePoolName,
+		Encryption:          false,
+		PlacementPolicy:     topology.AutoPlaceTopology,
+		Properties:          make(map[string]string),
 	}
 
 	for k, v := range params {
@@ -260,6 +260,14 @@ func NewParameters(params map[string]string, topologyPrefix string) (Parameters,
 		p.ResourceGroup = "sc-" + uuid.NewSHA1(namespace, encoded).String()
 	}
 
+	if p.AllowRemoteVolumeAccess == nil {
+		if slices.Contains(p.LayerList, devicelayerkind.Drbd) || slices.Contains(p.LayerList, devicelayerkind.Nvme) {
+			p.AllowRemoteVolumeAccess = DefaultRemoteAccessPolicy
+		} else {
+			p.AllowRemoteVolumeAccess = RemoteAccessPolicyLocalOnly
+		}
+	}
+
 	// User has manually configured deployments, ignore autoplacing options.
 	if len(p.NodeList)+len(p.ClientList) != 0 {
 		p.PlacementCount = 0