I hadn't tried that yet. I'll look into that, although it will not really do what I want to achieve.
In my above case, what I did find worked was changing the main volume qtree type to multi. I then saw the security tab, and unix qtrees had everyone with a special permission (unix permission) while NTFS qtrees had everyone with full permissions, which was grand.
I was confused as to why all my subfolders continued to have everyone "full" permissions, but I just realized that it was being inherited from the NTFS qtree.
I want to keep the top-level shares pretty generic and minimal (apps/users/groups/secure/public)... and below each, get granular with security/permissions.
groups/secure would be the only ones I can see needing NTFS permissions... for the rest, unix is fine. I'm wondering if it would be better to just create separate volumes for each one and have them either NTFS or unix.
The issue I think is most of the people accessing groups will do so from unix accounts, and I'm not sure if NTFS will really work out well in terms of the broad security requirements they may need... or how that really even translates.
For example...
unix uid = joe
unix gid = eng
If there is no AD group similar to eng (and from what I've read, NetApp can't do unix group to Windows group mapping)... I'm not sure how he would be able to get access to shares using his gid, in which case the groups share could not use NTFS permissions... it would have to be unix or mixed.
My concern with mixed is that, from the sounds of it, if NTFS permissions get applied to a folder containing unix permissions, the unix permissions essentially get tossed away? That could leave a huge hole open for mistakes.