Art,
"We have a whole list of those already that they're not happy with ;-)"
What are they not happy about? This is the standard, out-of-the-box OpenVMS configuration that has passed C2 and even (for SEVMS) B1 security. If they're not happy, what would they like them changed to? Are they comfortable with the potential risks?
As Steve has pointed out, the group identifier SYSTEM cannot be created automatically as there is already a username identifier SYSTEM. I've seen people create group identifier "SYS", but I don't know if it was a help or hinderance.
From an auditing perspective, there is no practical distinction between any UICs below MAXSYSGROUP, except to identifiy different users in audit logs (but then any of them has sufficient privilege to forge audit records...) Since there is no user [1,1] it can be thought of as indicating something owned by "the system", but not by the username "SYSTEM".
Jan's suggestion of creating an identifier may help the uninitiated comprehend it better, but it has no real impact on the security of the system. The risk is there may be (poorly written) software which assumes it will see ownership as the string "[1,1]" for system objects, which might be broken by such a change.
Remember, all this stuff dates back to V1.0 and beyond to prior operating systems. The broader security framework, including identifiers and ACLs was introduced in V4, WAY too late to change the historical baggage, so we're stuck with it.
A crucible of informative mistakes
