There are many hardcoded checks for a username "system" or "Administrator" (depending on places).
- "system" should never be seen from the outside, it's an internal marker for unrestricted sessions, if needed it can be replaced with a string we're sure can never be used as an actual login name,
- "Administrator" should be replaced by the use of NuxeoPrincipal.isAdministrator().