In order to support automation of scripts and reports that access private data in Hadoop, we need to grant access to files owned by analytics-privatedata-users to non-human user accounts. See T174110.
We met with Chase to talk about options, and decided that we definitely don't want to manage system users in admin's data.yaml. Instead, we'd create the ability for admin::groupmembers to take a supplementary list(s) of users that should be included in a group, in addition to the usual group membership as specified in data.yaml. This would allow admin::groupmembers to ensure that specified system users are in user groups, such as analytics-privatedata-users.