To access the user management open the settings and select the Security section.
You should now see an overview of the existing users and their currently assigned roles (1). You can edit and delete (2) existing users or create a new one with the Add new button (3). Please note that Administrator and Anonymous are system users and you should not delete them.
The amount of data you can edit on this page depends on the login type(1) of the user. E.g. if the user login type is LDAP, then you cannot modify username or password and the display name and email address are usually synchronized with LDAP automatically. If the login type is internal DB you can modify all data.
To define access rights, switch to the Roles tab(2) to assign roles to the user.
The image in the upper right corner (3) is retrieved from Gravatar by using a hash of the supplied email address of the user.
You can also generate a new API token or delete an existing one by pressing the respective button (4). Please note that you have to click the Submit button in order to persist the new token. API tokens can be used as an alternative login means (instead of providing username and password). If a user logs in by API token he gets the same permissions as through a regular login.