The users are most importantly used to configure the system. There is actually only one way to interface with the system from outside; by authenticating as a valid user over the backend's SOAP API. The web administration and console program is only front-end applications, that forwards the login credentials with each request they make over the API.
If no access level (flags) are set, the user has full access. You may combine all flags as you like. A user cannot change his own flags.
|w||Write (privileged) access|
External authentication and scripting
There's almost no limit what can be achieved using the authentication scripts, which enables TACACS+, RADIUS and LDAP authentication, custom access rights, etc.