The concept of an
Identity and a User is distinct in Cloud CMS. They are separate things. Essentially, a User holds the name, email address and other properties about a user and an Identity holds the password. A User may optionally have an identity associated with it but this isn't required.
For any users that you want to give the ability to log in, you'll need to have an identity created and associated for them. This is as easy as editing the user and setting their password. When a password is saved along with a user, the user's identity is automatically created (if it doesn't already exist) and associated.
There are use cases where you might want to have a User object without a password. For example, you might use a Domain to store Users, Groups and Memberships for a social graph (say, one you sync from Facebook). Or maybe to store an organizational hierarchy that your app uses internally but has nothing to do with user logins.
Also, the concept of an Identity being separate is very powerful because it lets multiple users share a single identity. We call this Identity Policies. For example, some clients have built apps which offer different courses (classrooms). Each classroom operates independently and has it's own Domain of users. However, a shared Identity policy allows students to login once and jump back and forth between classrooms. Their multiple user objects are chained together, effectively.