Do I set these all up in Manage Security?
Or can they be records in a User table?
As part of an account management system you create, yes.
Or is there a better way?
Well that acount management system could be your better way. You can set up a table where you have one record for each account. You can then devise scripts that create new accounts, reset passwords etc using this table to track each account by name and privilege set. Open the script editor in Manage Scripts and check out the steps in the Accounts category. (And these scripts can be set to run with "full access privileges" so that someone with a less than full access privilege set can run them.)