I think the main confusion is a bit about naming:
IdentityType - parent interface for Identity and Group
Identity aka user
Group aka group...
This is covered in the "API" part of the design doc: http://www.jboss.org/community/docs/DOC-13261
The decision to use the name "Identity" and not simply "User" was mainly because "Identity" in some authentication/authorization scenarios can also be machines... Now I'm a bit afraid that it will confuse people.
So for the methods:
will return all Identity objects (so all users if you prefer such naming)
identitySession.getPersistenceManager().findGroup(groupType, null)
all Group objects for a given group type.
The controls then only let you narrow or order/sort the results.
With RelationshipManager you can get all Group objects associated with a given Identity regardless of the GroupType.
To follow a "real life" scenario with the API, look at this API test case:
One of the tests maps a small part of the structure of the jboss.org projects, so it should help you understand the API concepts better.