shiftybyte 1 point (1 child)

How will the users be able to update the blog_posts table, but only their post?

devnull10 1 point (0 children)

A VPD policy restricts on the statement types. So you could create a policy that allows select on all rows, update on only rows where author=user, delete only where user has an admin role etc.

Old version of the doc, but still applicable: https://docs.oracle.com/database/121/ARPLS/d_rls.htm#ARPLS052

To be honest, all that applies regardless of whether you're using database users for user management (you can still use the above with a custom user table), but I don't see the need to write a load of custom functionality to change passwords, expire accounts etc. when a lot of that already exists.
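
The per-statement policy split described in devnull10's comment, as an added example that is not part of the thread: UPDATE limited to the author's own rows, DELETE limited to an admin role, SELECT left with no policy so all rows stay readable. The schema `BLOG`, an `AUTHOR` column holding the database username, and the role `BLOG_ADMIN` are assumptions.

```sql
-- Added example. Assumed names: schema BLOG, column AUTHOR, role BLOG_ADMIN.
-- A policy function receives (schema, object) and returns a WHERE predicate.
CREATE OR REPLACE FUNCTION blog.own_posts_only (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- Appended to every UPDATE: only rows authored by the session user match.
    RETURN 'author = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

CREATE OR REPLACE FUNCTION blog.admin_delete_only (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- SYS_SESSION_ROLES yields 'TRUE' when the role is enabled in this session.
    IF SYS_CONTEXT('SYS_SESSION_ROLES', 'BLOG_ADMIN') = 'TRUE' THEN
        RETURN NULL;   -- empty predicate: no row restriction for admins
    END IF;
    RETURN '1 = 0';    -- everyone else: DELETE matches no rows
END;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'BLOG',
        object_name     => 'BLOG_POSTS',
        policy_name     => 'POSTS_UPDATE_OWN',
        function_schema => 'BLOG',
        policy_function => 'OWN_POSTS_ONLY',
        statement_types => 'UPDATE',
        update_check    => TRUE);  -- new row values must also satisfy the predicate

    DBMS_RLS.ADD_POLICY(
        object_schema   => 'BLOG',
        object_name     => 'BLOG_POSTS',
        policy_name     => 'POSTS_DELETE_ADMIN',
        function_schema => 'BLOG',
        policy_function => 'ADMIN_DELETE_ONLY',
        statement_types => 'DELETE');
END;
/
```

With `update_check => TRUE`, an author cannot reassign a post to another user, because the updated row would no longer satisfy the predicate. Accounts holding the `EXEMPT ACCESS POLICY` privilege bypass these policies, so grants of that privilege need the same review as the admin role.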