1. You can add hooks to logging / compliance from an authn interception script.
2. Password change is not a feature of oxAuth. WE don't recommend use of the password reset feature in oxTrust, except for small deployments.
3. We certainly don't have any kind of delegated admin features in the Gluu Server. An admin can hypothetically edit users in oxTrust, but this is not a good idea. The Gluu Server is not meant for this. You can shut off the admin's ability to edit any specific attribute. The Gluu Server is **not** an IDM tool. This is absolutely not on the roadmap. Use Evolveum Midpoint, Wren IDM, or Syncope if you need IDM.