I now have a fully operational system that uses ORCID to log a user in (so no passwords are stored in the DB) and restricts them to sections of the site that their role demands. For example, if a user logs in and the role they have is 'editor' they will not be able to see the 'publish' page or the contributor manager. There are some niceties to add (proper messages when ACL redirects user, etc.), but the functionality is all there.
I've also written a groovy user management system (groovy because it uses an editable table). Contributors can be added or edited, but for the time being, they cannot be deleted using this manager. Instead of deletion, the lowest level is 'de-activated'. They can still log in but all they will see is the regular information page about their CGWP account and any messages we provide.
When a contributor logs in and runs a search, they will now see a link in the quick-view that will open an editor page for that record.
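To make the role rules described above concrete, here is an added sketch (not the author's code; the role names, page names and ORCID iDs are assumed placeholders) of an ACL that fails closed, redirects with a message, and de-activates an account instead of deleting it:

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Sections of the site each role may see (assumed names). 'deactivated' is the
# lowest level: the account can still log in but only sees the account page.
ROLE_PAGES: Dict[str, Set[str]] = {
    "admin":       {"account", "search", "edit", "publish", "contributors"},
    "editor":      {"account", "search", "edit"},
    "contributor": {"account", "search", "edit"},
    "deactivated": {"account"},
}

@dataclass(frozen=True)
class User:
    orcid: str   # identity comes from the ORCID login; no password is stored
    role: str

# Constructed user table keyed by ORCID iD (placeholder iDs, not real records).
USERS: Dict[str, User] = {
    "0000-0000-0000-0001": User("0000-0000-0000-0001", "editor"),
    "0000-0000-0000-0002": User("0000-0000-0000-0002", "contributor"),
}

def login(orcid: str) -> Optional[User]:
    """The ORCID callback hands us a verified iD; we look it up, never a password."""
    return USERS.get(orcid)

def can_view(user: User, page: str) -> bool:
    """Fail closed: an unknown role or an unlisted page yields no access."""
    return page in ROLE_PAGES.get(user.role, set())

def route(user: User, page: str) -> Tuple[str, Optional[str]]:
    """Page to render, plus a message explaining the ACL redirect if one happened."""
    if can_view(user, page):
        return page, None
    return "account", f"Your role ({user.role}) does not allow access to '{page}'."

def deactivate(orcid: str) -> User:
    """Lowest level instead of deletion: the record stays, the role becomes 'deactivated'."""
    USERS[orcid] = replace(USERS[orcid], role="deactivated")
    return USERS[orcid]

def quick_view_links(user: User) -> list:
    """Links shown on a search result; only roles allowed to edit get the editor link."""
    return ["view"] + (["edit"] if can_view(user, "edit") else [])
```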