Thursday, January 27, 2011

Self Service User Profile Modifications

As we were completing our configuration for deployment, we noticed that the set of attributes a person can modify on their own profile by default is larger than we wanted to allow. For example, since our HR system is the system of record for names, we did not want a person to be able to change their name through OIM. The OOTB policy allows all users to edit their Name, Email Address, and Display Name, none of which we wanted them to be able to change.

Since this is an OOTB authorization policy, it can't be edited in the OIM UI, nor overridden. Creating another policy let us add attributes to the editable set, but not remove those already permitted. Looking around, we located where the OOTB policies are defined and the ant scripts that load them into the embedded OES server. By commenting out the unwanted attributes and running the appropriate ant target, we were able to remove the ability to self-modify those attributes.

This is not a supported solution, and each time you patch the server you will need to check that the policy still contains the changes you intend, since the seeded policy file and the load step are what the patch process touches. (FYI: we have filed an enhancement request to have this made the default policy.)

With that caution here goes:

In the ORACLE_HOME/server/seed_data/Seed/OESPolicies directory you will find the SelfServiceUserManagementPolicies.xml file. Make a copy of it for posterity and open it for editing in your favorite tool.

The offending section is right at the top; simply comment out the attributes you don't want to be editable.


Next, set up your environment as you would for patching by exporting the WL_HOME, ANT_HOME, OIM_ORACLE_HOME, and ORACLE_HOME paths.

In the ORACLE_HOME/server/bin directory make a copy of the weblogic.profile and patch_weblogic.sh files. Edit your copies and change the profile to that of your copy and the ant target to update-oes-ootb-polices. I had to add an additional entry to the profile for the OIM DB password in order to get it to work, hence the copy. So in your profile copy add the entry OIM.DBPassword=. Run the script, it does take some time to update the OES policies. Once done, you can go into the UI and verify that it removed those attributes.