I hope you have/will have a front-end application which takes the user's information and finally submits the information to the system. Also, I assume that you are handling that request using a servlet/service and creating users in the repository (preferably inside /home/users).
You can write a workflow on creation of the user (node type rep:user) node, and assigning of privileges will be triggered when approval happens for that node. You have to write a custom processor component which will be executed when approval happens and update the ACL information on the corresponding "rep:policy" node under the user node.
I hope the above will help you to get some idea.
Some thoughts ....
You can create an event handler (or workflow launcher) to trigger a workflow on cq:User create node. The event handler will also disable that user on sign-ups through some custom property. Then the workflow script will enable that property after approval. This will require some custom implementation.
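
The approval step described in the answers above, as an added example that is not part of the original posts: a Granite `WorkflowProcess` that re-enables the signed-up user once the workflow reaches it. It assumes the workflow payload is the user node's path, that the sign-up handler disabled the account with Jackrabbit's `User.disable(reason)` in place of the custom property the answer mentions, and that the workflow session is allowed to manage users; the package, class name and process label are hypothetical.

```java
package com.example.signup; // hypothetical package name

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.osgi.service.component.annotations.Component;
import com.adobe.granite.workflow.WorkflowException;
import com.adobe.granite.workflow.WorkflowSession;
import com.adobe.granite.workflow.exec.WorkItem;
import com.adobe.granite.workflow.exec.WorkflowProcess;
import com.adobe.granite.workflow.metadata.MetaDataMap;

/** Workflow step placed after the approval step; the payload is the new user node's path. */
@Component(service = WorkflowProcess.class,
           property = {"process.label=Enable approved sign-up user"}) // hypothetical label
public class EnableApprovedUserProcess implements WorkflowProcess {

    private static final String USER_ROOT = "/home/users/"; // user location named in the thread

    @Override
    public void execute(WorkItem item, WorkflowSession wfSession, MetaDataMap args)
            throws WorkflowException {
        String path = String.valueOf(item.getWorkflowData().getPayload());
        // Refuse payloads outside the user tree so the step cannot be pointed at other nodes.
        if (!path.startsWith(USER_ROOT) || path.contains("..")) {
            throw new WorkflowException("Payload is not a user path: " + path);
        }
        try {
            Session session = wfSession.adaptTo(Session.class);
            if (!(session instanceof JackrabbitSession)) {
                throw new WorkflowException("No Jackrabbit session available");
            }
            Authorizable auth =
                    ((JackrabbitSession) session).getUserManager().getAuthorizableByPath(path);
            // Only an existing, currently disabled, non-admin user may be enabled by this step.
            if (auth == null || auth.isGroup()) {
                throw new WorkflowException("No user at " + path);
            }
            User user = (User) auth;
            if (user.isAdmin() || !user.isDisabled()) {
                throw new WorkflowException("Refusing to change " + user.getID());
            }
            user.disable(null); // a null reason re-enables the account
            session.save();
        } catch (RepositoryException e) {
            throw new WorkflowException("Could not enable user at " + path, e);
        }
    }
}
```

Any ACL changes tied to approval would go in the same step, after the checks and before `session.save()`, so an unapproved account never holds them.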