Seb service function "core_user_update_users" is restricted to "moodle/user:update" permission. It should check "moodle/user:editownprofile" if editing own profile.

Here is solution, what i did in user/externallib.php:

public static function update_users($users) {
global $CFG, $DB, $USER;
require_once($CFG->dirroot."/user/lib.php");
require_once($CFG->dirroot."/user/profile/lib.php"); //required for customfields related function

$params = self::validate_parameters(self::update_users_parameters(), array('users'=>$users));

$transaction = $DB->start_delegated_transaction();

$context = context_system::instance();
foreach ($params['users'] as $user) {

// Ensure the current user is allowed to run this function
// if editing own profile
if ($user['id'] == $USER->id)

{ require_capability('moodle/user:editownprofile', $context); }

else

{ require_capability('moodle/user:update', $context); }

self::validate_context($context);

user_update_user($user);