As long as you are not opening the TDI HTTP Server Connector to a 'public' domain, it seems the requirement is a normal one. (Note: I wonder, when you said public URL, you do not mean a really 'public' URL, where the whole world can access the TDI server, right?)
The AL is not that easy, but it is doable; here is my take:
1. Yes, use the TDI HTTP Server Connector.
2. Then you need some sort of data manipulation to map which request means add/remove a role. Note: protection against incorrect requests is troublesome by itself.
3. Yes, we can use the addRolesToPerson and removeRolesFromPerson services on the ISIM WS to add/remove ISIM roles, but there is probably a trade-off between having ISIM WS session control within the AL and a script to add/remove roles using the ISIM_JNDI connector.
4. You probably need to construct your own return message for the various types of outcome.
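Added example, not from the post above or from the TDI/ISIM products: a plain JavaScript sketch of steps 2 and 4, the request-to-operation mapping with input checks and a per-outcome reply. The request field names, the role allowlist and the status codes are assumptions; it does not touch TDI connector attributes or call the ISIM WS, it only decides which service name the AL would invoke.

```javascript
// Request validation and response mapping for a role add/remove endpoint
// fronted by a TDI HTTP Server Connector. Field names (action, personUid,
// roleName) and the allowlisted roles are assumptions, not ISIM/TDI identifiers.
const ALLOWED_ROLES = new Set(["Auditor", "HelpDesk"]); // constructed allowlist
const ACTIONS = { add: "addRolesToPerson", remove: "removeRolesFromPerson" };
const UID_RE = /^[A-Za-z0-9._-]{1,64}$/;
const MAX_BODY = 4096;

// Map an incoming request to an ISIM WS operation; reject anything malformed
// before it reaches the role-change logic (the "incorrect requests" in step 2).
function mapRoleRequest(method, contentType, rawBody) {
  if (method !== "POST") return { ok: false, status: 405, message: "POST required" };
  if (!/^application\/json/i.test(contentType || ""))
    return { ok: false, status: 415, message: "JSON body required" };
  if (typeof rawBody !== "string" || rawBody.length > MAX_BODY)
    return { ok: false, status: 413, message: "body missing or too large" };
  let req;
  try { req = JSON.parse(rawBody); } catch (e) {
    return { ok: false, status: 400, message: "malformed JSON" };
  }
  const service = ACTIONS[req.action];
  if (!service) return { ok: false, status: 400, message: "action must be add or remove" };
  if (typeof req.personUid !== "string" || !UID_RE.test(req.personUid))
    return { ok: false, status: 400, message: "invalid personUid" };
  if (!ALLOWED_ROLES.has(req.roleName))
    return { ok: false, status: 400, message: "role not permitted" };
  return { ok: true, service, personUid: req.personUid, roleName: req.roleName };
}

// Build the reply the AL returns for each outcome class (step 4).
function buildResponse(outcome) {
  if (!outcome.ok) {
    return { status: outcome.status, body: { result: "rejected", reason: outcome.message } };
  }
  return { status: 200, body: { result: "ok", service: outcome.service,
                                personUid: outcome.personUid, roleName: outcome.roleName } };
}

// Constructed sample request, as the connector would hand it to the AL.
const SAMPLE_BODY = '{"action":"add","personUid":"jdoe","roleName":"Auditor"}';
console.log(JSON.stringify(buildResponse(mapRoleRequest("POST", "application/json", SAMPLE_BODY))));
```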