Depending on your overall needs, @KathyApplebaum’s solution is probably better, but another option that works well in some circumstances is to create an additional user source that includes only the roles you want available. Then set up soft fail-over between user sources.
As an example, an Active Directory user source could soft fail over to an internal user source that is managed by a local manager to create local users. This user source would only have roles you want the manager to assign. This in turn can soft fail over to the default user source with an admin user for access if something goes wrong with Active Directory (where other admin users are located).
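The three-link chain described in the post, modelled as an added example that is not part of the original thread and is not Ignition's own code. It assumes "soft fail-over" means: move to the next user source when the current one cannot authenticate the login, whether because it is unreachable or because it does not know the user or password; that is an assumption about the semantics, so check it against the gateway documentation. The user records, passwords and role names are constructed sample data, and the `allowed_roles` allow-list stands in for the "only the roles you want the manager to assign" restriction. The audit list shows the point a defender cares about: every fall-through from one source to the next is visible in the trail.

```python
"""Toy model of chained user sources with soft fail-over and role restriction.
Added example; not Ignition's code. Sample users and passwords are constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserSource:
    name: str
    users: dict                              # username -> (password, set of roles)
    allowed_roles: Optional[frozenset] = None  # None means no restriction
    reachable: bool = True                   # False simulates an AD outage

    def authenticate(self, username: str, password: str) -> Optional[set]:
        """Return the roles granted by this source, or None if it cannot
        authenticate the login. Raises ConnectionError when unreachable."""
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        roles = set(record[1])
        if self.allowed_roles is not None:
            # The manager-managed source can never hand out a role outside
            # its allow-list, even if someone writes one into a local user.
            roles &= self.allowed_roles
        return roles


def authenticate_chain(chain, username, password, audit):
    """Walk the sources in order (assumed soft fail-over semantics).
    Appends one audit line per source consulted; returns (source, roles) or None."""
    for source in chain:
        try:
            roles = source.authenticate(username, password)
        except ConnectionError:
            audit.append(f"{source.name}: unreachable, failing over")
            continue
        if roles is not None:
            audit.append(f"{source.name}: authenticated {username} roles={sorted(roles)}")
            return source.name, roles
        audit.append(f"{source.name}: no match for {username}, soft fail-over")
    audit.append(f"denied {username}")
    return None


def build_chain(ad_reachable: bool = True):
    """AD -> manager-maintained local source -> default source with an admin."""
    active_directory = UserSource(
        "ActiveDirectory",
        {"alice": ("ad-pass", {"Operator", "Engineer"})},
        reachable=ad_reachable,
    )
    local_manager = UserSource(
        "LocalManager",
        # 'Administrator' is deliberately stored here to show it gets stripped.
        {"bob": ("bob-pass", {"Operator", "Administrator"})},
        allowed_roles=frozenset({"Operator", "Supervisor"}),
    )
    default = UserSource(
        "Default",
        {"admin": ("admin-pass", {"Administrator"})},
    )
    return [active_directory, local_manager, default]


def demo():
    """Run the scenarios from the post and return results plus audit trails."""
    results = {}
    for label, ad_up, user, pw in [
        ("ad_user", True, "alice", "ad-pass"),
        ("local_user_role_capped", True, "bob", "bob-pass"),
        ("admin_during_ad_outage", False, "admin", "admin-pass"),
        ("bad_password", True, "bob", "wrong"),
    ]:
        audit = []
        results[label] = (authenticate_chain(build_chain(ad_up), user, pw, audit), audit)
    return results


if __name__ == "__main__":
    for label, (outcome, audit) in demo().items():
        print(label, "->", outcome)
        for line in audit:
            print("   ", line)
```

Two things the trail makes obvious and that are worth carrying into a real deployment: a wrong password is tried against every source in the chain, so each later source needs the same lockout and password-strength controls as the first, and a username that exists in both Active Directory and the local source lets the local record answer whenever AD rejects the login, so keep the local source free of names that also exist upstream.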