To limit your users who to add as a manager/contibutor/reader or "no access" (read more about roles here) simply go to the SEP MC (Management Console)/Policies/highlight your policy/Editor
tab/ Application settings/Secured eUSB/Security go to Secured eUSB Protection Method (read more about Protection Methods)/Find the tickbox "Let the user select who to secure for" and click "Limit.."
A new window will appear called Choose Members - this is a part of the role system in SEP. If you have a default policy you will see "All users" to the left under Name and a tickbox to the right called: "Include subentities".
To remove the possibility completely for your users that has this policy assigned to them simply right click in the "Include subentities" box and click on the Remove button.
Please note that this will not affect existing eUSB devices, since they are designed to be "autonomous" - it will however effect all Secured eUSB devices that you encrypt from now on.