Hi Ben,
I understand your need and your setup; I worked on a project with a similar setup. I am afraid this is not something that Mendix offers out of the box, so it will be something you have to build on your own.
The way we did it was that only the secondary-level user roles are assignable (from a dropdown), and then on save we would check and automatically add the relevant primary-level roles. This way there was no danger that an admin forgets to assign a primary role.
Hope this helps!