The repository:ONLY privilege should be created when you do the initial load if you use one of the SAP templates. If not, you can manually create it.
On the repository, set the master privilege to be SAP:repository:ONLY (note, it can be anything but changing it would make life hard for anyone following you).
Create a task called 'Assign Master Privilege' which has:
MSKEYVALUE %mskeyvalue%
MXREF_MX_PRIVILEGE PRIV:$rep.$Name:ONLY
Ensure that the repository is set to 'inherited'
Assign your new task as the 'No Master Task' on all repositories.
When a user gets a privilege in a back end system, it will check to see if they have an 'ONLY' priv for that repository. If not, it triggers the 'No Master Task' which assigns it and then it will assign the backend privilege.
Peter