Thanks Levi..

We have 5 users are root admin. 

Out of that one user should not be able to modify existing connections. That user can create connections and edit connections that user has created.

Is it possible to create an admin with less privilege's than an root admin?

Thanks

Sure. The default roles (AuditAdmin, ContentAdmin, DeploymentAdmin, RootAdmin, SecurityAdmin) are just the defaults. You can enter any value in the rule for roles like so:

And now it's an option for a role:

It sounds like you're after a rule which is similar to ContentAdmin but only having read access to data connections.

So here is my content admin security rule and resource filter

Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*

As long as I remove update and delete from the actions from the above content admin security rule and If I assign this content admin role to the admin user (remove root admin role) then that user won't be able to delete the existing connections? Does that work?

Thanks

Assuming that you want the users to be able to change / remove / etc all content except for modifying data connections, I would do the following:

Name: ContentAdmin2-Content
Filters: Stream_*,App*,ReloadTask_*,ExternalProgramTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*
Actions: Create+Read+Update+Delete+Export+Publish+ChangeOwner+Duplicate+Approve
Conditions: ((user.roles="ContentAdmin2"))
Context: QMC

Name: ContentAdmin2-DataConnections
Filters: DataConnection_*,
Actions: Create+Read
Conditions: ((user.roles="ContentAdmin2"))
Context: QMC

Name: ContentAdmin2QmcSections
Filters: License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_DataConnection,QmcSection_Tag,QmcSection_User,QmcSection_CustomPropertyDefinition,QmcSection_Task,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension,QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary,QmcSection_Audit,QmcSection_AnalyticConnection,QmcSection_SystemNotification,QmcSection_SystemNotificationPolicy,QmcSection_DeploymentSetup
Actions: Read
Conditions: ((user.roles="ContentAdmin2"))
Context: QMC

Name: ContentAdmin2RulesAccess
Filters: SystemRule_*
Actions: Create+Read+Update+Delete
Conditions: user.roles = "ContentAdmin2" and (resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") or (resource.category = "Generic" and resource.subcategory = "SystemNotification"))
Context: QMC

Thank you Levi so much,

I had default all the security rules except ContentAdmin-DataConnections

So I created that rule as well. Then I tested with some one as content admin and that person is able to edit and save existing connections. Can you please advice what might be wrong here?

Thanks