Yes, you can do it.
First, you need to create these Connections. They will be produced with default set of rules, most of them generic (applicable to all Connectors):
As you can see Security Admins and Content Admins have full ability to modify/add/delete these Connectors.
So, just make sure that your BA will not be set as these Admins....
I would recommend to create a Custom Property for your BAs. For example, this is how I've done it for my team:
So, for "Consumers" you can create a New Rule in Connections that will give then Read Only access:
And of course you can do it for all Connectors (like above) or you can do different approach for different Connectors (just update the property in Resource Filter line):
I hope it will help!