You can restrict access to app settings using Access Control List See Admin area. Manage App Setting So create two levels of Admin user Basic Admin and SuperAdmin Only provide SuperAdmin with access to - Admin area. Manage App Setting and - Admin area. Manage ACL
Encryption of the connection string is not supported out of the box. There's an old GitHub issue about it, but they "decided not to implement it out of the box."