API Endevor EXTRACT security with IBM "Application discovery"

Article ID: 110202

Products

Endevor Endevor Natural Integration Endevor - ECLIPSE Plugin

Issue/Introduction

We have installed IBM "Application discovery" and when running the Discovery STC, the task is not authorized to perform the Endevor action.

I need to know the security level access required for this function API EXTRACT of IBM "Application discovery".

My current BC1TNEQU is defined as follows and the IBM "Application discovery" has SAFAUTH=READ.

FUNCEQU SAFAUTH=READ,
     C1ACTNS=(DISPLAY,PBACKOUT,PCAST,PCOMMIT,PCREATE,PDISPLAY,
     PEXECUTE,PLIST,PMODIFY,PREVIEW,PUTILITY,PSHIP,PDYNAMIC)
FUNCEQU SAFAUTH=UPDATE,
     C1ACTNS=(ADD,UPDATE,GENERATE,SIGNOVR,MOVE,RETRIEVE,SIGNIN)
FUNCEQU SAFAUTH=CONTROL,
     C1ACTNS=(ARCHIVE,DELETE)
FUNCEQU SAFAUTH=ALTER,
     C1ACTNS=(ENVRNMGR)
 

Environment

Endevor 

 

Resolution

As per the IBM "Application discovery" documentation, the application requires RETRIEVE authorization.

Based on the information provided, the C1ACTNS RETRIEVE action is defined at level SAFAUTH=UPDATE, but you have authorized the IBM "Application discovery" API at SAFAUTH=READ, so the RETRIEVE action is not authorized.

You need to give UPDATE access to IBM "Application discovery",
or
you can code an auth value of NONE for DISPLAY and move RETRIEVE to the auth value of READ. In this case, a security check (a RACROUTE request) is not issued for the c1access functions that NONE covers (i.e. C1ACTNS DISPLAY), but a security check (a RACROUTE request) is issued for the c1access function RETRIEVE.
Note: Omitting C1ACTN from the definitions results in a default assignment of NONE. Use NONE when a security check is not desired.
For example, the following code results in no security check for DISPLAY:

FUNCEQU SAFAUTH=(NONE),                                     X  
        C1ACTNS=(DISPLAY)
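
As an added illustration (not part of the original article and not Endevor code), this Python sketch parses the FUNCEQU entries quoted above and compares what a task holding READ or UPDATE is authorized to do under the current table and under a constructed revised table for the second option. It assumes the usual SAF access ordering NONE < READ < UPDATE < CONTROL < ALTER; `parse_table`, `passes` and `allowed` are hypothetical helper names.

```python
import re

# SAF access levels, lowest to highest; NONE means no RACROUTE check is issued.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Entries shared by both tables (continuation column omitted in these samples).
TAIL = """FUNCEQU SAFAUTH=CONTROL,
     C1ACTNS=(ARCHIVE,DELETE)
FUNCEQU SAFAUTH=ALTER,
     C1ACTNS=(ENVRNMGR)
"""
# BC1TNEQU entries as quoted in the article.
CURRENT = """FUNCEQU SAFAUTH=READ,
     C1ACTNS=(DISPLAY,PBACKOUT,PCAST,PCOMMIT,PCREATE,PDISPLAY,
     PEXECUTE,PLIST,PMODIFY,PREVIEW,PUTILITY,PSHIP,PDYNAMIC)
FUNCEQU SAFAUTH=UPDATE,
     C1ACTNS=(ADD,UPDATE,GENERATE,SIGNOVR,MOVE,RETRIEVE,SIGNIN)
""" + TAIL
# Constructed variant for the second option: DISPLAY at NONE, RETRIEVE at READ.
REVISED = """FUNCEQU SAFAUTH=(NONE),
     C1ACTNS=(DISPLAY)
FUNCEQU SAFAUTH=READ,
     C1ACTNS=(RETRIEVE,PBACKOUT,PCAST,PCOMMIT,PCREATE,PDISPLAY,
     PEXECUTE,PLIST,PMODIFY,PREVIEW,PUTILITY,PSHIP,PDYNAMIC)
FUNCEQU SAFAUTH=UPDATE,
     C1ACTNS=(ADD,UPDATE,GENERATE,SIGNOVR,MOVE,SIGNIN)
""" + TAIL

def parse_table(text):
    """Return {action: SAF level required} from FUNCEQU entries."""
    flat = re.sub(r"\s+", "", text)  # join continuation lines
    pattern = r"FUNCEQUSAFAUTH=\(?(\w+)\)?,C1ACTNS=\(([^)]*)\)"
    return {action: level
            for level, actions in re.findall(pattern, flat)
            for action in actions.split(",")}

def passes(table, action, granted):
    """True if a user ID holding `granted` is authorized for `action`."""
    required = table.get(action, "NONE")  # omitted actions default to NONE
    return LEVELS.index(granted) >= LEVELS.index(required)

def allowed(table, granted):
    """Every action in the table that `granted` authorizes."""
    return sorted(a for a in table if passes(table, a, granted))

if __name__ == "__main__":
    for name, text in (("current", CURRENT), ("revised", REVISED)):
        table = parse_table(text)
        print(name, "READ:", allowed(table, "READ"))
        print(name, "UPDATE:", allowed(table, "UPDATE"))
```

Under the current table, granting UPDATE so that RETRIEVE passes also authorizes ADD, UPDATE, GENERATE, SIGNOVR, MOVE and SIGNIN; under the revised table, READ is enough for RETRIEVE and those actions stay out of reach.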

 
If you can't change your current setup, you can create an exit 2 that checks the action being performed and fails it if the action is not a single RETRIEVE, and also fails it if the "SIGnout Override" or "Signout" options are used.
 
We recommend tracing ESI and alternate user ID activities with the following trace DD statements:


//EN$TRESI DD SYSOUT=*
//EN$TRAUI DD SYSOUT=*
//BSTERR DD SYSOUT=*

The trace //EN$TROPT DD SYSOUT=* is also useful for showing your Endevor options.

You can also activate SMF recording (in C1DEFLTS) to trace activities performed in Endevor.

 

Additional Information

Endevor Setting up Functional Security (ESSI) 

Endevor SMF Recording