When accessing Endevor resources via an STC using the ENA$NDVR program:
1- The IBM AD (Application Discovery) tool invokes Endevor using the ENA$NDVR program.
2- AD is configured to only access the Endevor environment named PRODUCT (TSS rule).
3- However, the Endevor ESI Security Trace shows access attempts on other Endevor environments: DTUASS / INTEGR / HOMOLOG / ARCHIV
(Example: TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.DTUASS>)
4- AD has no way of knowing that these other environments exist since they are not in the configuration.
Why does the ENA$NDVR program try to access all the Endevor environments defined on the system when AD is only configured to access PRODUCT?
Is there a way that the ENA$NDVR program can only access the desired environment?
Release : 18.1
Component : CA Endevor Software Change Manager
What is being seen is expected. Whenever a user accesses Endevor, the first check determines which Endevor environments that user has access to. Endevor reads the C1DEFLTS table to obtain the environments, then calls ESI to determine which of those environments the user has access to, and then builds the environment access for the individual who has accessed the product. The access attempts in the trace for environments other than PRODUCT come from this check. For more information on the Endevor Security Access Flow Logic, please reference: https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/19-0/securing/esi-logic-flow-diagrams.html
If the IBM AD group should only access 1 application, and the security team and/or Endevor Admin so choose, the site may want to consider putting in place a separate C1DEFLTS table for its use, with only Environment PRODUCT in the table. For more information on this, reference ENUXSITE: https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/19-0/reference/api-and-user-exits-reference/exits-reference/enuxsite.html
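For a security team reviewing the trace, the denials produced by the environment check described above can be separated from denials that deserve a closer look. The following is an added example, not Broadcom or IBM code: it assumes every denial line has the layout of the one TSS7251E message quoted above and that the resource prefix DNDV.US.ENVIRON. is the site's own; the sample lines and the environment name SANDBOX are constructed.

```python
import re
from collections import Counter

# Environment names as listed on this page; PRODUCT is the only one AD is permitted to use.
C1DEFLTS_ENVS = {"PRODUCT", "DTUASS", "INTEGR", "HOMOLOG", "ARCHIV"}
PERMITTED = {"PRODUCT"}

# Pattern follows the single message quoted on the page (assumed layout).
DENIAL = re.compile(r"TSS7251E Access Denied to (\S+) <([^>]+)>")
ENV_PREFIX = "DNDV.US.ENVIRON."   # site-specific prefix, taken from the page's example

# Constructed sample trace lines (not real output); SANDBOX is a made-up name.
SAMPLE = """\
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.DTUASS>
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.INTEGR>
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.HOMOLOG>
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.ARCHIV>
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.PRODUCT>
TSS7251E Access Denied to $ENDEVOR <DNDV.US.ENVIRON.SANDBOX>
some unrelated trace line
"""

def classify(resource):
    """Return 'expected' for environment-list checks, else 'review'."""
    if not resource.startswith(ENV_PREFIX):
        return "review"            # not an environment-level check
    env = resource[len(ENV_PREFIX):]
    if env in PERMITTED:
        return "review"            # the one environment AD needs was refused
    if env in C1DEFLTS_ENVS:
        return "expected"          # by-product of building the environment list
    return "review"                # environment not in the known C1DEFLTS list

def triage(text):
    """Parse denial messages and return (counts, resources to review)."""
    counts, review = Counter(), []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        verdict = classify(m.group(2))
        counts[verdict] += 1
        if verdict == "review":
            review.append(m.group(2))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts), review)
```

If a separate C1DEFLTS table containing only PRODUCT is put in place for AD, the "expected" count for that STC should drop to zero, and anything left belongs in the review list.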