When accessing  Endevor resources via an STC using the ENA$NDVR program :

1- The IBM AD (Application Discovery) tool invokes Endevor using the ENA$NDVR program.

2- AD is configured to only access the Endevor environment named PRODUCT (TSS rule).

3- However, the Endevor ESI Security Trace shows access attempts on other Endevor environments:  env1 / env2 / env3 / env4

          (Example : TSS7251E Access Denied to $ENDEVOR <iprfx.iqual.ENVIRON.env5>)

4- AD has no way of knowing that these other environments exist since they are not in the configuration.

Why does the ENA$NDVR program, try to access all the Endevor environments defined on the system when AD is only configured to access PRODUCT?

Is there a way that the ENA$NDVR program can only access the desired environment?

What is being seen is expected.  Whenever a user accesses Endevor, the first check is to see what Endevor Environments the user has access to.  When accessing Endevor it reads the C1DEFLTS table to obtain the Envirnoments - then ESI is called to determine what Environments the user has access to - then Endevor builds the Environment access for the individual that is accessing the product. 

More infomation on the Endevor Security Access Flow Logic

If there is a need for a group of developers to only access 1 application, the security team along with the Endevor Administration may want to consider putting in place a seperate C1DEFLTS table for its use and only have 1 that 1 Environment in the table.  This can be done by implementing the Enuxsite.