Tried to follow Configure ACF2 to set up Endevor web services security.
Step 5: Create a FACILITY resource rule record with the name ENDEVOR and grant users access to this resource by issuing the following commands:
ACF
SET RESOURCE(FAC)
COMPILE */pds.name
$KEY(ENDEVOR) TYPE(FAC)
UID(user1 uid string) ALLOW
UID(user2 uid string) ALLOW
.......
STORE
Noticed that developers who have not been added to the ENDEVOR key are still able to use the Explorer for Endevor VS Code extension to perform element actions.
How to restrict user access to Explorer for Endevor?
All supported Endevor releases
Web Services
ACF2
Documentation error - Adding a resource to the ENDEVOR FACILITY class is unnecessary as Endevor Web Services do not use that class for validation.
The Endevor documentation needs to be updated to remove step 5 from the web services configuration for ACF2, as it is misleading.
Under ACF2, if a user has access to classic Endevor, they also have access to Endevor Web Services by default. The Explorer for Endevor VS Code extension is based on Endevor Web Services.
The following options can be used to restrict user access to Web Services:
1. User Program Pathing: Restrict specific users from calling the top-level program for the Endevor backend STC (BC1PAPI0). This prevents them from accessing Endevor via Web Services.
2. PassTickets: Implement PassTickets in the APPL class to limit access to authorized users.
3. C1DEFLTS Alternative: Maintain a second copy of C1DEFLTS in the WSEWSSTC started task that points to a separate ESI table with different security rules.