We are currently testing the Application Collection functionality, but it seems that creating an Application Collection means it's available for everyone in the entire organization, even if the Access Queries would deny access to all applications.
It would be much preferred to only show the Application Collection to the user that created it, or to users that already have access to all applications that are listed in the Application Collection.
Is there any way to configure this?
Unfortunately, there might be no way to configure this. All application collections defined will be available for request to all users in the org.
It's logically bundling applications and enterprise roles to enable users and superiors to raise requests of that bundle.
If the endpoint access query does not provide a user access to raise requests for a particular application, it should also ideally not allow that application to be requested as a part of the application collection.
Better to raise an idea for this (Saviynt Ideas Portal) or a fd ticket as it violates the purpose of the endpoint access query.