We have an odd situation where one user is able to get data from the CFILE command,  but another user does not return any data.

I created a profile for USER1, which is a non-expiring userID, and I am still unable to return data from the CFILES command for example.  It appears to display the correct headings, but not the data.   

For comparison USER2 id has no problems returning the CFILE command data.

Comparing the two userIDs in SYSVIEW security they are part of the same Group and have the same command privileges.   Our external security team has also verified that both userIDs are set up the same.   

How can we debug this?

You can set Debug on by user ID in SYSVIEW security.  However, when you are setting Debug on for SYSVIEW internal security it will only generate records for the ID when it fails a request.  In order to debug SAF calls, use the command SET DEBUG4 X10 to turn on message logging for those requests that get failed by external security.  To stop the tracing you will then need to issue SET DEBUG4 X00. 

Refer to the section Implement External Security in the SYSVIEW documentation for more information.