ESF796 messages with reason UNKNOWN are issued in the ESFLOG when files are written to SPOOL.

Messages ESF796 can be issued when processing internal security checks and a file is being written to CA Spool, a user tries to access a file or a printer, or after a REINIT.  If a SAFUID has been removed and there are files in Spool associated with the user the message will occur

The message has two formats:

ESF796  USER(USER01 ) UNKNOWN
Which means user USER01 does not match a SAFUID definition.

ESF796  USER(USER01 )                                                 
ESF796    RESOURCE(ESFSECU.NOGR10.G0000777                     ) UNKNOWN
Which means resource ESFSECU.NOGR10.G0000777 does not have a matching SAFAT definition.

Using internal and/or external security is defined on the SAFDEF statement, and can be overridden individually on SAFTYPEs.
For example:

SAFDEF  INT,NOEXT,CLASS=DATASET

SAFTYPE 5,'ESFSECU.FIGRGRP',INT,EXT                   
SAFTYPE 6,'ESFSECU,NOCONTROL',NOINT,EXT             
SAFTYPE 7,'ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)',EXT,INT 
SAFTYPE 8,'ESFSECU.NONO&REQ(6,2).&NOD(0,8)',NOINT,NOEXT
SAFTYPE 9,'ESFSECU.CMND.&CMD(0,8)',EXT,NOINT         

When both internal and external security are active, Spool first checks internal definitions for authorization; if access is not allowed with internal security then Spool issues SAF calls to the external security products (Top Secret, ACF2, or IBM RACF).