ESF796 messages with reason UNKNOWN are issued in the ESFLOG; what should I check to prevent these messages to be issued ?

Messages ESF796 can be issued when processing internal security checks and a file is being written to CA Spool, or a user tries to access a file or a printer, or after a REINIT in case a SAFUID has been removed and there are files in Spool associated with the user for some examples.

They can be one of the two following formats:

ESF796  USER(USER01 ) UNKNOWN

which means user USER01 does not match a SAFUID definition

ESF796  USER(USER01 )                                                 
ESF796    RESOURCE(ESFSECU.NOGR10.G0000777                     ) UNKNOWN

which means resource ESFSECU.NOGR10.G0000777 does not have a matching SAFAT definition

Using internal and/or external security is defined on the SAFDEF statement, and can be overriden individually on SAFTYPEs; for example:

SAFDEF  INT,NOEXT,CLASS=DATASET

SAFTYPE 5,'ESFSECU.FIGRGRP',INT,EXT                   
SAFTYPE 6,'ESFSECU,NOCONTROL',NOINT,EXT             
SAFTYPE 7,'ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)',EXT,INT 
SAFTYPE 8,'ESFSECU.NONO&REQ(6,2).&NOD(0,8)',NOINT,NOEXT
SAFTYPE 9,'ESFSECU.CMND.&CMD(0,8)',EXT,NOINT         

When both internal and external security are active, CA Spool first checks internal definitions for authorization; if access is not allowed with internal security then CA Spool issues SAF calls to the external security tool (CA Top Secret, CA ACF2 or IBM RACF).