Providing secondary authorization IDs for a CICS region

When a CICS region connects to Db2®, it can provide one or more secondary authorization IDs to Db2, in addition to the primary authorization ID. You can use the name of the RACF group, or list of groups, to which the CICS region is connected, as secondary authorization IDs. This enables you to grant Db2 privileges and authority to RACF groups, and then connect multiple CICS regions to the same groups, instead of granting Db2 privileges to all the possible primary authorization IDs for each CICS region.

1. Specify SEC=YES as a system initialization parameter for the CICS region, to ensure that CICS uses RACF.
2. Connect the CICS region to the appropriate RACF group or list of groups.
   See RACF group profiles.
3. Replace the default Db2 connection exit routine DSN3@ATH.
   This exit routine is driven during connection processing. The default connection exit routine does not support secondary authorization IDs, so you need to replace it with the sample connection exit routine DSN3SATH, which is provided with Db2, or with your own routine. DSN3SATH is shipped in source form in the Db2 SDSNSAMP library, and you can use it as a basis for your own routine. DSN3SATH passes the names of the RACF groups to which the CICS region is connected, to Db2 as secondary authorization IDs. If the RACF list of groups option is active, DSN3SATH obtains all the group names to which the CICS region is connected, and uses these as secondary authorization IDs. If the RACF list of groups option is not active, DSN3SATH uses the name of the CICS region's current connected group as the only secondary authorization ID.