Using secondary IDs for connection requests

If you want to use Db2 secondary authorization IDs, you must replace the default connection exit routine. If you want to use RACF® group names as Db2 secondary IDs, the easiest method is to use the IBM®-supplied sample routine.

About this task

The following table lists the differences between the default and sample connection exit routines.

Table 1. Differences between the default and sample connection exit routines
| Default connection exit routine | Sample connection exit routine |
| --- | --- |
| Supplied as object code. | Supplied as source code. You can change the code. |
| Installed as part of the normal Db2 installation procedure. | Must be compiled and placed in the Db2 library. |
| Provides values for primary IDs and SQL IDs, but does not provide values for secondary IDs. | Provides values for primary IDs, secondary IDs, and SQL IDs. |

The sample connection exit routine has the following effects:
  • The sample connection exit routine sets the Db2 primary ID in the same way as the default routine, according to the following rules:
    • If the initial primary ID is not blank, the initial ID becomes the Db2 primary ID.
    • If the initial primary ID is blank, the sample routine provides the same default value as does the default routine.
    • If the sample routine cannot find a nonblank primary ID, Db2 uses the default ID (UNKNOWN AUTHID) from the DSNTIPP installation panel. In this case, no secondary IDs are supplied.
  • The sample connection exit routine sets the SQL ID based on the following criteria:
    • The routine sets the SQL ID to the TSO data set name prefix in the TSO user profile table if the following conditions are true:
      • The connection request is from a TSO-managed address space, including the call attachment facility, the TSO foreground, and the TSO background.
      • The TSO data set name prefix is equal to the primary ID or one of the secondary IDs.
    • In all other cases, the routine sets the SQL ID equal to the primary ID.
  • The secondary authorization IDs depend on RACF options:
    • If RACF is not active, no secondary IDs exist.
    • If RACF is active but its list of groups option is not active, one secondary ID exists (the default connected group name) if the attachment facility supplied the default connected group name.
    • If RACF is active and the list of groups option is active, the routine sets the list of Db2 secondary IDs to the list of group names to which the RACF user ID is connected. Those RACF user IDs that are in REVOKE status do not become Db2 secondary IDs. The maximum number of groups is 1012. The list of group names is obtained from RACF and includes the default connected group name.
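
The rules above can be modelled as a small decision procedure, which is useful when auditing which authorization IDs a connection will actually carry. The following is an added example, not IBM's sample routine or any Db2 code. The ConnectionRequest fields, the resolve_ids function and all sample values are hypothetical. It assumes that REVOKE status is represented as a flag on each entry of the group list and that the 1012 limit is applied by cutting the list off at that length.

```python
from dataclasses import dataclass, field

MAX_GROUPS = 1012  # maximum number of groups stated in the rules above

@dataclass
class ConnectionRequest:  # hypothetical model of a request, not a Db2 structure
    initial_primary_id: str = ""
    fallback_primary_id: str = ""  # default the routine supplies when initial ID is blank
    tso_managed: bool = False      # CAF, TSO foreground or TSO background
    tso_prefix: str = ""           # data set name prefix from the TSO user profile
    racf_active: bool = False
    list_of_groups_active: bool = False
    default_group: str = ""        # supplied by the attachment facility, may be blank
    connected_groups: list = field(default_factory=list)  # (group, revoked) pairs

def resolve_ids(req, unknown_authid):
    """Return (primary_id, sql_id, secondary_ids) following the rules above."""
    primary = req.initial_primary_id.strip() or req.fallback_primary_id.strip()
    if not primary:
        # No nonblank primary ID: installation default is used, no secondary IDs.
        return unknown_authid, unknown_authid, []
    if not req.racf_active:
        secondary = []
    elif not req.list_of_groups_active:
        # Only the default connected group, and only if it was supplied.
        secondary = [req.default_group] if req.default_group.strip() else []
    else:
        # Group list from RACF (already includes the default group), minus REVOKE.
        active = [g for g, revoked in req.connected_groups if not revoked]
        secondary = active[:MAX_GROUPS]
    sql_id = primary
    if req.tso_managed and req.tso_prefix in [primary, *secondary]:
        sql_id = req.tso_prefix
    return primary, sql_id, secondary

if __name__ == "__main__":
    # Constructed sample: TSO user whose prefix matches an active group.
    req = ConnectionRequest(initial_primary_id="USER01", tso_managed=True,
                            tso_prefix="PAYROLL", racf_active=True,
                            list_of_groups_active=True,
                            connected_groups=[("SYSGRP", False), ("PAYROLL", False),
                                              ("AUDIT", True)])
    print(resolve_ids(req, unknown_authid="DFLTID"))
```

The model makes one audit-relevant consequence visible: with the list of groups option active, privileges granted to any non-revoked RACF group name become available to every user connected to that group.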

If the default connection exit routine and the sample connection exit routine do not provide the flexibility and features that your subsystem requires, you can write your own exit routine.