AUTH EXIT CHECK (AUTHEXIT_CHECK subsystem parameter)

The AUTHEXIT_CHECK subsystem parameter specifies whether the owner or the primary authorization ID is used for authorization checks when the access control authorization exit (DSNX@XAC) is active.

Acceptable values: PRIMARY, DB2
Default: PRIMARY
Update: No
DSNZPxxx: DSN6SPRM.AUTHEXIT_CHECK
Data sharing scope: Group
Security parameter: Security-related
PRIMARY
Specifies that Db2 provides the ACEE of the primary authorization ID to perform all authorization checks. The primary authorization ID must be permitted access to the resources in RACF®. This is the default value for the field.
DB2
Specifies that Db2 provides the ACEE of the package or plan owner to perform authorization checking when processing the autobind, BIND and REBIND commands and, if needed, during the execution of the package or plan. Start of changeDb2 also provides the ACEE of the authorization ID, as determined by the DYNAMICRULES option with bind behavior, to perform dynamic SQL authorization checking at run time. The access control authorization exit uses the ACEE for XAPLUCHK for authorization checking. The XAPLUCHK authorization ID can be a user or a group in RACF. End of change
To ensure successful authorization checks with the owner ACEE, the owner authorization ID in XAPLUCHK must be permitted access to the resources in RACF. If the owner is a group in RACF, you need to permit the group access to the resource associated with the connection in the RACF DSNR class. You can issue the PERMIT command to grant a group access to subsystem.BATCH in the DSNR class, as follows:
PERMIT DSN.BATCH CLASS(DSNR) ID(DB2GRP) ACCESS(READ)