Providing authorization IDs to Db2 for a CICS region

CICS® provides a primary authorization ID and one or more secondary authorization IDs to Db2®.

About this task

When the CICS Db2 attachment facility creates the overall connection between a CICS region and Db2, the connection goes through Db2 connection processing. During this processing, the CICS region can provide:
  • A primary authorization ID. The primary authorization ID becomes the CICS region's primary ID in Db2. For the connection between a CICS region and Db2, you cannot choose the primary authorization ID that is initially passed to Db2 connection processing; it is always the user ID for the CICS region. However, you can change the primary ID that Db2 sets during connection processing by writing your own connection exit routine. If RACF®, or an equivalent external security manager, is active, the user ID for the CICS region must be defined to it. The topic "Providing a primary authorization ID for a CICS region" describes the possible primary authorization IDs for a CICS region.
  • One or more secondary authorization IDs. You can use the name of a RACF group, or a list of groups, as secondary authorization IDs for the CICS region. If you do this, you must replace the default Db2 connection exit routine DSN3@ATH, which passes only primary authorization IDs to Db2. The sample Db2 connection exit routine DSN3SATH passes the names of RACF groups to Db2 as secondary authorization IDs. Alternatively, you can write your own connection exit routine that sets secondary IDs for the CICS region. The topic "Providing secondary authorization IDs for a CICS region" describes how to set up secondary authorization IDs for a CICS region.