DSNX238I SQLCODE -551 with AUTHEXIT_CHECK=DB2

Article ID: 140115


Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

The ZPARM setting AUTHEXIT_CHECK was changed from AUTHEXIT_CHECK=PRIMARY to AUTHEXIT_CHECK=DB2 in an environment where ACF2 for DB2 is used.

After the change, one OWNER ID receives an access error when running SQL from the web:

SQLCODE = -551, ERROR:  ownerid DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION EXECUTE PACKAGE ON OBJECT objectname

Checking the ACF2 for DB2 rules shows that the ID has all the access it needs to connect and execute the package. However, messages like the following were found in SYSLOG:

DSNX238I  -DB2T RACROUTE AUTH REQUEST FOR ownerid 497
FAILED FOR OPERATION EXECUTE PACKAGE ON objectname
SYSTEM AUTHORIZATION FACILITY RETURN CODE 00000008
SECURITY SERVER RETURN CODE 00000010
SECURITY SERVER REASON CODE 00000014
SECURITY SERVER AUTHORIZATION CHECK FAILED FOR DSNR CLASS RESOURCE resourcename

Why do these messages occur only for this one ID, while everything else works?

Resolution

When the AUTHEXIT_CHECK ZPARM is changed from PRIMARY to DB2, access checking for plans and packages changes: instead of the PRIMARY ID being passed in the ACEE for the access check, the plan/package OWNER ID is passed in the ACEE.

In addition, the GROUP name at logon matters:

  1. If the OWNER ID belongs to a GROUP different from the PRIMARY ID's GROUP, the access error occurs.
  2. If the OWNER ID belongs to the same GROUP as the PRIMARY ID, the access error does not occur.
  3. If the OWNER ID has no GROUP name specified, the access error does not occur.
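The following triage helper is an added example, not code from this article or from the ACF2 product: it parses DSNX238I messages in the layout quoted above out of SYSLOG text and applies the three GROUP rules to decide whether a failure is explained by the AUTHEXIT_CHECK=DB2 change. The sample SYSLOG text, the IDs, the group assignments and the primary ID passed in are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SYSLOG text in the DSNX238I layout quoted in the article;
# the subsystem, IDs, object and resource names are placeholders, not real values.
SAMPLE_SYSLOG = """\
DSNX238I  -DB2T RACROUTE AUTH REQUEST FOR OWNER1 497
FAILED FOR OPERATION EXECUTE PACKAGE ON COLL1.PKG1
SYSTEM AUTHORIZATION FACILITY RETURN CODE 00000008
SECURITY SERVER RETURN CODE 00000010
SECURITY SERVER REASON CODE 00000014
SECURITY SERVER AUTHORIZATION CHECK FAILED FOR DSNR CLASS RESOURCE DB2T.BATCH
"""

# One pattern over the whole multi-line message. The numeric token that follows
# the ID on the first line is matched but not interpreted.
DSNX238I_RE = re.compile(
    r"DSNX238I\s+-(?P<subsys>\S+) RACROUTE AUTH REQUEST FOR (?P<id>\S+) \S+\s*\n"
    r"FAILED FOR OPERATION (?P<operation>.+?) ON (?P<object>\S+)\s*\n"
    r"SYSTEM AUTHORIZATION FACILITY RETURN CODE (?P<saf_rc>\w+)\s*\n"
    r"SECURITY SERVER RETURN CODE (?P<ss_rc>\w+)\s*\n"
    r"SECURITY SERVER REASON CODE (?P<ss_rsn>\w+)\s*\n"
    r"SECURITY SERVER AUTHORIZATION CHECK FAILED FOR (?P<cls>\S+) CLASS RESOURCE (?P<resource>\S+)"
)


@dataclass
class AuthFailure:
    subsys: str
    checked_id: str   # with AUTHEXIT_CHECK=DB2 this is the plan/package OWNER ID
    operation: str
    object: str
    saf_rc: str
    resource: str


def parse_dsnx238i(syslog_text: str) -> list[AuthFailure]:
    """Extract every DSNX238I authorization failure found in SYSLOG text."""
    return [
        AuthFailure(m["subsys"], m["id"], m["operation"], m["object"], m["saf_rc"], m["resource"])
        for m in DSNX238I_RE.finditer(syslog_text)
    ]


def likely_group_mismatch(event: AuthFailure, primary_id: str, groups: dict[str, Optional[str]]) -> bool:
    """Article rule: the failure is explained by AUTHEXIT_CHECK=DB2 only when the
    checked OWNER ID has a logon GROUP and it differs from the PRIMARY ID's GROUP."""
    owner_group = groups.get(event.checked_id)
    if owner_group is None:                  # rule 3: no GROUP on the owner
        return False
    return owner_group != groups.get(primary_id)   # rules 1 and 2
```

A hit from `likely_group_mismatch` points at the OWNER ID's group assignment rather than at the ACF2 for DB2 rules, which the article notes already grant the needed access.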