SAF based security examples to permit the .AUTH command under ACF2, RACF and Top Secret

Article ID: 21845


Products

Database Management for DB2 for z/OS - Administration Suite
Database Management for DB2 for z/OS - Performance Suite
Database Management for DB2 for z/OS - Recovery Suite
Database Management for DB2 for z/OS - SQL Performance Suite
Database Management for DB2 for z/OS - Utilities Suite
DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS

Issue/Introduction

The Batch Processor EXIT01 (the .AUTH command) uses IBM System Authorization Facility (SAF) based security administration for authorization.
SAF provides an interface that can direct control to any of the external security products (ACF2, Top Secret, and IBM RACF).
In Database Management for Db2 for z/OS tools r20, the exits are in CDBASAMP and are named BPAEXIT1, BPAEXIT2, etc.

When a connection request is received, DB2 obtains the initial primary authorization ID, and the external security product is called through SAF to verify that the ID is authorized to use the defined DB2 resource class, subsystem, and connection type.

Resolution

Following are examples of statements in ACF2, RACF and Top Secret to define the CADB2 resource class and permit .AUTH usage.

Instructions:

Note: These are SAMPLES of security statements to assist in the SAF security setup to allow the .AUTH command.
Please consult with your security administrator for details specific to your site.

RACF:
====

  • DEFINE the CADB2 resource class

    RDEFINE CDT CADB2 -
    CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(246) -
    OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
    POSIT(20) OPER(NO) RACLIST(REQUIRED))
    SETROPTS RACLIST(CDT) REFRESH

  • DEFINE the entity

    RDEF CADB2 CONNECT.AUTH.userxxxx UACC(NONE) OWNER(SECURITY)
    RALT CADB2 CONNECT.AUTH.userxxxx AUDIT(FAILURES(READ))
    SETROPTS RACLIST(CDT) REFRESH
    SETROPTS CLASSACT(CADB2) RACLIST(CADB2)
    SETROPTS RACLIST(CADB2) GENERIC(SERVER) REFRESH

  • PERMIT the user

    PE CONNECT.AUTH.user2 CLASS(CADB2) ID(userxxxx) ACCESS(READ)
    (userxxxx is permitted to switch to user2 only)

    PE CONNECT.AUTH.* CLASS(CADB2) ID(userxxxx) ACCESS(READ)
    (userxxxx is permitted to switch to any ID)

    SETROPTS RACLIST(CADB2) GENERIC(SERVER) REFRESH

    userxxxx = the user ID being permitted
    user2    = example ID to be switched to
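The difference between the two PERMIT statements above (switch to user2 only versus switch to any ID) comes down to which CADB2 profile RACF selects for the resource CONNECT.AUTH.<target id> and what access the requester holds on it. The following Python model is an added illustration for this article, not IBM, Broadcom or RACF code: it assumes a simplified form of RACF generic matching (`*` and `%` inside a qualifier, a trailing `**` for further qualifiers), assumes that a discrete profile always takes precedence over a generic one, and uses constructed requester IDs USERAAAA and USERBBBB. The AUDIT(FAILURES(READ)) setting from the RALT command is modelled as "refused attempts at READ or above are logged".

```python
"""Model how RACF resolves an .AUTH switch request against CADB2 profiles.

Added example for the RACF section of this article; not IBM or Broadcom code.
Assumptions: simplified generic matching (* and % within a qualifier, trailing
**), discrete profiles beat generic ones, and all user IDs are constructed.
"""

import re
from dataclasses import dataclass, field

# RACF access levels in increasing order; the .AUTH exit asks for READ.
ACCESS_LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    name: str                                    # profile name in class CADB2
    uacc: str = "NONE"                           # access for users without a PERMIT
    permits: dict = field(default_factory=dict)  # user ID -> access (the PE commands)
    audit_failures: str = "READ"                 # AUDIT(FAILURES(level)); None = no logging


def profile_regex(name: str) -> re.Pattern:
    """Translate a (simplified) RACF generic profile name into a regex."""
    quals = name.upper().split(".")
    tail = ""
    if quals[-1] == "**":                        # trailing ** : zero or more further qualifiers
        quals = quals[:-1]
        tail = r"(?:\.[^.]+)*"
    parts = []
    for qual in quals:
        parts.append("".join(
            "[^.]*" if ch == "*" else            # * : any characters within this qualifier
            "[^.]" if ch == "%" else             # % : exactly one character
            re.escape(ch) for ch in qual))
    return re.compile("^" + r"\.".join(parts) + tail + "$")


def is_discrete(name: str) -> bool:
    return not any(ch in name for ch in "*%")


def specificity(name: str):
    # Discrete profiles win; among generics, more literal characters = more specific.
    return (is_discrete(name), sum(ch not in "*%" for ch in name))


def best_profile(profiles, resource):
    """Return the most specific profile covering the resource, or None."""
    matches = [p for p in profiles if profile_regex(p.name).match(resource.upper())]
    return max(matches, key=lambda p: specificity(p.name), default=None)


def check_switch(profiles, requester, target):
    """Return (decision, profile used, access held, audited) for requester -> target."""
    resource = f"CONNECT.AUTH.{target.upper()}"
    prof = best_profile(profiles, resource)
    if prof is None:
        # With no covering profile SAF reports "resource not protected" rather than
        # a failure; the calling exit has to treat that as a denial (fail closed).
        return ("NOPROFILE", None, None, False)
    access = prof.permits.get(requester.upper(), prof.uacc)
    allowed = ACCESS_LEVEL[access] >= ACCESS_LEVEL["READ"]
    audited = (not allowed and prof.audit_failures is not None
               and ACCESS_LEVEL["READ"] >= ACCESS_LEVEL[prof.audit_failures])
    return ("ALLOW" if allowed else "FAIL", prof.name, access, audited)


# Constructed sample: the article's two PERMIT statements with made-up requester IDs.
SAMPLE_PROFILES = [
    Profile("CONNECT.AUTH.USER2", permits={"USERAAAA": "READ"}),   # switch to USER2 only
    Profile("CONNECT.AUTH.*", permits={"USERBBBB": "READ"}),       # switch to any ID
]

if __name__ == "__main__":
    for who, to in [("USERAAAA", "USER2"), ("USERAAAA", "USER3"),
                    ("USERBBBB", "USER3"), ("USERBBBB", "USER2")]:
        print(who, "->", to, check_switch(SAMPLE_PROFILES, who, to))
```

The last case is the one worth noticing when reviewing a site's permits: because the discrete profile CONNECT.AUTH.USER2 is more specific than CONNECT.AUTH.*, a user permitted only on the generic profile is refused a switch to USER2, and that refusal is what AUDIT(FAILURES(READ)) writes to the audit trail.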


Top Secret:
========

  • Add the resource class to the security file:

    TSS ADD(RDT) RESCLASS(CADB2) MAXLEN(256) -
    ATTR(LONG,DEFPROT,GENERIC,MASK) -
    ACLST(READ)

  • Define the CADB2 resource (the owningacid can be a department or group):

    TSS ADD(owningacid) CADB2(CONNECT)

  • Grant access to the newly defined resource:

    TSS PERMIT(userxxxx) CADB2(CONNECT.AUTH.user2) ACCESS(READ)

    userxxxx = the user ID being permitted
    user2    = example ID to be switched to


ACF2:
======

  • The CLASMAP for the CADB2 resource class is predefined as RSRCTYPE(CDB) RESOURCE(CADB2) ENTITYLN(256).
    If a local modification to a different resource type is required, issue the following ACF2 commands
    (xxx = the site's resource type):

    SET CONTROL(GSO)
    INSERT CLASMAP.CADB2 ENTITYLN(256) RESOURCE(CADB2) RSRCTYPE(xxx)

  • Grant access to the logon ID userxxxx using the following TSO ACF commands:

    SET RESOURCE(CDB)
    RECKEY CONNECT ADD(AUTH.user2 UID(UID string for userxxxx) -
    SERVICE(READ) ALLOW)

    userxxxx = the user ID being permitted; the UID string in the rule entry selects this logon ID
    user2    = example ID to be switched to

Additional Information

Please review the documentation: Sample Security Exits