Typically one would use SYSIBM.USERNAMES to translate the inbound userid to the desired userid (STCOPCA in this case). RACF (ACF/2 TSS) surrogate processing wouldn't be involved.
You need to be careful about passwords - so they are not sent in the clear. If you do need to supply a mainframe password (which you obviously cannot do with a protected userid), you'll probably want to use DSNLEUSR.
An alternative, which I am merely mentioning - not recommending (because I've never done this), would be to modify the connection exit so that when user FRED connects, the primary auth-id and secondary auth-ids are replaced by STCOPCA's. (I do know of sites that replace the primary auth-id based on connected RACF groups - something like that perhaps.)
Finally, you could raise an Aha! to suggest that Db2 handles this.
https://www.ibm.com/support/pages/how-submit-request-enhancement James Campbell
------------------------------
James Campbell
------------------------------
Original Message:
Sent: Oct 18, 2022 06:33 AM
From: JOSE ANGEL SANTAMARIA
Subject: DB2 AND RACF PROTECTED USERID FAILURE
By using a PROTECTED userid to connect to run a SQL command we are receiving the following:
How must we proceed to fix the issue?
------------------------------
JOSE ANGELSANTAMARIAarcelormittal
------------------------------