You install the Group plug-in,
centrifydc_db2group, to retrieve the list of groups to which a user belongs for authorization. The group plug-in is called automatically after user authentication by DB2. The group info retrieved is used by DB2 to check a user’s access rights and determine whether the user has privilege to do specific tasks; for example, connect, query, perform database management, and so on.
The Group plug-in queries Active Directory first for the groups to which the user belongs, and then it looks in the local groups on the host. The two lists are then merged, with duplicates removed and returned to DB2.