Let's take an example to illustrate how it works:
Suppose a user called MYUSER wants to connect to DB2 to access a DB2 resource.
He must first be signed on to a third address space, e.g. TSO, CICS, IMS or another.
This user is known as the Primary AuthID for DB2, because he initiates the connection to the DB2 subsystem.
A security check is therefore done against him for the resource DB2(DSNR.whatever); if it passes, the connection to the DB2 subsystem is allowed.
He then tries to access a DB2 resource. If he is not allowed to access this resource himself but has an IBMGROUP that is allowed to access it, the access is allowed.
This IBMGROUP is known as a Secondary AuthID for DB2.
This IBMGROUP does not need to be permitted to DB2(DSNR.whatever); that check is made against the primary ID only.
Note: With TSS for DB2 the IBMGROUPs are signed on.
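
The two checks described above can be modelled in a few lines. This is an added example, not TSS or DB2 code: the names PAYGRP, OTHERUSR, DSNGRP and TABLE.PAYROLL, the permit tables, and the primary-then-secondary lookup order are assumptions made for illustration.

```python
# Simplified model of the two checks described above; not TSS or DB2 code.
# PAYGRP, OTHERUSR, DSNGRP and TABLE.PAYROLL are constructed sample names.
DSNR = "DB2(DSNR.whatever)"

# Resources each ID (user or IBMGROUP) is permitted to (constructed data).
PERMITS = {
    "MYUSER": {DSNR},
    "PAYGRP": {"TABLE.PAYROLL"},          # no DSNR permit on the group
    "DSNGRP": {DSNR, "TABLE.PAYROLL"},    # group holds the DSNR permit
}
# IBMGROUPs attached to each user (constructed data).
IBMGROUPS = {"MYUSER": ["PAYGRP"], "OTHERUSR": ["DSNGRP"]}


def permitted(authid, resource):
    """True if this single ID holds a permit for the resource."""
    return resource in PERMITS.get(authid, set())


def connect(user):
    """Connection check: only the primary AuthID is tested against DSNR.

    Returns [primary, secondary, ...] on success, None if refused.
    """
    if not permitted(user, DSNR):
        return None
    return [user] + IBMGROUPS.get(user, [])


def access(authids, resource):
    """Resource check: primary AuthID first, then each secondary AuthID.

    Returns the AuthID that granted access, or None if none did.
    """
    for authid in authids or []:
        if permitted(authid, resource):
            return authid
    return None


if __name__ == "__main__":
    ids = connect("MYUSER")
    print("MYUSER connects as", ids)
    print("TABLE.PAYROLL granted by", access(ids, "TABLE.PAYROLL"))
    print("OTHERUSR connects as", connect("OTHERUSR"))
```

MYUSER reaches TABLE.PAYROLL through PAYGRP even though PAYGRP has no DSNR permit, while OTHERUSR is refused at connection time even though its group DSNGRP holds one.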