Assuming that the user fails the RACF check and does not get to DB2, then this scenario is just some cleanup.
Carefully consider revoking a user’s DB2 authorizations just because they are expired in RACF. Expired in RACF simply means they have not logged on in a while. Maybe they only log on once per year, and when they do, they will want their old auths back.
Keeping DB2 auths tidy is a pain. The RACF folks need to keep the DBA folks in the loop on who they are removing from RACF.
Consider using secondary authids (RACF groups) rather than granting DB2 auths to USERIDs. It helps keep things easier to manage (IMO).
Hope this helps.