Background
OpenRegister's rbac-scopes change (decision 2026-05-02) lands custom action verbs declared via configuration.actions: [{name, description?}]. To let consuming apps contribute verdicts for their own action verbs without forking the permission handler, OpenRegister will dispatch a CustomScopeEvaluatingEvent (and a paired CustomScopeEvaluatedEvent) during permission evaluation. The first listener to return a non-null verdict wins; the static rule chain decides otherwise.
What needs to change in procest
The ZGW autorisaties code in this repository currently calls into OpenRegister's permission machinery directly (or duplicates the dispatch). Once OpenRegister ships the custom-scope event hook, procest's ZGW code MUST be refactored to:
- Register an event listener that subscribes to CustomScopeEvaluatingEvent
- Translate the event's (register, schema, action, user, object?) payload into the ZGW autorisatie lookup
- Return a non-null verdict (allow / deny / abstain) when the action belongs to the ZGW vocabulary; return null otherwise so the static rule chain can take over
- Remove any direct calls into OpenRegister's PermissionHandler for ZGW-specific verbs — they belong inside the listener now
- Add unit tests for the listener using the standard IEventDispatcher mock pattern already in use across procest
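One way the listener and the first-non-null-wins dispatch could fit together, added here as an example and not taken from procest or OpenRegister. The event class is a stand-in (OpenRegister's real class and accessors are not shown on this page); the `verdict` property, the autorisaties array shape, the `zaaktype` key, the register/schema names and the deny-on-no-match choice are all assumptions.

```php
<?php
declare(strict_types=1);
// Stand-in for OpenRegister's event: the real class and its accessors are assumptions here.
final class CustomScopeEvaluatingEvent
{
    public ?string $verdict = null; // null = no listener has given a verdict yet
    public function __construct(
        public readonly string $register, public readonly string $schema,
        public readonly string $action,
        public readonly string $user,
        public readonly ?array $object = null,
    ) {}
}

final class ZgwAutorisatieListener
{
    private const ZGW_VERBS = ['besluit_nemen', 'dossier_archiveren', 'behandelaar_toewijzen'];
    /** @param array<string, array<string, string[]>> $autorisaties user => zaaktype => verbs (constructed) */
    public function __construct(private readonly array $autorisaties) {}
    public function handle(CustomScopeEvaluatingEvent $event): void
    {
        if (!in_array($event->action, self::ZGW_VERBS, true)) {
            return; // outside the ZGW vocabulary: stay null so the static rule chain decides
        }
        // Assumption: a ZGW verb with no matching autorisatie is an explicit deny.
        $zaaktype = $event->object['zaaktype'] ?? '';
        $granted = $this->autorisaties[$event->user][$zaaktype] ?? [];
        $event->verdict = in_array($event->action, $granted, true) ? 'allow' : 'deny';
    }
}

// Model of the dispatch described above: first non-null verdict wins, else the static chain.
function evaluate(array $listeners, CustomScopeEvaluatingEvent $event, callable $staticChain): string
{
    foreach ($listeners as $listener) {
        $listener->handle($event);
        if ($event->verdict !== null) {
            return $event->verdict;
        }
    }
    return $staticChain($event);
}

// Constructed sample data: alice holds besluit_nemen on zaaktype-a, bob holds nothing.
$zgw = new ZgwAutorisatieListener(['alice' => ['zaaktype-a' => ['besluit_nemen']]]);
$static = fn (CustomScopeEvaluatingEvent $e): string => $e->action === 'read' ? 'allow' : 'deny';
foreach ([['besluit_nemen', 'alice'], ['besluit_nemen', 'bob'], ['read', 'bob']] as [$action, $user]) {
    $event = new CustomScopeEvaluatingEvent('zaken', 'zaak', $action, $user, ['zaaktype' => 'zaaktype-a']);
    printf("%s/%s => %s\n", $user, $action, evaluate([$zgw], $event, $static));
}
```

The third case is the one to cover in the unit tests: a core verb must leave the verdict null so the ZGW listener never overrides the static rule chain.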
Why
- One write path / one validation surface (per the OpenRegister long-term-app principle).
- ZGW is the canonical example of a domain whose action vocabulary doesn't fit OpenRegister's five core verbs (read, create, update, delete, list) — verbs like besluit_nemen, dossier_archiveren, behandelaar_toewijzen belong here as custom action verbs.
- Without the refactor, ZGW autorisaties stay duplicated against OpenRegister's group-based RBAC and drift over time.
References
- OpenRegister change: openregister/openspec/changes/rbac-scopes/tasks.md (Custom Scope Definitions decision 2026-05-02)
- Auth ownership: openregister/openspec/specs/auth-system/spec.md (token boundary lives in auth-system)
- Cross-referenced spec: openregister/openspec/specs/rbac-scopes/spec.md