Modern business IT applications pose, due to their complexity and their integration into various business processes, several formerly unknown issues and problems. In particular, the need to ensure that the new business processes are in line with implemented software functions, arises. Appropriately defined controls need to be in place in order to protect against unauthorized modification or usage of both, critical data and sensitive programs. This paper outlines, how a tailored authorization concept can provide support in reaching these targets. It relates to the standard ERP application SAP R/3. A framework which allows for the definition of detailed access controls within R/3 is described. In general, this paper focuses on a 10-step methodology to define and implement an authorization concept which is based on a workplace-approach to meet current security, business and legal requirements.