The predominant strategy in restricting permissions in information systems is to limit users on the basis of the ‘need-to-know’ principle. Although appropriate in highly security-sensitive contexts, this culture of protection will, in other contexts, often reduce users' productivity and is seen as a hassle because the everyday exceptions to the routine tasks can be severely hindered. This paper proposes a more flexible authorization model, policy override, which allows end users to override authorization in a controlled manner. In this article, I describe the authorization model and its implementation in a medium enterprise's business application. I evaluated policy override use over a period of 1 year through quantitative and qualitative analysis to identify challenges and offer advice on the implementation of policy override in practice. One important challenge is the setting of adequate bounds for policy override. To overcome this obstacle, I propose and evaluate a qualitative risk-based calculus that offers decision support to balance additional risks of policy override with the benefits of more flexible authorization. Copyright © 2012 John Wiley & Sons, Ltd.