An extended authorization system and method implementing a second layer of access authorization. The first layer of access authorization corresponds to conventional access authorization processing such as, for example, validating an entered user identifier and password. The second layer of access authorization determines if the user has a valid contractual or other business relationship with an information system provider. The status and type of contractual or other business relationship may determine user access privileges which allow the user to access services provided by an information system. When a user has a valid contractual or other business relationship with an information system provider, first layer authorization login data such as, for example, a user identifier and password may be generated for the user.