Managing access to an extranet for an extended service provider (xSP) includes decentralizing the role of access management by using cached access control list (ACL) information, and synchronizing decentralized access management roles using an authentication and authorization (AA) server. Insufficiency of session management is overcome by adopting authentication/authorization based on a web browser cookie.