In a user hierarchy we say that a security class is subordinate to another security class if the former has a lower security privilege than the latter. To implement such a hierarchical structure, it is often desirable to allow the user of each security class to derive the keys of its subordinating classes. This problem has been extensively studied but the existing solutions have various drawbacks. In this paper, we present a practical solution to this problem, which is an efficient key management scheme that needs only a reasonable amount of extra storage. It is secure because illegal key derivations are prevented, and key replacements do not reveal information about the relationship between the old key and the new key. It is also very flexible in that it supports convenient topological changes and membership updates. Furthermore, it provides a solution to the exmember problem, that has been ignored in many existing research works.