Key management is performed to generate a single key allowing the
decoding of all authorized levels of a plurality of access types within a
scalable codestream. An access node set is derived from sets representing
access types having hierarchies representable by fully ordered sets, such
as resolution and layer levels, and hierarchies representable by
partially ordered sets, such as tile and precinct levels. The access node
set derived is a partially ordered set representing the combinations of
levels of the access types included within the codestream. A hierarchical
key management system is applied to the access node set to assign a key
to each of the access nodes, generate content encryption keys, and
encrypt the codestream. A client receiving the codestream, access node
set, and other public information uses the key to derive additional keys
to decrypt the codestream.