This paper addresses the problem of key assignment for controlling access of encrypted data in access hierarchies. We propose a hierarchical key assignment (HKA) scheme RW-HKA that supports dynamic reading and writing privilege enforcement simultaneously. It not only provides typical confidentiality guarantee in data encryption, but also allows users to verify the integrity of encrypted data. It can be applied to cloud-based systems for providing flexible access control on encrypted data in the clouds. For security, we define the extended key indistinguishable (EKI) security for RW-HKA schemes. An EKI-secure RW-HKA scheme is resistant to collusion such that no subset of users can conspire to distinguish a data decryption key, that is not legally accessible, from random strings. In this paper, we provide a generic construction of EKI-secure RW-HKA schemes based on sID-CPA secure identity-based broadcast encryption (IBBE) and strong one-time signature schemes. Furthermore, we provide a new IBBE scheme that is suitable in constructing an efficient RW-HKA scheme with a constant number of user private keys, constant size of encrypted data, and constant computation cost of a user in deriving a key for decryption. It is the first HKA scheme that achieves the aforementioned performance while supporting dynamic reading and writing privilege enforcement simultaneously.