Making friends by publishing and sharing personal data in a special interest group has become popular in online social networks. Data security is a major concern, as digital content can be easily accessed from all over the Internet, and the online social network service provider is often for-profit and semi-trusted. The standard solution to data security is encryption, but sharing encrypted data then becomes a challenging task. In this paper, employing attribute-based encryption (ABE), we propose Masque+, a novel hierarchical and fine-grained access control mechanism. On the basis of key-policy ABE, the service provider manages users at the system level, but without being able to access their sensitive data. On the basis of ciphertext-policy ABE, members of an interest group may customize their own access policies. Masque+ features pragmatic functionalities such as user revocation at both the system level and the group level. We also build a prototype to validate the cryptographic algorithms involved in Masque+ and evaluate their performance. Real experimental data show that Masque+ incurs fairly reasonable costs even in cases where the access control policy is significantly complex. Copyright © 2013 John Wiley & Sons, Ltd.