diff --git a/Makefile.am b/Makefile.am
@@ -114,6 +114,8 @@ lib_libcommon_a_SOURCES = \
     lib/tpm2_errata.c \
     lib/tpm2_errata.h \
     lib/tpm2_header.h \
+    lib/tpm2_hierarchy.c \
+    lib/tpm2_hierarchy.h \
     lib/tpm2_nv_util.h \
     lib/tpm2_openssl.c \
     lib/tpm2_openssl.h \
@@ -203,7 +205,8 @@ check_PROGRAMS = \
     test/unit/test_tpm2_password_util \
     test/unit/test_tpm2_errata \
     test/unit/test_tpm2_session \
-    test/unit/test_tpm2_policy
+    test/unit/test_tpm2_policy \
+    test/unit/test_tpm2_hierarchy
 
 test_unit_tpm2_rc_decode_unit_CFLAGS  = $(AM_CFLAGS) $(CMOCKA_CFLAGS)
 test_unit_tpm2_rc_decode_unit_LDADD   = $(CMOCKA_LIBS) $(LIB_COMMON)
@@ -263,6 +266,10 @@ test_unit_test_tpm2_policy_LDFLAGS  = -Wl,--wrap=Tss2_Sys_StartAuthSession \
 test_unit_test_tpm2_policy_LDADD    = $(CMOCKA_LIBS) $(LIB_COMMON) $(LDADD)
 test_unit_test_tpm2_policy_SOURCES  = test/unit/test_tpm2_policy.c
 
+test_unit_test_tpm2_hierarchy_CFLAGS   = $(AM_CFLAGS) $(CMOCKA_CFLAGS)
+test_unit_test_tpm2_hierarchy_LDADD    = $(CMOCKA_LIBS) $(LIB_COMMON)
+test_unit_test_tpm2_hierarchy_SOURCES  = test/unit/test_tpm2_hierarchy.c
+
 endif
 
 EXTRA_DIST = $(top_srcdir)/man \

diff --git a/lib/tpm2_hierarchy.c b/lib/tpm2_hierarchy.c
@@ -0,0 +1,112 @@
+//**********************************************************************;
+// Copyright (c) 2018, Intel Corporation
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice,
+// this list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// 3. Neither the name of Intel Corporation nor the names of its contributors
+// may be used to endorse or promote products derived from this software without
+// specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+// THE POSSIBILITY OF SUCH DAMAGE.
+//**********************************************************************;
+
+#include <stdbool.h>
+
+#include <sapi/tpm20.h>
+
+#include "log.h"
+#include "tpm2_hierarchy.h"
+#include "tpm2_util.h"
+
+/**
+ * Parses a hierarchy value from an option argument.
+ * @param value
+ *  The string to parse, which can be a numerical string as
+ *  understood by strtoul() with a base of 0, or an:
+ *    - o - Owner hierarchy
+ *    - p - Platform hierarchy
+ *    - e - Endorsement hierarchy
+ *    - n - Null hierarchy
+ * @param hierarchy
+ *  The parsed hierarchy as output.
+ * @param flags
+ *  What hierarchies should be supported by
+ *  the parsing.
+ * @return
+ *  True on success, False otherwise.
+ */
+bool tpm2_hierarchy_from_optarg(const char *value,
+        TPMI_RH_PROVISION *hierarchy, tpm2_hierarchy_flags flags) {
+
+    if (!value) {
+        return false;
+    }
+
+    bool is_o = !strcmp(value, "o");
+    if (is_o) {
+        if (!(flags & TPM2_HIERARCHY_FLAGS_O)) {
+            LOG_ERR("Owner hierarchy not supported by this command.");
+            return false;
+        }
+        *hierarchy = TPM2_RH_OWNER;
+        return true;
+    }
+
+    bool is_p = !strcmp(value, "p");
+    if (is_p) {
+        if (!(flags & TPM2_HIERARCHY_FLAGS_P)) {
+            LOG_ERR("Platform hierarchy not supported by this command.");
+            return false;
+        }
+        *hierarchy = TPM2_RH_PLATFORM;
+        return true;
+    }
+
+    bool is_e = !strcmp(value, "e");
+    if (is_e) {
+        if (!(flags & TPM2_HIERARCHY_FLAGS_E)) {
+            LOG_ERR("Endorsement hierarchy not supported by this command.");
+            return false;
+        }
+        *hierarchy = TPM2_RH_ENDORSEMENT;
+        return true;
+    }
+
+    bool is_n = !strcmp(value, "n");
+    if (is_n) {
+        if (!(flags & TPM2_HIERARCHY_FLAGS_N)) {
+            LOG_ERR("NULL hierarchy not supported by this command.");
+            return false;
+        }
+        *hierarchy = TPM2_RH_NULL;
+        return true;
+    }
+
+    bool result = tpm2_util_string_to_uint32(value, hierarchy);
+    if (!result) {
+        LOG_ERR("Incorrect hierarchy value, got: \"%s\", expected [o|p|e|n]"
+                "or a number",
+            value);
+    }
+
+    return result;
+}
diff --git a/lib/tpm2_hierarchy.h b/lib/tpm2_hierarchy.h
@@ -0,0 +1,53 @@
+//**********************************************************************;
+// Copyright (c) 2018, Intel Corporation
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice,
+// this list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// 3. Neither the name of Intel Corporation nor the names of its contributors
+// may be used to endorse or promote products derived from this software without
+// specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+// THE POSSIBILITY OF SUCH DAMAGE.
+//**********************************************************************;
+
+#ifndef TOOLS_TPM2_HIERARCHY_H_
+#define TOOLS_TPM2_HIERARCHY_H_
+
+#include <stdbool.h>
+
+#include <sapi/tpm20.h>
+
+typedef enum tpm2_hierarchy_flags tpm2_hierarchy_flags;
+
+enum tpm2_hierarchy_flags {
+    TPM2_HIERARCHY_FLAGS_NONE = 0,
+    TPM2_HIERARCHY_FLAGS_O    = 1 << 0,
+    TPM2_HIERARCHY_FLAGS_P    = 1 << 1,
+    TPM2_HIERARCHY_FLAGS_E    = 1 << 2,
+    TPM2_HIERARCHY_FLAGS_N    = 1 << 3,
+    TPM2_HIERARCHY_FLAGS_ALL  = 0x0F
+};
+
+bool tpm2_hierarchy_from_optarg(const char *value,
+        TPMI_RH_PROVISION *hierarchy, tpm2_hierarchy_flags flags);
+
+#endif /* TOOLS_TPM2_HIERARCHY_H_ */
diff --git a/man/tpm2_createprimary.1.md b/man/tpm2_createprimary.1.md
@@ -27,6 +27,7 @@ will create and load a Primary Object. The sensitive area is not returned.
       * **p** for **TPM_RH_PLATFORM**
       * **e** for **TPM_RH_ENDORSEMENT**
       * **n** for **TPM_RH_NULL**
+      * **`<num>`** where a raw number can be used.
 
   * **-P**, **--pwdp**=_PARENT\_KEY\_PASSWORD_:
     Optional authorization string if authorization is required to create object under the specified hierarchy.

diff --git a/man/tpm2_evictcontrol.1.md b/man/tpm2_evictcontrol.1.md
@@ -18,9 +18,11 @@ be evicted.
 # OPTIONS
 
   * **-A**, **--auth**=_AUTH_:
-    The authorization used to authorize the commands. Valid choices are:
-    *  **o** for **TPM_RH_OWNER**
-    *  **p** for **TPM_RH_PLATFORM**
+    The authorization used to authorize the commands.
+    Supported options are:
+      * **o** for **TPM_RH_OWNER**
+      * **p** for **TPM_RH_PLATFORM**
+      * **`<num>`** where a raw number can be used.
 
   * **-H**, **--handle**=_HANDLE_:
     The handle of a loaded transient or a persistent object.

diff --git a/man/tpm2_nvdefine.1.md b/man/tpm2_nvdefine.1.md
@@ -19,10 +19,12 @@
   * **-x**, **--index**=_NV\_INDEX_:
     Specifies the index to define the space at.
 
-  * **-a**, **--auth-handle**=_SECRET\_DATA\_FILE_:
-    specifies the handle used to authorize:
-    * **0x40000001** for **TPM_RH_OWNER**
-    * **0x4000000C** for **TPM_RH_PLATFORM**
+  * **-a**, **--auth-handle**=_AUTH_:
+    specifies the handle used to authorize.
+    Supported options are:
+      * **o** for **TPM_RH_OWNER**
+      * **p** for **TPM_RH_PLATFORM**
+      * **`<num>`** where a raw number can be used.
 
   * **-s**, **--size**=_SIZE_:
     specifies the size of data area in bytes. Defaults to MAX_NV_INDEX_SIZE

diff --git a/man/tpm2_nvread.1.md b/man/tpm2_nvread.1.md
@@ -19,10 +19,12 @@
   * **-x**, **--index**=_NV\_INDEX_:
     Specifies the index to define the space at.
 
-  * **-a**, **--auth-handle**=_SECRET\_DATA\_FILE_:
-    specifies the handle used to authorize:
-    * **0x40000001** for **TPM_RH_OWNER**
-    * **0x4000000C** for **TPM_RH_PLATFORM**
+  * **-a**, **--auth-handle**=_AUTH_:
+    specifies the handle used to authorize.
+    Supported options are:
+      * **o** for **TPM_RH_OWNER**
+      * **p** for **TPM_RH_PLATFORM**
+      * **`<num>`** where a raw number can be used.
 
   * **-f**, **--out-file**=_FILE_:
     file to write data

diff --git a/man/tpm2_nvrelease.1.md b/man/tpm2_nvrelease.1.md
@@ -20,10 +20,12 @@ defined with tpm2_nvdefine(1).
   * **-x**, **--index**=_NV\_INDEX_:
     Specifies the index to release.
 
-  * **-a**, **--auth-handle**=_SECRET\_DATA\_FILE_:
-    specifies the handle used to authorize:
-    * **0x40000001** for **TPM_RH_OWNER**
-    * **0x4000000C** for **TPM_RH_PLATFORM**
+  * **-a**, **--auth-handle**=_AUTH_:
+    specifies the handle used to authorize.
+    Supported options are:
+      * **o** for **TPM_RH_OWNER**
+      * **p** for **TPM_RH_PLATFORM**
+      * **`<num>`** where a raw number can be used.
 
   * **-s**, **--size**=_SIZE_:
     specifies the size of data area in bytes.

diff --git a/man/tpm2_nvwrite.1.md b/man/tpm2_nvwrite.1.md
@@ -23,10 +23,12 @@ If _FILE_ is not specified, it defaults to stdin.
   * **-o**, **--offset**=_OFFSET_:
     The offset within the NV index to start writing at.
 
-  * **-a**, **--auth-handle**=_SECRET\_DATA\_FILE_:
-    specifies the handle used to authorize:
-    * **0x40000001** for **TPM_RH_OWNER**
-    * **0x4000000C** for **TPM_RH_PLATFORM**
+  * **-a**, **--auth-handle**=_AUTH_:
+    specifies the handle used to authorize.
+    Supported options are:
+      * **o** for **TPM_RH_OWNER**
+      * **p** for **TPM_RH_PLATFORM**
+      * **`<num>`** where a raw number can be used.
 
   * **-P**, **--handle-passwd**=_HANDLE\_PASSWORD_:
     specifies the password of authHandle. Passwords should follow the