diff --git a/radicale/rights.py b/radicale/rights.py
index 8241c405..d8e3228a 100644
--- a/radicale/rights.py
+++ b/radicale/rights.py
@@ -21,6 +21,18 @@
 """
 Rights management.
 
+Rights are based on a regex-based file whose name is specified in the config
+(section "right", key "file").
+
+Authentication login is matched against the "user" key, and collection's path
+is matched against the "collection" key. You can use Python's ConfigParser
+interpolation values %(login)s and %(path)s. You can also get groups from the
+user regex in the collection with {0}, {1}, etc.
+
+Section names are only used for naming the rule.
+
+Leading or ending slashes are trimmed from collection's path.
+
 """
 
 import re
diff --git a/rights b/rights
new file mode 100644
index 00000000..4473853c
--- /dev/null
+++ b/rights
@@ -0,0 +1,38 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Rights management file for Radicale - A simple calendar server
+#
+# Default path for this kind of files is ~/.config/radicale/rights
+
+# This means all users starting with "admin" may read any collection
+[admin]
+user: ^admin.*\|.+?$
+collection: .*
+permission: r
+
+# This means all users may read and write any collection starting with public.
+# We do so by just not testing against the user string.
+[public]
+user: .*
+collection: ^public(/.+)?$
+permission: rw
+
+# A little more complex: give read access to users from a domain for all
+# collections of all the users (ie. user@domain.tld can read domain/*).
+[domain-wide-access]
+user: ^.+@(.+)\..+$
+collection: ^{0}/.+$
+permission: r
+
+# Allow authenticated user to read all collections
+[allow-everyone-read]
+user: .*
+collection: .*
+permission: r
+
+# Give write access to owners
+[owner-write]
+user: .*
+collection: ^%(login)s/.+$
+permission: w
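Review bot: The new module docstring leaves out the two facts an operator of an authorization file needs most: whether rules are evaluated in file order with the first match winning or whether permissions from several matching sections accumulate, and what the outcome is when no section matches the login/collection pair (the rights file hunk below relies on ordering between `[allow-everyone-read]` and `[owner-write]`, so the answer is not obvious). Adding a sentence such as `Rules are tested in file order; the first section whose "user" and "collection" both match decides, and a request matching no section is denied.` — adjusted to whatever rights.py actually does, since that logic is outside this hunk — would make the file self-describing. The docstring also names the config section "right"; if the section is actually `rights`, as the module name and the `~/.config/radicale/rights` default path in the other hunk suggest, the wording should say `rights`.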
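Review bot: The `[admin]` rule's `user: ^admin.*\|.+?$` does not express "all users starting with admin" as its comment claims: in Python's `re` a `\|` is a literal pipe, so the pattern only matches logins that contain a `|` somewhere after `admin`, and a plain `admin` login falls through to the later, weaker rules; if the comment is the intent, the line should read `user: ^admin.*$`. Separately, `[domain-wide-access]` captures `(.+)` from the login and places it into `collection: ^{0}/.+$`, and `[owner-write]` interpolates `%(login)s` into a regex the same way; unless rights.py passes those values through `re.escape` before compiling (that code is outside this diff), any regex metacharacter in a login — even the `.` in a captured domain such as `sub.example` — alters what the collection pattern matches, so the escaping is worth confirming and documenting in the file's header comment. Finally, `user: .*` also matches an empty login, so the "authenticated user" wording on `[allow-everyone-read]` holds only if the caller never reaches the rights check with an empty or anonymous login; a comment stating that assumption would help whoever adapts this file.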