diff --git a/programs/server/config-example.yaml b/programs/server/config.yaml.example
similarity index 100%
rename from programs/server/config-example.yaml
rename to programs/server/config.yaml.example
diff --git a/programs/server/users.yaml.example b/programs/server/users.yaml.example
new file mode 100644
index 00000000000..76aee04c19b
--- /dev/null
+++ b/programs/server/users.yaml.example
@@ -0,0 +1,107 @@
+# Profiles of settings.
+profiles:
+ # Default settings.
+ default:
+ # Maximum memory usage for processing single query, in bytes.
+ max_memory_usage: 10000000000
+
+ # How to choose between replicas during distributed query processing.
+ # random - choose random replica from set of replicas with minimum number of errors
+ # nearest_hostname - from set of replicas with minimum number of errors, choose replica
+ # with minimum number of different symbols between replica's hostname and local hostname (Hamming distance).
+ # in_order - first live replica is chosen in specified order.
+ # first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
+ load_balancing: random
+
+ # Profile that allows only read queries.
+ readonly:
+ readonly: 1
+
+# Users and ACL.
+users:
+ # If user name was not specified, 'default' user is used.
+ default:
+ # Password could be specified in plaintext or in SHA256 (in hex format).
+ #
+ # If you want to specify password in plaintext (not recommended), place it in 'password' element.
+ # Example: password: qwerty
+ # Password could be empty.
+ #
+ # If you want to specify SHA256, place it in 'password_sha256_hex' element.
+ # Example: password_sha256_hex: 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5
+ # Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+ #
+ # If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+ # Example: password_double_sha1_hex: e395796d6546b1b65db9d665cd43f0e858dd4303
+ #
+ # If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+ # place its name in 'server' element inside 'ldap' element.
+ # Example: ldap:
+ # server: my_ldap_server
+ #
+ # If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+ # place 'kerberos' element instead of 'password' (and similar) elements.
+ # The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+ # You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+ # whose initiator's realm matches it.
+ # Example: kerberos: ''
+ # Example: kerberos:
+ # realm: EXAMPLE.COM
+ #
+ # How to generate decent password:
+ # Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+ # In first line will be password and in second - corresponding SHA256.
+ #
+ # How to generate double SHA1:
+ # Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+ # In first line will be password and in second - corresponding double SHA1.
+
+ password: ''
+
+ # List of networks with open access.
+ #
+ # To open access from everywhere, specify:
+ # - ip: '::/0'
+ #
+ # To open access only from localhost, specify:
+ # - ip: '::1'
+ # - ip: 127.0.0.1
+ #
+ # Each element of list has one of the following forms:
+ # ip: IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+ # 2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+ # host: Hostname. Example: server01.yandex.ru.
+ # To check access, DNS query is performed, and all received addresses compared to peer address.
+ # host_regexp: Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
+ # To check access, DNS PTR query is performed for peer address and then regexp is applied.
+ # Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+ # Strongly recommended that regexp is ends with $ and take all expression in ''
+ # All results of DNS requests are cached till server restart.
+
+ networks:
+ ip: '::/0'
+
+ # Settings profile for user.
+ profile: default
+
+ # Quota for user.
+ quota: default
+
+ # User can create other users and grant rights to them.
+ # access_management: 1
+
+# Quotas.
+quotas:
+ # Name of quota.
+ default:
+ # Limits for time interval. You could specify many intervals with different limits.
+ interval:
+ # Length of interval.
+ duration: 3600
+
+ # No limits. Just calculate resource usage for time interval.
+ queries: 0
+ errors: 0
+ result_rows: 0
+ read_rows: 0
+ execution_time: 0
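Review bot: The live values for the `default` user pair `password: ''` with `networks:` / `ip: '::/0'`, so a server started from an unedited copy of this example accepts passwordless logins from any address. Shipping the loopback-only values that the comment block already lists (`'::1'` and `127.0.0.1`) would make the safe configuration the default and leave `'::/0'` as the documented opt-in. The comments also show list items (`- ip: '::1'`) while the live value is a plain mapping, so it is worth confirming which form the YAML loader accepts for several addresses and making the comment match. Separately, the generation hint `head -c8` gives only about 48 bits for a password stored as an unsalted SHA-256 or double SHA-1 hash; a longer cut such as `head -c24` in both `Execute:` lines would be a safer recommendation.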