<!-- Parameter entity used as the declared type of the "name" attribute on
     <permission>. It expands to CDATA, so a validating parser accepts any
     string as a permission name; the set of valid names is not enforced
     by this DTD. -->
<!ENTITY % PERMISSION "CDATA">

<!-- The issuer CA of the user's X509 certificate, if any. Free text (#PCDATA);
     this DTD does not constrain its format. Within <user> it can only appear
     immediately before certificate-serial-id, never on its own. -->
<!ELEMENT certificate-issuer (#PCDATA)>

<!-- A defined user.
     Content, in order: an optional description, an optional certificate
     binding (certificate-issuer followed by certificate-serial-id; both or
     neither), then zero or more group-membership elements.
     Attributes:
       deactivated  true|false; defaults to "false" when omitted.
       locked       true|false; no default, so the treatment of an absent
                    value is left to the consuming application.
       password     free text. NOTE(review): this DTD does not show whether
                    the value is a cleartext password or a hash; confirm, and
                    restrict read access to the principals file accordingly.
       realname     free text.
       username     free text. Declared #IMPLIED, so validation does not
                    reject a user without a username, and CDATA (not ID), so
                    uniqueness is not checked by the parser either. -->
<!ELEMENT user (description?, (certificate-issuer, certificate-serial-id)?, group-membership*)>
<!ATTLIST user deactivated (true|false) "false"
locked (true|false) #IMPLIED
password CDATA #IMPLIED
realname CDATA #IMPLIED
username CDATA #IMPLIED
>

<!-- A defined group: an optional description followed by zero or more
     permission elements. The "name" attribute is optional CDATA, so
     validation neither requires a group to be named nor checks that group
     names are unique. -->
<!ELEMENT group (description?, permission*)>
<!ATTLIST group name CDATA #IMPLIED
>

<!-- Container for the defined groups. Holds zero or more group elements,
     so an empty <groups/> is valid. -->
<!ELEMENT groups (group*)>

<!-- A group that this user is a member of. The element allows both text
     content and a "group" attribute; this DTD does not say which of the two
     carries the group name (TODO confirm against the consumer). The attribute
     is CDATA rather than IDREF, so a membership that names a group not
     defined under <groups> still validates; any such check is left to the
     consuming application. -->
<!ELEMENT group-membership (#PCDATA)>
<!ATTLIST group-membership group CDATA #IMPLIED
>

<!-- Container for the defined users. Holds zero or more user elements,
     so an empty <users/> is valid. -->
<!ELEMENT users (user*)>

<!-- A short free-text description (purpose, intended use, etc.). Allowed as
     the optional first child of both user and group. -->
<!ELEMENT description (#PCDATA)>

<!-- A server-specific permission type, "administration" for instance, listed
     under a group. The "name" attribute is typed through the PERMISSION
     parameter entity, which this file defines as CDATA, so validation does
     not restrict permission names to a fixed set; an unknown or misspelled
     name has to be caught by the consuming application. The element also
     allows text content; which of the two carries the permission is not
     stated here (TODO confirm against the consumer). -->
<!ELEMENT permission (#PCDATA)>
<!ATTLIST permission name %PERMISSION; #IMPLIED
>

<!-- The definition of a set of users and groups; presumably the document
     element of a principals file. Content is an optional <groups> followed
     by an optional <users>, in that order, so an empty <principals/> is
     valid. -->
<!ELEMENT principals (groups?, users?)>

<!-- The serial ID of the user's X509 certificate, if any. Free text (#PCDATA);
     this DTD does not constrain its notation, so how the value is compared
     is defined by the consumer. A serial number identifies a certificate
     only in combination with its issuer, which matches the content model of
     <user>: this element can only follow a certificate-issuer. -->
<!ELEMENT certificate-serial-id (#PCDATA)>

