The following security rule sets access rights to objects that belong to domain example.com for the Windows user account named domainuser1.

Security rule entry

<Entry AccounType="1" Account="domainuser1" SidStr="S-1-5-21-821798554-1223697094-3523996037-1043" Path="[HTTPD_VHOSTS_D]" SubPath="example.com" AceFlags="FilesOnly" AccessMask="Read" EntryFlags="0x140" Tag="DomainUser" Tag2="" />

Explanation

Because the name domainuser1 is not a standard system account name, it has to be resolved in the system (hence, AccounType="1"). The optional SidStr attribute is defined to improve Plesk stability. The HTTPD_VHOSTS_D component path in the Path attribute specifies the common part of the path to the domain root folder where the example.com folder is located. The SubPath attribute sets the specific domain root folder to which the rule will be applied. AceFlags="FilesOnly" specifies that, according to this rule, an ACE with permission defined by AccessMask="Read" will be created and added only to the example.com folder and all files contained within that folder. EntryFlags="0x140" enables (i) creation of the domain root folder (which is necessary during domain creation) and (ii) strict enforcement of the access permissions defined by the AccessMask="Read" permission mask. Tag="DomainUser" designates the security rule as pertaining to a domain hosting account and is used by Plesk to properly organize the processing of security metadata.