I was wondering which security domain has to be added to give access to the control panel for a user/user group ?
By default users have access to all plugins via the rule:
but there is an extra bit here:
So access to the Admin Perspective is explicitly removed. Admins get access via another rule that basically gives them access to everything. If you remove the exclude-admin rule, you will give everyone access to the admin perspective, which you really do not want. You could add a new rule giving access to specific user/group.
Having said that, be careful what you are trying to achieve here. The admin panel gives access to some powerful tools that should not be used by people without technical knowledge. You need to restrict the access to the minimum required for the user to do his job. Additionally, users should not be able to assign roles they do not themselves have.