Creating access control entries for registry keys follows exactly the same pattern as for filesystem rights. The rights are defined in the System.Security.AccessControl.RegistryRights enumeration.

PowerShell is able to list these rights, but the descriptions on MSDN are more useful: https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights(v=vs.110).aspx.

A rule is created in the same way as a filesystem rule:

$ace = [System.Security.AccessControl.RegistryAccessRule]::new( 
    'DOMAINUser',                      # Identity reference 
    'FullControl',                      # RegistryRights 
    'ContainerInherit, ObjectInherit',  # InheritanceFlags 
    'None',                             # PropagationFlags 
    'Allow'                             # ACE type (allow or deny) 
) 

The rule can be applied to a key (in this case, a newly created key):

$key = New-Item HKCU:TestKey -ItemType Key -Force 
$acl = Get-Acl $key.PSPath 
$acl.AddAccessRule($ace) 
Set-Acl $key.PSPath -AclObject $acl