Abstract: According to the characteristics of the productive information system,this paper presents a policy-based management mechanism for the sub-domain separation.The mechanism is based on the least privileges and separation of duty.Super-user privileges are divided into collections that are granted to the system administrator,the security administrator,and the auditor,respectively.Through the establishment of mutual collaboration between managers,mutual constraints,and inter-domain isolation mechanisms,the problem of the excessive privileges super-user in the information system is solved and the system security is enhanced.