According　to　the　characteristics　of　the　productive　information　system,　this　paper　presents　a　policy-based　management　mechanism　for　the　sub-domain　separation.　The　mechanism　is　based　on　the　least　privileges　and　separation　of　duty.　Super-user　privileges　are　divided　into　collections　that　are　granted　to　the　system　administrator,　the　security　administrator,　and　the　auditor,　respectively.　Through　the　establishment　of　mutual　collaboration　between　managers,　mutual　constraints,　and　inter-domain　isolation　mechanisms,　the　problem　of　the　excessive　privileges　super-user　in　the　information　system　is　solved　and　the　system　security　is　enhanced.