Trust-Based Constraint-Secure Interoperation for Dynamic Mediator-Free Collaboration
Abstract
Collaboration lets domains share resources effectively. Maintaining the security properties of individual domains during collaboration is a key issue. When domains employing heterogeneous RBAC policies collaborate via cross-domain role-role mappings, their locally defined separation-of-duty constraints risk being breached. We present the requirements for constraint-secure interoperation, prohibiting implicit authorizations that break constraints from other member domains. We propose a trust-based framework to implement constraint-secure interoperation with differential trust relations between member pairs in open collaborative scenarios. The framework introduces cross-domain migration and remote assurance of constraints to maximize interoperability between mutually trusted domains, and ensures separation of constraint conflicts to minimize security risk between distrusted domains. We provide algorithms for a fully distributed implementation, security proofs, and demonstrative use cases for the proposed solution.


