diff --git a/manifests/service_credentials.pp b/manifests/service_credentials.pp
index f012d9ae..f6ef4e90 100644
--- a/manifests/service_credentials.pp
+++ b/manifests/service_credentials.pp
@@ -3,47 +3,50 @@
 #
 # == Parameters
 #
-#  [*password*]
-#    the keystone password for aodh services
-#    Required.
+# [*password*]
+#  (Required) the keystone password for aodh services
 #
-#  [*auth_url*]
-#    the keystone public endpoint
-#    Optional. Defaults to 'http://localhost:5000/v3'
+# [*auth_url*]
+#  (Optional) the keystone public endpoint
+#  Defaults to 'http://localhost:5000/v3'
 #
-#  [*region_name*]
-#    the keystone region of this node
-#    Optional. Defaults to 'RegionOne'
+# [*region_name*]
+#  (Optional) the keystone region of this node
+#  Defaults to 'RegionOne'
 #
-#  [*username*]
-#    the keystone user for aodh services
-#    Optional. Defaults to 'aodh'
+# [*username*]
+#  (Optional) the keystone user for aodh services
+#  Defaults to 'aodh'
 #
-#  [*project_name*]
-#    the keystone tenant name for aodh services
-#    Optional. Defaults to 'services'
+# [*project_name*]
+#  (Optional) the keystone tenant name for aodh services
+#  Defaults to 'services'
 #
-#  [*project_domain_name*]
-#    the keystone project domain name for aodh services
-#    Optional. Defaults to 'Default'
+# [*project_domain_name*]
+#  (Optional) the keystone project domain name for aodh services
+#  Defaults to 'Default'
 #
-#  [*user_domain_name*]
-#    the keystone user domain name for aodh services
-#    Optional. Defaults to 'Default'
+# [*user_domain_name*]
+#  (Optional) the keystone user domain name for aodh services
+#  Defaults to 'Default'
 #
-#  [*auth_type*]
-#    An authentication type to use with an OpenStack Identity server.
-#    The value should contain auth plugin name.
-#    Optional. Defaults to 'password'.
+# [*system_scope*]
+#  (Optional) Scope for system operations.
+#  Defaults to $::os_service_default
 #
-#  [*cacert*]
-#    Certificate chain for SSL validation.
-#    Optional. Defaults to $::os_service_default
+# [*auth_type*]
+#  (Optional) An authentication type to use with an OpenStack Identity server.
+#  The value should contain auth plugin name.
+#  Defaults to 'password'.
 #
-#  [*interface*]
-#    Type of endpoint in Identity service catalog to use for
-#    communication with OpenStack services.
-#    Optional. Defaults to $::os_service_default.
+# [*cacert*]
+#  (Optional) Certificate chain for SSL validation.
+#  Defaults to $::os_service_default
+#
+# [*interface*]
+#  (Optional) Type of endpoint in Identity service catalog to use for
+#  communication with OpenStack services.
+#  Optional. Defaults to $::os_service_default.
 #
 class aodh::service_credentials (
   $password,
@@ -53,6 +56,7 @@ class aodh::service_credentials (
   $project_name        = 'services',
   $project_domain_name = 'Default',
   $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
   $auth_type           = 'password',
   $cacert              = $::os_service_default,
   $interface           = $::os_service_default,
@@ -60,13 +64,22 @@ class aodh::service_credentials (
 
   include aodh::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   aodh_config {
     'service_credentials/auth_url'            : value => $auth_url;
     'service_credentials/region_name'         : value => $region_name;
     'service_credentials/username'            : value => $username;
     'service_credentials/password'            : value => $password, secret => true;
-    'service_credentials/project_name'        : value => $project_name;
-    'service_credentials/project_domain_name' : value => $project_domain_name;
+    'service_credentials/project_name'        : value => $project_name_real;
+    'service_credentials/project_domain_name' : value => $project_domain_name_real;
+    'service_credentials/system_scope'        : value => $system_scope;
     'service_credentials/user_domain_name'    : value => $user_domain_name;
     'service_credentials/cacert'              : value => $cacert;
     'service_credentials/interface'           : value => $interface;
diff --git a/releasenotes/notes/system_scope-all-3a97b232bc4955a1.yaml b/releasenotes/notes/system_scope-all-3a97b232bc4955a1.yaml
new file mode 100644
index 00000000..45af3084
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-3a97b232bc4955a1.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The ``aodh::service_credentials::system_scope`` parameter has been added.
diff --git a/spec/classes/aodh_service_credentials_spec.rb b/spec/classes/aodh_service_credentials_spec.rb
index 95f2f76a..20533479 100644
--- a/spec/classes/aodh_service_credentials_spec.rb
+++ b/spec/classes/aodh_service_credentials_spec.rb
@@ -3,11 +3,8 @@ require 'spec_helper'
 describe 'aodh::service_credentials' do
 
   let :params do
-    { :auth_url     => 'http://localhost:5000/v3',
-      :region_name  => 'RegionOne',
-      :username     => 'aodh',
-      :password     => 'password',
-      :project_name => 'services',
+    {
+      :password => 'password',
     }
   end
 
@@ -17,9 +14,8 @@ describe 'aodh::service_credentials' do
       is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v3')
       is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
       is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('Default')
-      is_expected.to_not contain_aodh_config('service_credentials/project_domain_id')
       is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')
-      is_expected.to_not contain_aodh_config('service_credentials/user_domain_id')
+      is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
       is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
       is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
@@ -38,6 +34,18 @@ describe 'aodh::service_credentials' do
       it { is_expected.to contain_aodh_config('service_credentials/interface').with_value(params[:interface]) }
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_aodh_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({