diff --git a/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp b/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp
index 7fa6c49..cf0e222 100644
--- a/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp
+++ b/puppet-{{cookiecutter.project_name}}/manifests/keystone/authtoken.pp
@@ -27,6 +27,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@@ -194,6 +198,7 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
   $project_name                   = 'services',
   $user_domain_name               = 'Default',
   $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
   $insecure                       = $::os_service_default,
   $auth_section                   = $::os_service_default,
   $auth_type                      = 'password',
@@ -239,6 +244,7 @@ class {{cookiecutter.project_name}}::keystone::authtoken(
     auth_section                   => $auth_section,
     user_domain_name               => $user_domain_name,
     project_domain_name            => $project_domain_name,
+    system_scope                   => $system_scope,
     insecure                       => $insecure,
     cache                          => $cache,
     cafile                         => $cafile,
diff --git a/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb b/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb
index 0631cd9..49b1ffd 100644
--- a/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb
+++ b/puppet-{{cookiecutter.project_name}}/spec/classes/{{cookiecutter.project_name}}_keystone_authtoken_spec.rb
@@ -17,6 +17,7 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
           :project_name                   => 'services',
           :user_domain_name               => 'Default',
           :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
           :insecure                       => '<SERVICE DEFAULT>',
           :auth_section                   => '<SERVICE DEFAULT>',
           :auth_type                      => 'password',
@@ -61,6 +62,7 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',
@@ -102,6 +104,7 @@ describe '{{cookiecutter.project_name}}::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',