diff --git a/masakari/compute/nova.py b/masakari/compute/nova.py
index ebd40ba0..c3f5a929 100644
--- a/masakari/compute/nova.py
+++ b/masakari/compute/nova.py
@@ -112,7 +112,8 @@ def novaclient(context, timeout=None):
         password=context.auth_token,
         project_name=context.project_name,
         user_domain_name=CONF.os_user_domain_name,
-        project_domain_name=CONF.os_project_domain_name)
+        project_domain_name=CONF.os_project_domain_name,
+        system_scope=CONF.os_system_scope)
     session_loader = keystoneauth1.loading.session.Session()
     keystone_session = session_loader.load_from_options(
         auth=auth, cacert=CONF.nova_ca_certificates_file,
diff --git a/masakari/conf/nova.py b/masakari/conf/nova.py
index 542f6e01..e4700367 100644
--- a/masakari/conf/nova.py
+++ b/masakari/conf/nova.py
@@ -53,6 +53,8 @@ nova_opts = [
                default="default",
                help='Project domain name associated with the OpenStack '
                     'privileged account.'),
+    cfg.StrOpt('os_system_scope',
+               help='Scope for system operations.'),
 ]
 
 
diff --git a/masakari/tests/unit/compute/test_nova.py b/masakari/tests/unit/compute/test_nova.py
index dc106b17..0642112d 100644
--- a/masakari/tests/unit/compute/test_nova.py
+++ b/masakari/tests/unit/compute/test_nova.py
@@ -52,7 +52,8 @@ class NovaClientTestCase(test.TestCase):
         p_plugin_loader.return_value.load_from_options.assert_called_once_with(
             auth_url='http://keystonehost/identity',
             password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
         )
         p_client.assert_called_once_with(
             p_api_version(nova.NOVA_API_VERSION),
@@ -72,7 +73,8 @@ class NovaClientTestCase(test.TestCase):
         p_plugin_loader.return_value.load_from_options.assert_called_once_with(
             auth_url='http://keystonehost/identity',
             password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
         )
         p_client.assert_called_once_with(
             p_api_version(nova.NOVA_API_VERSION),
@@ -94,7 +96,8 @@ class NovaClientTestCase(test.TestCase):
         p_plugin_loader.return_value.load_from_options.assert_called_once_with(
             auth_url='http://keystonehost/identity',
             password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
         )
         p_client.assert_called_once_with(
             p_api_version(nova.NOVA_API_VERSION),
@@ -115,7 +118,8 @@ class NovaClientTestCase(test.TestCase):
         p_plugin_loader.return_value.load_from_options.assert_called_once_with(
             auth_url='http://keystonehost/identity',
             password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
         )
         p_client.assert_called_once_with(
             p_api_version(nova.NOVA_API_VERSION),
@@ -125,6 +129,21 @@ class NovaClientTestCase(test.TestCase):
             cacert=None, timeout=None, global_request_id=self.ctx.global_id,
             extensions=nova.nova_extensions)
 
+    @mock.patch('novaclient.api_versions.APIVersion')
+    @mock.patch('novaclient.client.Client')
+    @mock.patch('keystoneauth1.loading.get_plugin_loader')
+    @mock.patch('keystoneauth1.session.Session')
+    def test_nova_client_system_scope(self, p_session, p_plugin_loader,
+                                      p_client, p_api_version):
+        self.override_config('os_system_scope', 'all')
+        nova.novaclient(self.ctx)
+        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
+            auth_url='http://keystonehost/identity',
+            password='strongpassword', project_domain_name='default',
+            project_name=None, user_domain_name='default',
+            system_scope='all', username='adminuser'
+        )
+
 
 class NovaApiTestCase(test.TestCase):
     def setUp(self):
diff --git a/releasenotes/notes/blueprint-support-nova-system-scope-policies-c4dbd244dd3fcf1a.yaml b/releasenotes/notes/blueprint-support-nova-system-scope-policies-c4dbd244dd3fcf1a.yaml
new file mode 100644
index 00000000..03fdb421
--- /dev/null
+++ b/releasenotes/notes/blueprint-support-nova-system-scope-policies-c4dbd244dd3fcf1a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Allows to use system-scoped tokens when contacting Nova.
+    `Blueprint support-nova-system-scope-policies <https://blueprints.launchpad.net/masakari/+spec/support-nova-system-scope-policies>`__