diff --git a/manifests/json_rpc.pp b/manifests/json_rpc.pp
index f2044059..b9fe3d46 100644
--- a/manifests/json_rpc.pp
+++ b/manifests/json_rpc.pp
@@ -65,6 +65,10 @@
 #   (optional) The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*allowed_roles*]
 #   (optional) List of roles allowed to use JSON RPC.
 #   Defaults to $::os_service_default
@@ -91,11 +95,22 @@ class ironic::json_rpc (
   $password                  = $::os_service_default,
   $user_domain_name          = 'Default',
   $project_domain_name       = 'Default',
+  $system_scope              = $::os_service_default,
   $allowed_roles             = $::os_service_default,
   $endpoint_override         = $::os_service_default,
   $region_name               = $::os_service_default,
 ) {
 
+  include ironic::deps
+
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'json_rpc/auth_strategy':             value => $auth_strategy;
     'json_rpc/http_basic_auth_user_file': value => $http_basic_auth_user_file;
@@ -106,9 +121,10 @@ class ironic::json_rpc (
     'json_rpc/username':                  value => $username;
     'json_rpc/password':                  value => $password, secret => true;
     'json_rpc/auth_url':                  value => $auth_url;
-    'json_rpc/project_name':              value => $project_name;
+    'json_rpc/project_name':              value => $project_name_real;
     'json_rpc/user_domain_name':          value => $user_domain_name;
-    'json_rpc/project_domain_name':       value => $project_domain_name;
+    'json_rpc/project_domain_name':       value => $project_domain_name_real;
+    'json_rpc/system_scope':              value => $system_scope;
     'json_rpc/allowed_roles':             value => join(any2array($allowed_roles), ',');
     'json_rpc/endpoint_override':         value => $endpoint_override;
     'json_rpc/region_name':               value => $region_name;
diff --git a/releasenotes/notes/system_scope-keystone-json_rpc-2c706e14a959dc89.yaml b/releasenotes/notes/system_scope-keystone-json_rpc-2c706e14a959dc89.yaml
new file mode 100644
index 00000000..775a3f83
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-json_rpc-2c706e14a959dc89.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``ironic::json_rpc::system_scope`` parameter has been added.
diff --git a/spec/classes/ironic_json_rpc_spec.rb b/spec/classes/ironic_json_rpc_spec.rb
index bcfbc5da..586f7dcd 100644
--- a/spec/classes/ironic_json_rpc_spec.rb
+++ b/spec/classes/ironic_json_rpc_spec.rb
@@ -48,6 +48,7 @@ describe 'ironic::json_rpc' do
       is_expected.to contain_ironic_config('json_rpc/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('json_rpc/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('json_rpc/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('json_rpc/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('json_rpc/allowed_roles').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('json_rpc/endpoint_override').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('json_rpc/region_name').with_value('<SERVICE DEFAULT>')
@@ -71,12 +72,26 @@ describe 'ironic::json_rpc' do
         is_expected.to contain_ironic_config('json_rpc/auth_type').with_value(p[:auth_type])
         is_expected.to contain_ironic_config('json_rpc/username').with_value(p[:username])
         is_expected.to contain_ironic_config('json_rpc/password').with_value(p[:password]).with_secret(true)
+        is_expected.to contain_ironic_config('json_rpc/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('json_rpc/allowed_roles').with_value('admin,service')
         is_expected.to contain_ironic_config('json_rpc/endpoint_override').with_value(p[:endpoint_override])
         is_expected.to contain_ironic_config('json_rpc/region_name').with_value(p[:region_name])
       end
     end
 
+    context 'when system_scope is set' do
+      before :each do
+        params.merge!(
+          :system_scope => 'all',
+        )
+      end
+
+      it 'should configure system-scoped credential' do
+        is_expected.to contain_ironic_config('json_rpc/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('json_rpc/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('json_rpc/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({