diff --git a/manifests/cinder.pp b/manifests/cinder.pp
index f51723a1..d5169416 100644
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to cinder in admin context
 #   through the OpenStack Identity service.
@@ -57,18 +61,30 @@ class ironic::cinder (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
 ) {
 
+  include ironic::deps
+
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'cinder/auth_type':           value => $auth_type;
     'cinder/username':            value => $username;
     'cinder/password':            value => $password, secret => true;
     'cinder/auth_url':            value => $auth_url;
-    'cinder/project_name':        value => $project_name;
+    'cinder/project_name':        value => $project_name_real;
     'cinder/user_domain_name':    value => $user_domain_name;
-    'cinder/project_domain_name': value => $project_domain_name;
+    'cinder/project_domain_name': value => $project_domain_name_real;
+    'cinder/system_scope':        value => $system_scope;
     'cinder/region_name':         value => $region_name;
     'cinder/endpoint_override':   value => $endpoint_override;
   }
diff --git a/manifests/glance.pp b/manifests/glance.pp
index 03c8aaf9..0c2108ff 100644
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to glance in admin context
 #   through the OpenStack Identity service.
@@ -103,6 +107,7 @@ class ironic::glance (
   $password                   = $::os_service_default,
   $user_domain_name           = 'Default',
   $project_domain_name        = 'Default',
+  $system_scope               = $::os_service_default,
   $region_name                = $::os_service_default,
   $num_retries                = $::os_service_default,
   $api_insecure               = $::os_service_default,
@@ -117,6 +122,8 @@ class ironic::glance (
   $swift_account_project_name = undef,
 ) {
 
+  include ironic::deps
+
   if $api_servers {
     warning("The ironic::glance::api_servers parameter is deprecated and \
 has no effect. Please use ironic::glance::endpoint_override instead.")
@@ -130,14 +137,23 @@ has no effect. Please use ironic::glance::endpoint_override instead.")
     fail('swift_account_project_name and swift_account can not be specified in the same time.')
   }
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'glance/auth_type':               value => $auth_type;
     'glance/username':                value => $username;
     'glance/password':                value => $password, secret => true;
     'glance/auth_url':                value => $auth_url;
-    'glance/project_name':            value => $project_name;
+    'glance/project_name':            value => $project_name_real;
     'glance/user_domain_name':        value => $user_domain_name;
-    'glance/project_domain_name':     value => $project_domain_name;
+    'glance/project_domain_name':     value => $project_domain_name_real;
+    'glance/system_scope':            value => $system_scope;
     'glance/region_name':             value => $region_name;
     'glance/num_retries':             value => $num_retries;
     'glance/insecure':                value => $api_insecure;
diff --git a/manifests/inspector/ironic.pp b/manifests/inspector/ironic.pp
index 73c4429a..f31568c8 100644
--- a/manifests/inspector/ironic.pp
+++ b/manifests/inspector/ironic.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to ironic in admin context
 #   through the OpenStack Identity service.
@@ -65,20 +69,30 @@ class ironic::inspector::ironic (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
   $max_retries         = $::os_service_default,
   $retry_interval      = $::os_service_default,
 ) {
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_inspector_config {
     'ironic/auth_type':           value => $auth_type;
     'ironic/username':            value => $username;
     'ironic/password':            value => $password, secret => true;
     'ironic/auth_url':            value => $auth_url;
-    'ironic/project_name':        value => $project_name;
+    'ironic/project_name':        value => $project_name_real;
     'ironic/user_domain_name':    value => $user_domain_name;
-    'ironic/project_domain_name': value => $project_domain_name;
+    'ironic/project_domain_name': value => $project_domain_name_real;
+    'ironic/system_scope':        value => $system_scope;
     'ironic/region_name':         value => $region_name;
     'ironic/endpoint_override':   value => $endpoint_override;
     'ironic/max_retries':         value => $max_retries;
diff --git a/manifests/inspector/service_catalog.pp b/manifests/inspector/service_catalog.pp
index c37e3253..dcf2aa04 100644
--- a/manifests/inspector/service_catalog.pp
+++ b/manifests/inspector/service_catalog.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for accessing Keystone catalog
 #   through the OpenStack Identity service.
@@ -57,20 +61,30 @@ class ironic::inspector::service_catalog (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
 ) {
 
   include ironic::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_inspector_config {
     'service_catalog/auth_type':           value => $auth_type;
     'service_catalog/username':            value => $username;
     'service_catalog/password':            value => $password, secret => true;
     'service_catalog/auth_url':            value => $auth_url;
-    'service_catalog/project_name':        value => $project_name;
+    'service_catalog/project_name':        value => $project_name_real;
     'service_catalog/user_domain_name':    value => $user_domain_name;
-    'service_catalog/project_domain_name': value => $project_domain_name;
+    'service_catalog/project_domain_name': value => $project_domain_name_real;
+    'service_catalog/system_scope':        value => $system_scope;
     'service_catalog/region_name':         value => $region_name;
     'service_catalog/endpoint_override':   value => $endpoint_override;
   }
diff --git a/manifests/inspector/swift.pp b/manifests/inspector/swift.pp
index e8934658..a891d4ea 100644
--- a/manifests/inspector/swift.pp
+++ b/manifests/inspector/swift.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to swift in admin context
 #   through the OpenStack Identity service.
@@ -67,20 +71,30 @@ class ironic::inspector::swift (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
   $container           = $::os_service_default,
   $delete_after        = $::os_service_default,
 ) {
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_inspector_config {
     'swift/auth_type':           value => $auth_type;
     'swift/username':            value => $username;
     'swift/password':            value => $password, secret => true;
     'swift/auth_url':            value => $auth_url;
-    'swift/project_name':        value => $project_name;
+    'swift/project_name':        value => $project_name_real;
     'swift/user_domain_name':    value => $user_domain_name;
-    'swift/project_domain_name': value => $project_domain_name;
+    'swift/project_domain_name': value => $project_domain_name_real;
+    'swift/system_scope':        value => $system_scope;
     'swift/region_name':         value => $region_name;
     'swift/endpoint_override':   value => $endpoint_override;
     'swift/container':           value => $container;
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index 04eb95bf..05b3afec 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to neutron in admin context
 #   through the OpenStack Identity service.
@@ -72,6 +76,7 @@ class ironic::neutron (
   $password                      = $::os_service_default,
   $user_domain_name              = 'Default',
   $project_domain_name           = 'Default',
+  $system_scope                  = $::os_service_default,
   $region_name                   = $::os_service_default,
   $endpoint_override             = $::os_service_default,
   $dhcpv6_stateful_address_count = $::os_service_default,
@@ -84,14 +89,23 @@ class ironic::neutron (
 has no effect. Please use ironic::neutron::endpoint_override instead.")
   }
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'neutron/auth_type':                     value => $auth_type;
     'neutron/username':                      value => $username;
     'neutron/password':                      value => $password, secret => true;
     'neutron/auth_url':                      value => $auth_url;
-    'neutron/project_name':                  value => $project_name;
+    'neutron/project_name':                  value => $project_name_real;
     'neutron/user_domain_name':              value => $user_domain_name;
-    'neutron/project_domain_name':           value => $project_domain_name;
+    'neutron/project_domain_name':           value => $project_domain_name_real;
+    'neutron/system_scope':                  value => $system_scope;
     'neutron/region_name':                   value => $region_name;
     'neutron/endpoint_override':             value => $endpoint_override;
     'neutron/dhcpv6_stateful_address_count': value => $dhcpv6_stateful_address_count;
diff --git a/manifests/service_catalog.pp b/manifests/service_catalog.pp
index 9a55e4a7..9065d6d9 100644
--- a/manifests/service_catalog.pp
+++ b/manifests/service_catalog.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for accessing Keystone catalog
 #   through the OpenStack Identity service.
@@ -57,20 +61,30 @@ class ironic::service_catalog (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
 ) {
 
   include ironic::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'service_catalog/auth_type':           value => $auth_type;
     'service_catalog/username':            value => $username;
     'service_catalog/password':            value => $password, secret => true;
     'service_catalog/auth_url':            value => $auth_url;
-    'service_catalog/project_name':        value => $project_name;
+    'service_catalog/project_name':        value => $project_name_real;
     'service_catalog/user_domain_name':    value => $user_domain_name;
-    'service_catalog/project_domain_name': value => $project_domain_name;
+    'service_catalog/project_domain_name': value => $project_domain_name_real;
+    'service_catalog/system_scope':        value => $system_scope;
     'service_catalog/region_name':         value => $region_name;
     'service_catalog/endpoint_override':   value => $endpoint_override;
   }
diff --git a/manifests/swift.pp b/manifests/swift.pp
index 0484fc25..c13ba4d2 100644
--- a/manifests/swift.pp
+++ b/manifests/swift.pp
@@ -40,6 +40,10 @@
 #   The name of project's domain (required for Identity V3).
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*region_name*]
 #   (optional) Region name for connecting to swift in admin context
 #   through the OpenStack Identity service.
@@ -57,18 +61,30 @@ class ironic::swift (
   $password            = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $region_name         = $::os_service_default,
   $endpoint_override   = $::os_service_default,
 ) {
 
+  include ironic::deps
+
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_config {
     'swift/auth_type':           value => $auth_type;
     'swift/username':            value => $username;
     'swift/password':            value => $password, secret => true;
     'swift/auth_url':            value => $auth_url;
-    'swift/project_name':        value => $project_name;
+    'swift/project_name':        value => $project_name_real;
     'swift/user_domain_name':    value => $user_domain_name;
-    'swift/project_domain_name': value => $project_domain_name;
+    'swift/project_domain_name': value => $project_domain_name_real;
+    'swift/system_scope':        value => $system_scope;
     'swift/region_name':         value => $region_name;
     'swift/endpoint_override':   value => $endpoint_override;
   }
diff --git a/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml b/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml
new file mode 100644
index 00000000..f5e4f150
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    The new ``system_scope`` parameter has been added to the following classes.
+
+    - ``ironic::cinder``
+    - ``ironic::glance``
+    - ``ironic::neutron``
+    - ``ironic::service_catalog``
+    - ``ironic::swift``
+    - ``ironic::inspector::ironic``
+    - ``ironic::inspector::swift``
diff --git a/spec/classes/ironic_cinder_spec.rb b/spec/classes/ironic_cinder_spec.rb
index 60cd1b35..669e9f0b 100644
--- a/spec/classes/ironic_cinder_spec.rb
+++ b/spec/classes/ironic_cinder_spec.rb
@@ -41,6 +41,7 @@ describe 'ironic::cinder' do
       is_expected.to contain_ironic_config('cinder/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('cinder/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('cinder/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('cinder/endpoint_override').with_value('<SERVICE DEFAULT>')
     end
@@ -48,15 +49,15 @@ describe 'ironic::cinder' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
         )
       end
 
@@ -68,11 +69,24 @@ describe 'ironic::cinder' do
         is_expected.to contain_ironic_config('cinder/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_config('cinder/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_config('cinder/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('cinder/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_config('cinder/endpoint_override').with_value(p[:endpoint_override])
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('cinder/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_glance_spec.rb b/spec/classes/ironic_glance_spec.rb
index c8a9a95a..402453b7 100644
--- a/spec/classes/ironic_glance_spec.rb
+++ b/spec/classes/ironic_glance_spec.rb
@@ -41,37 +41,38 @@ describe 'ironic::glance' do
       is_expected.to contain_ironic_config('glance/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('glance/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('glance/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('glance/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('glance/insecure').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('glance/num_retries').with_value('<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('glance/swift_account').with(:value => '<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('glance/swift_container').with(:value => '<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('glance/swift_endpoint_url').with(:value => '<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('glance/swift_temp_url_key').with(:value => '<SERVICE DEFAULT>').with_secret(true)
-      is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('glance/swift_account').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('glance/swift_container').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('glance/swift_endpoint_url').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('glance/swift_temp_url_key').with_value('<SERVICE DEFAULT>').with_secret(true)
+      is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('glance/endpoint_override').with_value('<SERVICE DEFAULT>')
     end
 
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type               => 'noauth',
-            :auth_url                => 'http://example.com',
-            :project_name            => 'project1',
-            :username                => 'admin',
-            :password                => 'pa$$w0rd',
-            :user_domain_name        => 'NonDefault',
-            :project_domain_name     => 'NonDefault',
-            :region_name             => 'regionTwo',
-            :api_servers             => '10.0.0.1:9292',
-            :api_insecure            => true,
-            :num_retries             => 42,
-            :swift_account           => '00000000-0000-0000-0000-000000000000',
-            :swift_container         => 'glance',
-            :swift_endpoint_url      => 'http://example2.com',
-            :swift_temp_url_key      => 'the-key',
-            :swift_temp_url_duration => 3600,
-            :endpoint_override   => 'http://example2.com',
+          :auth_type               => 'noauth',
+          :auth_url                => 'http://example.com',
+          :project_name            => 'project1',
+          :username                => 'admin',
+          :password                => 'pa$$w0rd',
+          :user_domain_name        => 'NonDefault',
+          :project_domain_name     => 'NonDefault',
+          :region_name             => 'regionTwo',
+          :api_servers             => '10.0.0.1:9292',
+          :api_insecure            => true,
+          :num_retries             => 42,
+          :swift_account           => '00000000-0000-0000-0000-000000000000',
+          :swift_container         => 'glance',
+          :swift_endpoint_url      => 'http://example2.com',
+          :swift_temp_url_key      => 'the-key',
+          :swift_temp_url_duration => 3600,
+          :endpoint_override   => 'http://example2.com',
         )
       end
 
@@ -83,6 +84,7 @@ describe 'ironic::glance' do
         is_expected.to contain_ironic_config('glance/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_config('glance/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_config('glance/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('glance/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_config('glance/insecure').with_value(p[:api_insecure])
         is_expected.to contain_ironic_config('glance/num_retries').with_value(p[:num_retries])
@@ -106,6 +108,18 @@ describe 'ironic::glance' do
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_config('glance/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('glance/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('glance/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_inspector_ironic_spec.rb b/spec/classes/ironic_inspector_ironic_spec.rb
index f5b83d4f..0e4f5ded 100644
--- a/spec/classes/ironic_inspector_ironic_spec.rb
+++ b/spec/classes/ironic_inspector_ironic_spec.rb
@@ -42,6 +42,7 @@ describe 'ironic::inspector::ironic' do
       is_expected.to contain_ironic_inspector_config('ironic/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value('<SERVICE DEFAULT>')
@@ -51,17 +52,17 @@ describe 'ironic::inspector::ironic' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
-            :max_retries         => 30,
-            :retry_interval      => 2,
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
+          :max_retries         => 30,
+          :retry_interval      => 2,
         )
       end
 
@@ -73,6 +74,7 @@ describe 'ironic::inspector::ironic' do
         is_expected.to contain_ironic_inspector_config('ironic/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value(p[:endpoint_override])
         is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value(p[:max_retries])
@@ -80,6 +82,18 @@ describe 'ironic::inspector::ironic' do
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_inspector_service_catalog_spec.rb b/spec/classes/ironic_inspector_service_catalog_spec.rb
index 90def994..da236cca 100644
--- a/spec/classes/ironic_inspector_service_catalog_spec.rb
+++ b/spec/classes/ironic_inspector_service_catalog_spec.rb
@@ -41,6 +41,7 @@ describe 'ironic::inspector::service_catalog' do
       is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
     end
@@ -48,15 +49,15 @@ describe 'ironic::inspector::service_catalog' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
         )
       end
 
@@ -68,11 +69,24 @@ describe 'ironic::inspector::service_catalog' do
         is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_inspector_swift_spec.rb b/spec/classes/ironic_inspector_swift_spec.rb
index 90f70797..3f848ae7 100644
--- a/spec/classes/ironic_inspector_swift_spec.rb
+++ b/spec/classes/ironic_inspector_swift_spec.rb
@@ -42,6 +42,7 @@ describe 'ironic::inspector::swift' do
       is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('Default')
       is_expected.to contain_ironic_inspector_config('swift/region_name').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('swift/container').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value('<SERVICE DEFAULT>')
@@ -50,17 +51,17 @@ describe 'ironic::inspector::swift' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
-            :container           => 'mycontainer',
-            :delete_after        => 0,
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
+          :container           => 'mycontainer',
+          :delete_after        => 0,
         )
       end
 
@@ -73,12 +74,25 @@ describe 'ironic::inspector::swift' do
         is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value(p[:project_domain_name])
         is_expected.to contain_ironic_inspector_config('swift/region_name').with_value(p[:region_name])
+        is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value(p[:endpoint_override])
         is_expected.to contain_ironic_inspector_config('swift/container').with_value(p[:container])
         is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value(0)
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('swift/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_neutron_spec.rb b/spec/classes/ironic_neutron_spec.rb
index 02fe2d43..6b82d4b6 100644
--- a/spec/classes/ironic_neutron_spec.rb
+++ b/spec/classes/ironic_neutron_spec.rb
@@ -41,6 +41,7 @@ describe 'ironic::neutron' do
       is_expected.to contain_ironic_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('neutron/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('neutron/endpoint_override').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value('<SERVICE DEFAULT>')
@@ -49,16 +50,16 @@ describe 'ironic::neutron' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type                     => 'noauth',
-            :auth_url                      => 'http://example.com',
-            :project_name                  => 'project1',
-            :username                      => 'admin',
-            :password                      => 'pa$$w0rd',
-            :user_domain_name              => 'NonDefault',
-            :project_domain_name           => 'NonDefault',
-            :region_name                   => 'regionTwo',
-            :endpoint_override             => 'http://example2.com',
-            :dhcpv6_stateful_address_count => 8,
+          :auth_type                     => 'noauth',
+          :auth_url                      => 'http://example.com',
+          :project_name                  => 'project1',
+          :username                      => 'admin',
+          :password                      => 'pa$$w0rd',
+          :user_domain_name              => 'NonDefault',
+          :project_domain_name           => 'NonDefault',
+          :region_name                   => 'regionTwo',
+          :endpoint_override             => 'http://example2.com',
+          :dhcpv6_stateful_address_count => 8,
         )
       end
 
@@ -70,12 +71,25 @@ describe 'ironic::neutron' do
         is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_config('neutron/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_config('neutron/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('neutron/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_config('neutron/endpoint_override').with_value(p[:endpoint_override])
         is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value(p[:dhcpv6_stateful_address_count])
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('neutron/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_service_catalog_spec.rb b/spec/classes/ironic_service_catalog_spec.rb
index 786a1472..ec4e9c88 100644
--- a/spec/classes/ironic_service_catalog_spec.rb
+++ b/spec/classes/ironic_service_catalog_spec.rb
@@ -41,6 +41,7 @@ describe 'ironic::service_catalog' do
       is_expected.to contain_ironic_config('service_catalog/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('service_catalog/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value('<SERVICE DEFAULT>')
     end
@@ -48,15 +49,15 @@ describe 'ironic::service_catalog' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
         )
       end
 
@@ -68,11 +69,24 @@ describe 'ironic::service_catalog' do
         is_expected.to contain_ironic_config('service_catalog/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('service_catalog/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value(p[:endpoint_override])
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('service_catalog/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/ironic_swift_spec.rb b/spec/classes/ironic_swift_spec.rb
index 1564bf1d..38a190d0 100644
--- a/spec/classes/ironic_swift_spec.rb
+++ b/spec/classes/ironic_swift_spec.rb
@@ -41,6 +41,7 @@ describe 'ironic::swift' do
       is_expected.to contain_ironic_config('swift/password').with_value('<SERVICE DEFAULT>').with_secret(true)
       is_expected.to contain_ironic_config('swift/user_domain_name').with_value('Default')
       is_expected.to contain_ironic_config('swift/project_domain_name').with_value('Default')
+      is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('swift/region_name').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('swift/endpoint_override').with_value('<SERVICE DEFAULT>')
     end
@@ -48,15 +49,15 @@ describe 'ironic::swift' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-            :auth_type           => 'noauth',
-            :auth_url            => 'http://example.com',
-            :project_name        => 'project1',
-            :username            => 'admin',
-            :password            => 'pa$$w0rd',
-            :user_domain_name    => 'NonDefault',
-            :project_domain_name => 'NonDefault',
-            :region_name         => 'regionTwo',
-            :endpoint_override   => 'http://example2.com',
+          :auth_type           => 'noauth',
+          :auth_url            => 'http://example.com',
+          :project_name        => 'project1',
+          :username            => 'admin',
+          :password            => 'pa$$w0rd',
+          :user_domain_name    => 'NonDefault',
+          :project_domain_name => 'NonDefault',
+          :region_name         => 'regionTwo',
+          :endpoint_override   => 'http://example2.com',
         )
       end
 
@@ -68,11 +69,24 @@ describe 'ironic::swift' do
         is_expected.to contain_ironic_config('swift/password').with_value(p[:password]).with_secret(true)
         is_expected.to contain_ironic_config('swift/user_domain_name').with_value(p[:user_domain_name])
         is_expected.to contain_ironic_config('swift/project_domain_name').with_value(p[:project_domain_name])
+        is_expected.to contain_ironic_config('swift/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_ironic_config('swift/region_name').with_value(p[:region_name])
         is_expected.to contain_ironic_config('swift/endpoint_override').with_value(p[:endpoint_override])
       end
     end
 
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_ironic_config('swift/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('swift/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('swift/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({