diff --git a/manifests/agents/ml2/networking_baremetal.pp b/manifests/agents/ml2/networking_baremetal.pp
index 71943736b..1b37b7d8f 100644
--- a/manifests/agents/ml2/networking_baremetal.pp
+++ b/manifests/agents/ml2/networking_baremetal.pp
@@ -51,6 +51,10 @@
 #   (optional) The ironic endpoint URL for requests
 #   Defaults to $::os_service_default
 #
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to 'Default'
+#
 # [*username*]
 #   (optional) Username for connection to ironic in admin context
 #   Defaults to 'ironic'
@@ -63,9 +67,9 @@
 #   (optional) Project name to scope to
 #   Defaults to 'services'
 #
-# [*user_domain_name*]
-#   (Optional) Name of domain for $username
-#   Defaults to 'Default'
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
 #
 # [*region_name*]
 #   (optional) Name of region to use. Useful if keystone manages more than one
@@ -123,10 +127,11 @@ class neutron::agents::ml2::networking_baremetal (
   $insecure                = $::os_service_default,
   $auth_type               = 'password',
   $auth_url                = 'http://127.0.0.1:5000',
+  $user_domain_name        = 'Default',
   $username                = 'ironic',
   $project_domain_name     = 'Default',
   $project_name            = 'services',
-  $user_domain_name        = 'Default',
+  $system_scope            = $::os_service_default,
   $region_name             = $::os_service_default,
   $status_code_retry_delay = $::os_service_default,
   $status_code_retries     = $::os_service_default,
@@ -182,6 +187,14 @@ Use status_code_retries instead.')
   $status_code_retry_delay_real = pick($retry_interval, $status_code_retry_delay)
   $status_code_retries_real = pick($max_retries, $status_code_retries)
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   ironic_neutron_agent_config {
     'ironic/endpoint_override':       value => $endpoint_override_real;
     'ironic/cafile':                  value => $cafile;
@@ -190,11 +203,12 @@ Use status_code_retries instead.')
     'ironic/insecure':                value => $insecure;
     'ironic/auth_type':               value => $auth_type;
     'ironic/auth_url':                value => $auth_url;
+    'ironic/user_domain_name':        value => $user_domain_name;
     'ironic/username':                value => $username;
     'ironic/password':                value => $password, secret => true;
-    'ironic/project_domain_name':     value => $project_domain_name;
-    'ironic/project_name':            value => $project_name;
-    'ironic/user_domain_name':        value => $user_domain_name;
+    'ironic/project_domain_name':     value => $project_domain_name_real;
+    'ironic/project_name':            value => $project_name_real;
+    'ironic/system_scope':            value => $system_scope;
     'ironic/region_name':             value => $region_name;
     'ironic/status_code_retry_delay': value => $status_code_retry_delay_real;
     'ironic/status_code_retries':     value => $status_code_retries_real;
diff --git a/manifests/server/notifications/ironic.pp b/manifests/server/notifications/ironic.pp
index 2d2c20fb8..880e1d286 100644
--- a/manifests/server/notifications/ironic.pp
+++ b/manifests/server/notifications/ironic.pp
@@ -24,21 +24,25 @@
 #   The value should contain auth plugin name
 #   Defaults to 'password'
 #
+# [*user_domain_name*]
+#   (optional) Name of domain for $username
+#   Defaults to 'Default'
+#
 # [*username*]
 #   (optional) Username for connection to ironic in admin context
 #   Defaults to 'ironic'
 #
 # [*project_domain_name*]
-#   (Optional) Name of domain for $project_name
+#   (optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
 # [*project_name*]
 #   (optional) ironic project's name
 #   Defaults to 'services'
 #
-# [*user_domain_name*]
-#   (Optional) Name of domain for $username
-#   Defaults to 'Default'
+# [*system_scope*]
+#   (optional) Scope for system operations
+#   Defaults to $::os_service_default
 #
 # [*auth_url*]
 #   (optional) Authorization URL for connection to ironic in admin context.
@@ -64,9 +68,10 @@ class neutron::server::notifications::ironic (
   $password,
   $auth_type            = 'password',
   $username             = 'ironic',
+  $user_domain_name     = 'Default',
   $project_domain_name  = 'Default',
   $project_name         = 'services',
-  $user_domain_name     = 'Default',
+  $system_scope         = $::os_service_default,
   $auth_url             = 'http://127.0.0.1:5000',
   $region_name          = $::os_service_default,
   $valid_interfaces     = $::os_service_default,
@@ -75,15 +80,24 @@ class neutron::server::notifications::ironic (
 
   include neutron::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   neutron_config {
-    'ironic/auth_url':             value => $auth_url;
+    'ironic/auth_type':            value => $auth_type;
+    'ironic/user_domain_name':     value => $user_domain_name;
     'ironic/username':             value => $username;
     'ironic/password':             value => $password, secret => true;
-    'ironic/project_domain_name':  value => $project_domain_name;
-    'ironic/project_name':         value => $project_name;
-    'ironic/user_domain_name':     value => $user_domain_name;
+    'ironic/project_domain_name':  value => $project_domain_name_real;
+    'ironic/project_name':         value => $project_name_real;
+    'ironic/system_scope':         value => $system_scope;
+    'ironic/auth_url':             value => $auth_url;
     'ironic/region_name':          value => $region_name;
-    'ironic/auth_type':            value => $auth_type;
     'ironic/valid_interfaces':     value => join(any2array($valid_interfaces), ',');
     'ironic/enable_notifications': value => $enable_notifications;
   }
diff --git a/releasenotes/notes/system_scope-ironic-6fabfa5afe2150cf.yaml b/releasenotes/notes/system_scope-ironic-6fabfa5afe2150cf.yaml
new file mode 100644
index 000000000..3f0e1e1a4
--- /dev/null
+++ b/releasenotes/notes/system_scope-ironic-6fabfa5afe2150cf.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to the following two classes.
+
+    - ``neutron::server::notifications::ironic``
+    - ``neutron::agents::ml2::networking_baremetal``
diff --git a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
index 3c2b49971..6594da2a3 100644
--- a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
+++ b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
@@ -42,11 +42,12 @@ describe 'neutron::agents::ml2::networking_baremetal' do
       should contain_ironic_neutron_agent_config('ironic/keyfile').with_value('<SERVICE DEFAULT>')
       should contain_ironic_neutron_agent_config('ironic/auth_type').with_value(p[:auth_type])
       should contain_ironic_neutron_agent_config('ironic/auth_url').with_value(p[:auth_url])
+      should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])
       should contain_ironic_neutron_agent_config('ironic/username').with_value(p[:username])
       should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password]).with_secret(true)
       should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value(p[:project_domain_name])
       should contain_ironic_neutron_agent_config('ironic/project_name').with_value(p[:project_name])
-      should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])
+      should contain_ironic_neutron_agent_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
       should contain_ironic_neutron_agent_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
       should contain_ironic_neutron_agent_config('ironic/status_code_retry_delay').with_value('<SERVICE DEFAULT>')
       should contain_ironic_neutron_agent_config('ironic/status_code_retries').with_value('<SERVICE DEFAULT>')
@@ -89,6 +90,20 @@ describe 'neutron::agents::ml2::networking_baremetal' do
         should contain_service('ironic-neutron-agent-service').that_notifies('Anchor[neutron::service::end]')
       end
     end
+
+    context 'when system_scope is set' do
+      before :each do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+
+      it 'should configure system scope credential' do
+        should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
+        should contain_ironic_neutron_agent_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
+        should contain_ironic_neutron_agent_config('ironic/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({
diff --git a/spec/classes/neutron_server_notifications_ironic_spec.rb b/spec/classes/neutron_server_notifications_ironic_spec.rb
index 582655bb6..178d2ed3f 100644
--- a/spec/classes/neutron_server_notifications_ironic_spec.rb
+++ b/spec/classes/neutron_server_notifications_ironic_spec.rb
@@ -31,12 +31,14 @@ describe 'neutron::server::notifications::ironic' do
   shared_examples 'neutron::server::notifications::ironic' do
     it 'configure neutron.conf' do
       should contain_neutron_config('ironic/auth_type').with_value('password')
-      should contain_neutron_config('ironic/auth_url').with_value('http://127.0.0.1:5000')
+      should contain_neutron_config('ironic/user_domain_name').with_value('Default')
       should contain_neutron_config('ironic/username').with_value('ironic')
       should contain_neutron_config('ironic/password').with_value('secrete').with_secret( true )
-      should contain_neutron_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
       should contain_neutron_config('ironic/project_domain_name').with_value('Default')
-      should contain_neutron_config('ironic/user_domain_name').with_value('Default')
+      should contain_neutron_config('ironic/project_name').with_value('services')
+      should contain_neutron_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
+      should contain_neutron_config('ironic/auth_url').with_value('http://127.0.0.1:5000')
+      should contain_neutron_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
       should contain_neutron_config('ironic/valid_interfaces').with_value('<SERVICE DEFAULT>')
       should contain_neutron_config('ironic/enable_notifications').with_value('<SERVICE DEFAULT>')
     end
@@ -44,25 +46,28 @@ describe 'neutron::server::notifications::ironic' do
     context 'when overriding parameters' do
       before :each do
         params.merge!(
-          :auth_url             => 'http://keystone:5000/v3',
           :auth_type            => 'password',
-          :username             => 'joe',
-          :region_name          => 'MyRegion',
-          :project_domain_name  => 'Default_1',
           :user_domain_name     => 'Default_2',
+          :username             => 'joe',
+          :project_domain_name  => 'Default_1',
+          :project_name         => 'alt_services',
+          :auth_url             => 'http://keystone:5000/v3',
+          :region_name          => 'MyRegion',
           :valid_interfaces     => 'internal,public',
           :enable_notifications => false,
         )
       end
 
       it 'should configure neutron server with overrided parameters' do
-        should contain_neutron_config('ironic/auth_url').with_value('http://keystone:5000/v3')
         should contain_neutron_config('ironic/auth_type').with_value('password')
+        should contain_neutron_config('ironic/user_domain_name').with_value('Default_2')
         should contain_neutron_config('ironic/username').with_value('joe')
         should contain_neutron_config('ironic/password').with_value('secrete').with_secret(true)
-        should contain_neutron_config('ironic/region_name').with_value('MyRegion')
         should contain_neutron_config('ironic/project_domain_name').with_value('Default_1')
-        should contain_neutron_config('ironic/user_domain_name').with_value('Default_2')
+        should contain_neutron_config('ironic/project_name').with_value('alt_services')
+        should contain_neutron_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('ironic/auth_url').with_value('http://keystone:5000/v3')
+        should contain_neutron_config('ironic/region_name').with_value('MyRegion')
         should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public')
         should contain_neutron_config('ironic/enable_notifications').with_value(false)
       end
@@ -79,6 +84,20 @@ describe 'neutron::server::notifications::ironic' do
         should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public')
       end
     end
+
+    context 'when system_scope is set' do
+      before :each do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+
+      it 'should configure system scope credential' do
+        should contain_neutron_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('ironic/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({