diff --git a/manifests/key_manager/barbican/service_user.pp b/manifests/key_manager/barbican/service_user.pp
index 0773c97..4e6b810 100644
--- a/manifests/key_manager/barbican/service_user.pp
+++ b/manifests/key_manager/barbican/service_user.pp
@@ -20,7 +20,8 @@
 #  (Required) The URL to use for authentication.
 #
 # [*project_name*]
-#  (Required) Service project name
+#  (Optional) Service project name
+#  Defaults to $::os_service_default
 #
 # [*user_domain_name*]
 #  (Optional) Name of domain for $username
@@ -30,6 +31,10 @@
 #  (Optional) Name of domain for $project_name
 #  Defaults to $::os_service_default
 #
+# [*system_scope*]
+#  (Optional) Scope for system operations.
+#  Defaults to $::os_service_default
+#
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
@@ -65,9 +70,10 @@ define oslo::key_manager::barbican::service_user(
   $username,
   $password,
   $auth_url,
-  $project_name,
+  $project_name            = $::os_service_default,
   $user_domain_name        = $::os_service_default,
   $project_domain_name     = $::os_service_default,
+  $system_scope            = $::os_service_default,
   $insecure                = $::os_service_default,
   $auth_type               = $::os_service_default,
   $auth_version            = $::os_service_default,
@@ -77,6 +83,16 @@ define oslo::key_manager::barbican::service_user(
   $region_name             = $::os_service_default,
 ) {
 
+  if is_service_default($system_scope) {
+    $project_name_real        = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    # When system scope is used, project parameters should be removed otherwise
+    # project scope is used.
+    $project_name_real        = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   $service_user_options = {
     'barbican_service_user/auth_type'           => {'value' => $auth_type},
     'barbican_service_user/auth_version'        => {'value' => $auth_version},
@@ -88,8 +104,9 @@ define oslo::key_manager::barbican::service_user(
     'barbican_service_user/username'            => {'value' => $username},
     'barbican_service_user/password'            => {'value' => $password, 'secret' => true},
     'barbican_service_user/user_domain_name'    => {'value' => $user_domain_name},
-    'barbican_service_user/project_name'        => {'value' => $project_name},
-    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name},
+    'barbican_service_user/project_name'        => {'value' => $project_name_real},
+    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name_real},
+    'barbican_service_user/system_scope'        => {'value' => $system_scope},
     'barbican_service_user/insecure'            => {'value' => $insecure},
   }
 
diff --git a/releasenotes/notes/system_scope-barbican_service_user-3e9cba1bba4f22b8.yaml b/releasenotes/notes/system_scope-barbican_service_user-3e9cba1bba4f22b8.yaml
new file mode 100644
index 0000000..9ca3b62
--- /dev/null
+++ b/releasenotes/notes/system_scope-barbican_service_user-3e9cba1bba4f22b8.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``oslo::key_manager::barbican::service_user`` resource type now
+    supports the ``system_scope`` parameter.
diff --git a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
index b4ad3bf..50809d7 100644
--- a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
@@ -7,8 +7,7 @@ describe 'oslo::key_manager::barbican::service_user' do
   let :params do
     { :username     => 'keystone',
       :password     => 'secret',
-      :auth_url     => 'http://127.0.0.1:5000',
-      :project_name => 'services' }
+      :auth_url     => 'http://127.0.0.1:5000' }
   end
 
   shared_examples 'oslo::key_manager::barbican::service_user' do
@@ -17,8 +16,9 @@ describe 'oslo::key_manager::barbican::service_user' do
         is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
         is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
         is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
-        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
@@ -55,6 +55,7 @@ describe 'oslo::key_manager::barbican::service_user' do
         is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
         is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
         is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
         is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
         is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
@@ -71,11 +72,20 @@ describe 'oslo::key_manager::barbican::service_user' do
       it { expect { is_expected.to raise_error(Puppet::Error) } }
     end
 
-    context 'without specify project' do
-      let :params do
-        params.delete(:project_name)
+    context 'with system_scope' do
+      before do
+        params.merge!({
+          :project_name        => 'NoProject',
+          :project_domain_name => 'OurDomain',
+          :system_scope        => 'all',
+        })
+      end
+
+      it 'configures system_scope' do
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value(params[:system_scope])
       end
-      it { expect { is_expected.to raise_error(Puppet::Error) } }
     end
   end