diff --git a/manifests/api/service_credentials.pp b/manifests/api/service_credentials.pp
index d3289a1c..dbd7edc3 100644
--- a/manifests/api/service_credentials.pp
+++ b/manifests/api/service_credentials.pp
@@ -29,6 +29,10 @@
 #   (optional) the keystone user domain name for trove services
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 class trove::api::service_credentials (
   $password,
   $auth_url            = 'http://127.0.0.1:5000',
@@ -37,16 +41,26 @@ class trove::api::service_credentials (
   $project_name        = 'services',
   $project_domain_name = 'Default',
   $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
 ) {
 
   include trove::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   trove_config {
     'service_credentials/auth_url':            value => $auth_url;
     'service_credentials/username':            value => $username;
     'service_credentials/password':            value => $password, secret => true;
-    'service_credentials/project_name':        value => $project_name;
-    'service_credentials/project_domain_name': value => $project_domain_name;
+    'service_credentials/project_name':        value => $project_name_real;
+    'service_credentials/project_domain_name': value => $project_domain_name_real;
+    'service_credentials/system_scope':        value => $system_scope;
     'service_credentials/user_domain_name':    value => $user_domain_name;
     'service_credentials/region_name':         value => $region_name;
   }
diff --git a/manifests/guestagent/service_credentials.pp b/manifests/guestagent/service_credentials.pp
index 382c37be..61612dc1 100644
--- a/manifests/guestagent/service_credentials.pp
+++ b/manifests/guestagent/service_credentials.pp
@@ -29,6 +29,10 @@
 #   (optional) the keystone user domain name for trove services
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 class trove::guestagent::service_credentials (
   $password,
   $auth_url            = 'http://127.0.0.1:5000',
@@ -37,17 +41,27 @@ class trove::guestagent::service_credentials (
   $project_name        = 'services',
   $project_domain_name = 'Default',
   $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
 ) {
 
   include trove::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   trove_guestagent_config {
     'service_credentials/auth_url':            value => $auth_url;
     'service_credentials/username':            value => $username;
     'service_credentials/password':            value => $password, secret => true;
-    'service_credentials/project_name':        value => $project_name;
-    'service_credentials/project_domain_name': value => $project_domain_name;
+    'service_credentials/project_name':        value => $project_name_real;
+    'service_credentials/project_domain_name': value => $project_domain_name_real;
     'service_credentials/user_domain_name':    value => $user_domain_name;
+    'service_credentials/system_scope':        value => $system_scope;
     'service_credentials/region_name':         value => $region_name;
   }
 
diff --git a/releasenotes/notes/system_scope-all-b264889f42741908.yaml b/releasenotes/notes/system_scope-all-b264889f42741908.yaml
new file mode 100644
index 00000000..fc882edc
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-b264889f42741908.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The new ``system_scope`` parameter has been added to the following classes.
+
+    - ``trove::api::service_credentials``
+    - ``trove::guestagent::service_credentials``
diff --git a/spec/classes/trove_api_service_credentials_spec.rb b/spec/classes/trove_api_service_credentials_spec.rb
index 3241cf1c..ea28babd 100644
--- a/spec/classes/trove_api_service_credentials_spec.rb
+++ b/spec/classes/trove_api_service_credentials_spec.rb
@@ -19,45 +19,58 @@ describe 'trove::api::service_credentials' do
 
   shared_examples 'trove::api::service_credentials' do
 
-    context 'with default parameters' do
-      let :params do
-        {
-          :auth_url => 'http://127.0.0.1:5000/v3',
-          :password => 'verysecrete'
-        }
-      end
+    let :params do
+      {
+        :password => 'verysecrete'
+      }
+    end
 
+    context 'with default parameters' do
       it 'configures service credentials with default parameters' do
-        is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3')
+        is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
         is_expected.to contain_trove_config('service_credentials/username').with_value('trove')
         is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true)
         is_expected.to contain_trove_config('service_credentials/project_name').with_value('services')
         is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne')
         is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default')
         is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default')
+        is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
       end
     end
 
     context 'when overriding defaults' do
-      let :params do
-        {
-          :auth_url            => 'http://127.0.0.1:5000/v3',
-          :password            => 'verysecrete',
+      before do
+        params.merge!({
+          :auth_url            => 'http://localhost:5000',
           :username            => 'trove2',
           :project_name        => 'services2',
           :region_name         => 'RegionTwo',
           :user_domain_name    => 'MyDomain',
           :project_domain_name => 'MyDomain',
-        }
+        })
       end
 
       it 'configures service credentials with default parameters' do
-        is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3')
+        is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://localhost:5000')
         is_expected.to contain_trove_config('service_credentials/username').with_value('trove2')
         is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2')
         is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo')
         is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain')
         is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain')
+        is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_config('service_credentials/system_scope').with_value('all')
       end
     end
   end
@@ -65,6 +78,10 @@ describe 'trove::api::service_credentials' do
   on_supported_os({
     :supported_os   => OSDefaults.get_supported_os
   }).each do |os,facts|
+    let (:facts) do
+      facts.merge!(OSDefaults.get_facts())
+    end
+
     context "on #{os}" do
       it_configures 'trove::api::service_credentials'
     end
diff --git a/spec/classes/trove_guestagent_service_credentials_spec.rb b/spec/classes/trove_guestagent_service_credentials_spec.rb
index 865e0bad..a8f5a7ca 100644
--- a/spec/classes/trove_guestagent_service_credentials_spec.rb
+++ b/spec/classes/trove_guestagent_service_credentials_spec.rb
@@ -19,11 +19,13 @@ describe 'trove::guestagent::service_credentials' do
 
   shared_examples 'trove::guestagent::service_credentials' do
 
-    context 'with default parameters' do
-      let :params do
-        { :password => 'verysecrete' }
-      end
+    let :params do
+      {
+        :password => 'verysecrete'
+      }
+    end
 
+    context 'with default parameters' do
       it 'configures service credentials with default parameters' do
         is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
         is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove')
@@ -32,20 +34,20 @@ describe 'trove::guestagent::service_credentials' do
         is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne')
         is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default')
         is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default')
+        is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
       end
     end
 
     context 'when overriding defaults' do
-      let :params do
-        {
+      before do
+        params.merge!({
           :auth_url            => 'http://localhost:5000',
-          :password            => 'verysecrete',
           :username            => 'trove2',
           :project_name        => 'services2',
           :region_name         => 'RegionTwo',
           :user_domain_name    => 'MyDomain',
           :project_domain_name => 'MyDomain',
-        }
+        })
       end
 
       it 'configures service credentials with default parameters' do
@@ -55,6 +57,20 @@ describe 'trove::guestagent::service_credentials' do
         is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo')
         is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain')
         is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain')
+        is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_guestagent_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('all')
       end
     end
   end
@@ -62,6 +78,10 @@ describe 'trove::guestagent::service_credentials' do
   on_supported_os({
     :supported_os   => OSDefaults.get_supported_os
   }).each do |os,facts|
+    let (:facts) do
+      facts.merge!(OSDefaults.get_facts())
+    end
+
     context "on #{os}" do
       it_configures 'trove::guestagent::service_credentials'
     end