diff --git a/manifests/watcher_clients_auth.pp b/manifests/watcher_clients_auth.pp
index 6985cb8..3fa5a6c 100644
--- a/manifests/watcher_clients_auth.pp
+++ b/manifests/watcher_clients_auth.pp
@@ -27,6 +27,10 @@
 #   (Optional) User Domain name.
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*auth_type*]
 #   (Optional) Authentication type to load.
 #   Defaults to 'password'
@@ -55,6 +59,7 @@ class watcher::watcher_clients_auth (
   $project_name        = 'services',
   $project_domain_name = 'Default',
   $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
   $auth_type           = 'password',
   $insecure            = $::os_service_default,
   $certfile            = $::os_service_default,
@@ -69,10 +74,16 @@ class watcher::watcher_clients_auth (
     fail('password is required')
   }
 
+  if is_service_default($system_scope) {
+    $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
+    $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   $auth_url_real = pick($::watcher::api::watcher_client_auth_url, $auth_url)
   $username_real = pick($::watcher::api::watcher_client_username, $username)
-  $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
-  $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
   $user_domain_name_real = pick($::watcher::api::watcher_client_user_domain_name, $user_domain_name)
   $auth_type_real = pick($::watcher::api::watcher_client_auth_type, $auth_type)
   $insecure_real = pick($::watcher::api::watcher_client_insecure, $insecure)
@@ -87,6 +98,7 @@ class watcher::watcher_clients_auth (
     'watcher_clients_auth/project_name':        value => $project_name_real;
     'watcher_clients_auth/project_domain_name': value => $project_domain_name_real;
     'watcher_clients_auth/user_domain_name':    value => $user_domain_name_real;
+    'watcher_clients_auth/system_scope':        value => $system_scope;
     'watcher_clients_auth/insecure':            value => $insecure_real;
     'watcher_clients_auth/auth_type':           value => $auth_type_real;
     'watcher_clients_auth/cafile':              value => $cafile_real;
diff --git a/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml b/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
new file mode 100644
index 0000000..1cfa095
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``watcher::watcher_clients_auth::system_scope`` parameter has been
+    added.
diff --git a/spec/classes/watcher_watcher_clients_auth_spec.rb b/spec/classes/watcher_watcher_clients_auth_spec.rb
index a35e904..6c4e7a8 100644
--- a/spec/classes/watcher_watcher_clients_auth_spec.rb
+++ b/spec/classes/watcher_watcher_clients_auth_spec.rb
@@ -15,6 +15,7 @@ describe 'watcher::watcher_clients_auth' do
         should contain_watcher_config('watcher_clients_auth/project_name').with_value('services')
         should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default')
         should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default')
+        should contain_watcher_config('watcher_clients_auth/system_scope').with_value('<SERVICE DEFAULT>')
         should contain_watcher_config('watcher_clients_auth/insecure').with_value('<SERVICE DEFAULT>')
         should contain_watcher_config('watcher_clients_auth/certfile').with_value('<SERVICE DEFAULT>')
         should contain_watcher_config('watcher_clients_auth/cafile').with_value('<SERVICE DEFAULT>')
@@ -43,12 +44,26 @@ describe 'watcher::watcher_clients_auth' do
         should contain_watcher_config('watcher_clients_auth/project_name').with_value('alt_services')
         should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('user_domain')
         should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('project_domain')
+        should contain_watcher_config('watcher_clients_auth/system_scope').with_value('<SERVICE DEFAULT>')
         should contain_watcher_config('watcher_clients_auth/insecure').with_value(false)
         should contain_watcher_config('watcher_clients_auth/certfile').with_value('path_to_cert')
         should contain_watcher_config('watcher_clients_auth/cafile').with_value('path_to_ca')
         should contain_watcher_config('watcher_clients_auth/keyfile').with_value('path_to_key')
       end
     end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_watcher_config('watcher_clients_auth/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_watcher_config('watcher_clients_auth/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({