diff --git a/examples/ansible.cfg b/examples/ansible.cfg
index 3800a9ea464..ac10f62d9e9 100644
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -71,6 +71,11 @@ timeout = 10
 # this can also be set to 'merge'.
 #hash_behaviour = replace
 
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
 # list any Jinja2 extensions to enable here:
 #jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
 
diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py
index db0cabb10fa..b291c371b89 100644
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -129,6 +129,7 @@ DEFAULT_MANAGED_STR       = get_config(p, DEFAULTS, 'ansible_managed',  None,
 DEFAULT_SYSLOG_FACILITY   = get_config(p, DEFAULTS, 'syslog_facility',  'ANSIBLE_SYSLOG_FACILITY', 'LOG_USER')
 DEFAULT_KEEP_REMOTE_FILES = get_config(p, DEFAULTS, 'keep_remote_files', 'ANSIBLE_KEEP_REMOTE_FILES', False, boolean=True)
 DEFAULT_HASH_BEHAVIOUR    = get_config(p, DEFAULTS, 'hash_behaviour', 'ANSIBLE_HASH_BEHAVIOUR', 'replace')
+DEFAULT_PRIVATE_ROLE_VARS = get_config(p, DEFAULTS, 'private_role_vars', 'ANSIBLE_PRIVATE_ROLE_VARS', False, boolean=True)
 DEFAULT_JINJA2_EXTENSIONS = get_config(p, DEFAULTS, 'jinja2_extensions', 'ANSIBLE_JINJA2_EXTENSIONS', None)
 DEFAULT_EXECUTABLE        = get_config(p, DEFAULTS, 'executable', 'ANSIBLE_EXECUTABLE', '/bin/sh')
 DEFAULT_GATHERING         = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
diff --git a/lib/ansible/vars/__init__.py b/lib/ansible/vars/__init__.py
index 4e8d6bda3c3..6531b6a3209 100644
--- a/lib/ansible/vars/__init__.py
+++ b/lib/ansible/vars/__init__.py
@@ -197,8 +197,10 @@ class VariableManager:
                     #        whether or not vars files errors should be fatal at this
                     #        stage, or just base it on whether a host was specified?
                     pass
-            for role in play.get_roles():
-                all_vars = self._combine_vars(all_vars, role.get_vars())
+
+            if not C.DEFAULT_PRIVATE_ROLE_VARS:
+                for role in play.get_roles():
+                    all_vars = self._combine_vars(all_vars, role.get_vars())
 
         if host:
             all_vars = self._combine_vars(all_vars, self._vars_cache.get(host.get_name(), dict()))