diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40e7cdb94c..f985538b42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -145,6 +145,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7628](https://github.com/apache/trafficcontrol/pull/7628) *Traffic Ops* Fixes an issue where certificate chain validation failed based on leading or trailing whitespace.
 - [#7596](https://github.com/apache/trafficcontrol/pull/7596) *Traffic Ops* Fixes `federation_resolvers` v5 apis to respond with `RFC3339` date/time Format.
 - [#7660](https://github.com/apache/trafficcontrol/pull/7660) *Traffic Ops* Fixes `deliveryServices` v5 apis to respond with `RFC3339` date/time Format.
+- [#7686](https://github.com/apache/trafficcontrol/pull/7686) *Traffic Ops* Fixes secured parameters being visible when role has proper permissions.
 - [#7697](https://github.com/apache/trafficcontrol/pull/7697) *Traffic Ops* Fixes `iloPassword` and `xmppPassword` checking for priv-level instead of using permissions.
 
 ### Removed
diff --git a/traffic_ops/traffic_ops_golang/parameter/parameters.go b/traffic_ops/traffic_ops_golang/parameter/parameters.go
index 167019fbc3..3595ced557 100644
--- a/traffic_ops/traffic_ops_golang/parameter/parameters.go
+++ b/traffic_ops/traffic_ops_golang/parameter/parameters.go
@@ -176,10 +176,18 @@ func (param *TOParameter) Read(h http.Header, useIMS bool) ([]interface{}, error
 			return nil, nil, errors.New("scanning " + param.GetType() + ": " + err.Error()), http.StatusInternalServerError, nil
 		}
 		if p.Secure != nil && *p.Secure {
-			if param.ReqInfo.Version.Major >= 4 &&
-				param.ReqInfo.Config.RoleBasedPermissions &&
-				!param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
-				p.Value = &HiddenField
+			if param.ReqInfo.Version.Major >= 5 {
+				if !param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
+					p.Value = &HiddenField
+				}
+			} else if param.ReqInfo.Version.Major == 4 {
+				if param.ReqInfo.Config.RoleBasedPermissions {
+					if !param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
+						p.Value = &HiddenField
+					}
+				} else if param.ReqInfo.User.PrivLevel < auth.PrivLevelAdmin {
+					p.Value = &HiddenField
+				}
 			} else if param.ReqInfo.User.PrivLevel < auth.PrivLevelAdmin {
 				p.Value = &HiddenField
 			}
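Review bot: The new nested if/else-if ladder repeats the `p.Value = &HiddenField` masking in four places and the `PARAMETER-SECURE:READ` check in two, which makes it hard to see at a glance that every version path fails closed; a single `switch` that computes one `canRead` boolean and masks once would keep the policy in one spot and make it obviously deny-by-default. The v5 branch also drops the `Config.RoleBasedPermissions` guard that the v4 branch keeps, so on a v5 request with that flag disabled the outcome now rests entirely on what `User.Can` returns in that mode — presumably intended, but it deserves a comment such as `// v5+ is permission-only; Config.RoleBasedPermissions is deliberately not consulted here` so nobody re-adds the guard and silently widens exposure. The enclosing `Read` method starts and ends outside this hunk.

```go
		if p.Secure != nil && *p.Secure {
			// Fail closed: a secure value is revealed only when the caller
			// passes the check that applies to the requested API version.
			// v5+ is permission-only (Config.RoleBasedPermissions is deliberately
			// not consulted); v4 honours that flag; older versions use priv-level.
			var canRead bool
			switch {
			case param.ReqInfo.Version.Major >= 5:
				canRead = param.ReqInfo.User.Can("PARAMETER-SECURE:READ")
			case param.ReqInfo.Version.Major == 4 && param.ReqInfo.Config.RoleBasedPermissions:
				canRead = param.ReqInfo.User.Can("PARAMETER-SECURE:READ")
			default:
				canRead = param.ReqInfo.User.PrivLevel >= auth.PrivLevelAdmin
			}
			if !canRead {
				p.Value = &HiddenField
			}
		}
		// … unchanged: rest of the row loop in Read …
```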