diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c2dcaa096..9d4a6b9388 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7113](https://github.com/apache/trafficcontrol/pull/7113) *Traffic Portal* Minimize the Server Server Capability part of the *Traffic Servers* section of the Snapshot Diff
 - [#7273](https://github.com/apache/trafficcontrol/pull/7273) *Traffic Ops* Adds SSL-KEY-EXPIRATION:READ permission to operations, portal, read-only, federation and steering roles
 - [#7296](https://github.com/apache/trafficcontrol/pull/7296) *Traffic Portal* New configuration option in `traffic_portal_properties.json` at `deliveryServices.exposeInactive` controls exposing APIv5 DS Active State options in the TP UI.
+- [#7332](https://github.com/apache/trafficcontrol/pull/7332) *Traffic Ops* Creates new role needed for TR to watch TO resources.
 
 ### Changed
 - [#7224](https://github.com/apache/trafficcontrol/pull/7224) *Traffic Ops* Required Capabilities are now a part of the `DeliveryService` structure.
diff --git a/traffic_ops/app/db/migrations/2023012316280200_create_new_role.down.sql b/traffic_ops/app/db/migrations/2023012316280200_create_new_role.down.sql
new file mode 100644
index 0000000000..a3b117f4df
--- /dev/null
+++ b/traffic_ops/app/db/migrations/2023012316280200_create_new_role.down.sql
@@ -0,0 +1,18 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+DELETE FROM public."role" r WHERE r.name='trouter';
diff --git a/traffic_ops/app/db/migrations/2023012316280200_create_new_role.up.sql b/traffic_ops/app/db/migrations/2023012316280200_create_new_role.up.sql
new file mode 100644
index 0000000000..383bc64928
--- /dev/null
+++ b/traffic_ops/app/db/migrations/2023012316280200_create_new_role.up.sql
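Review bot: The lone `DELETE FROM public."role" r WHERE r.name='trouter';` in the down migration leaves two things to foreign-key behaviour this diff does not show: removing the role's `role_capability` rows, and handling any user still assigned `trouter`. If those keys do not cascade, the rollback fails, and if the user key does cascade, the rollback removes accounts without saying so. I would delete the grants explicitly first, `DELETE FROM public.role_capability WHERE role_id = (SELECT id FROM public."role" WHERE name='trouter');`, and add a comment stating what is expected to happen to users that hold the role.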
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+INSERT INTO public."role" (name, description, priv_level)
+VALUES('trouter', 'Limited role for Traffic Router calls to Traffic Ops', 10);
+
+INSERT INTO public.role_capability (role_id, cap_name)
+ VALUES (
+ (SELECT id FROM role WHERE name='trouter'),
+ UNNEST(ARRAY[
+ 'CDN:READ',
+ 'DELIVERY-SERVICE:READ',
+ 'DNS-SEC:READ',
+ 'STEERING:READ',
+ 'FEDERATION-RESOLVER:READ',
+ 'DS-SECURITY-KEY:READ']
+ )
+ );
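Review bot: `'DS-SECURITY-KEY:READ'` in the capability array sits oddly with the description 'Limited role for Traffic Router calls to Traffic Ops': judging by its name it lets the holder read delivery service key material, so the `trouter` credentials would be as sensitive as those keys. A comment above the second INSERT naming the Traffic Router call behind each grant, for example `-- DS-SECURITY-KEY:READ: required by TR for <call>; this role can read DS keys`, would let later reviewers hold the list to least privilege. The subquery also reads from unqualified `role` while both INSERTs name the `public` schema, so `(SELECT id FROM public."role" WHERE name='trouter')` would remove the search_path dependence. Finally, the first INSERT assumes no `trouter` role exists yet, and on an installation where an operator already created one the migration presumably either aborts or attaches these grants to a role with a different `priv_level`, which deserves a guard or at least a comment.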