diff --git a/galaxy_ng/app/migrations/0053_create_system_auditor_role.py b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
new file mode 100644
index 0000000000..731b8a9337
--- /dev/null
+++ b/galaxy_ng/app/migrations/0053_create_system_auditor_role.py
@@ -0,0 +1,40 @@
+# Generated by Django 4.2.13 on 2024-06-06 19:13
+
+from django.db import migrations
+
+
+def create_system_auditor_role(apps, schema_editor):
+    Role = apps.get_model("core", "Role")
+    Permission = apps.get_model("auth", "Permission")
+
+    # Create the role
+    role, created = Role.objects.get_or_create(
+        name='galaxy.auditor',
+        defaults={'description': 'Role with read-only permissions to all resources'}
+    )
+
+    for permission in Permission.objects.filter(codename__icontains='view'):
+        role.permissions.add(permission)
+
+
+def delete_system_auditor_role(apps, schema_editor):
+    Role = apps.get_model("core", "Role")
+
+    try:
+        role = Role.objects.get(name='galaxy.auditor')
+    except Role.DoesNotExist:
+        return
+
+    # Delete the role
+    role.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("galaxy", "0052_alter_organization_created_by_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_system_auditor_role, delete_system_auditor_role),
+    ]
diff --git a/galaxy_ng/tests/integration/api/test_system_auditor.py b/galaxy_ng/tests/integration/api/test_system_auditor.py
new file mode 100644
index 0000000000..93248901cd
--- /dev/null
+++ b/galaxy_ng/tests/integration/api/test_system_auditor.py
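Review bot: The filter `Permission.objects.filter(codename__icontains='view')` in create_system_auditor_role matches any codename that merely contains the substring "view", not only Django's `view_<model>` permissions, so a custom codename such as `review_*` or `add_viewer` would be granted by a role whose description promises read-only access; `codename__startswith='view_'` expresses the actual intent. A second caveat: Django creates model permissions in the post_migrate signal, so on a fresh database this data migration may run before some `view_*` rows exist and the role would be silently incomplete — worth either documenting or backing with a post-migrate sync. Finally, the reverse step deletes `galaxy.auditor` even when `get_or_create` found a pre-existing role of that name (`created` is never consulted), which also drops every user assignment attached to it; gating the delete on a role this migration actually created, or at least documenting the destructive reverse, would be safer.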
@@ -0,0 +1,39 @@
+import json
+import os
+import uuid
+
+import pytest
+
+
+pytestmark = pytest.mark.qa  # noqa: F821
+
+
+@pytest.mark.deployment_standalone
+@pytest.mark.min_hub_version("4.10dev")
+@pytest.mark.skipif(
+    os.getenv("ENABLE_DAB_TESTS"),
+    reason="Skipping test because ENABLE_DAB_TESTS is set"
+)
+def test_system_auditor_role_permissions_without_gateway(galaxy_client):
+    """Tests the galaxy.system_auditor role can be added to a user and has the right perms."""
+
+    gc = galaxy_client("admin", ignore_cache=True)
+
+    # make a random user
+    username = str(uuid.uuid4())
+    uinfo = gc.post(
+        "_ui/v1/users/",
+        body=json.dumps({"username": username, "password": "redhat1234"})
+    )
+    uid = uinfo["id"]
+
+    # assign the galaxy.system_auditor role to the user
+    rinfo = gc.post(
+        f"pulp/api/v3/users/{uid}/roles/",
+        body=json.dumps({'content_object': None, 'role': 'galaxy.auditor'})
+    )
+
+    # check that all the permssions are view_* only ...
+    for perm_code in rinfo["permissions"]:
+        perm_name = perm_code.split(".", 1)[1]
+        assert "view_" in perm_name, f"{perm_code} is not a view-only permission"
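Review bot: The final loop in test_system_auditor_role_permissions_without_gateway passes vacuously when `rinfo["permissions"]` comes back empty, and `"view_" in perm_name` is a substring check that would also accept a codename like `add_view_x`; assert the list is non-empty and use a prefix test: `assert rinfo["permissions"], "role assignment returned no permissions"` and `assert perm_name.startswith("view_"), f"{perm_code} is not a view-only permission"`. The docstring and the comment refer to `galaxy.system_auditor` while the request assigns `galaxy.auditor`; the three should agree so a future reader does not look for a role that does not exist. The test also never exercises the assignment itself (for example a write by the new user being rejected), so it proves the role's permission list rather than that the user is effectively read-only, and the created user is not cleaned up afterwards.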