diff --git a/internal/mesh/internal/types/proxy_state_template.go b/internal/mesh/internal/types/proxy_state_template.go
index c71ecd9de8e9d..73839825e80f3 100644
--- a/internal/mesh/internal/types/proxy_state_template.go
+++ b/internal/mesh/internal/types/proxy_state_template.go
@@ -28,15 +28,27 @@ func RegisterProxyStateTemplate(r resource.Registry) {
 		Validate: nil,
 		ACLs: &resource.ACLHooks{
 			Read: func(authorizer acl.Authorizer, id *pbresource.ID) error {
-				return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+				// Check service:read and operator:read permissions.
+				// If service:read is not allowed, check operator:read.
+				serviceReadErr := authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+				operatorReadErr := authorizer.ToAllowAuthorizer().OperatorReadAllowed(resource.AuthorizerContext(id.Tenancy))
+
+				switch {
+				case serviceReadErr != nil:
+					return serviceReadErr
+				case operatorReadErr != nil:
+					return operatorReadErr
+				}
+
+				return nil
 			},
 			Write: func(authorizer acl.Authorizer, p *pbresource.Resource) error {
 				// Require operator:write only for "break-glass" scenarios as this resource should be mostly
-				// be managed by the mesh controller.
+				// managed by a controller.
 				return authorizer.ToAllowAuthorizer().OperatorWriteAllowed(resource.AuthorizerContext(p.Id.Tenancy))
 			},
 			List: func(authorizer acl.Authorizer, tenancy *pbresource.Tenancy) error {
-				// No-op List permission as we want to default to filtering resource resources
+				// No-op List permission as we want to default to filtering resources
 				// from the list using the Read enforcement.
 				return nil
 			},
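Review bot: The comment added in the Read hook says operator:read is checked "if service:read is not allowed", which reads as a fallback, but the switch returns an error when either check fails, so the code requires both permissions. Since List is a no-op that relies on Read for filtering, this determines which tokens can see proxy state templates at all, so the intent should be stated unambiguously. If requiring both is intended, reword the comment to something like `// Require both service:read and operator:read; a denial from either rejects the read.` If a fallback is intended, the hook should return nil as soon as one check succeeds. Either way, returning early on `serviceReadErr` and then returning the `OperatorReadAllowed` result directly would avoid evaluating the second check when the first has already denied, and would drop the switch. The enclosing RegisterProxyStateTemplate starts and ends outside this hunk.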