diff --git a/internal/mesh/internal/types/proxy_state_template.go b/internal/mesh/internal/types/proxy_state_template.go
index c71ecd9de8e9..7f46190ea015 100644
--- a/internal/mesh/internal/types/proxy_state_template.go
+++ b/internal/mesh/internal/types/proxy_state_template.go
@@ -28,15 +28,29 @@ func RegisterProxyStateTemplate(r resource.Registry) {
 			Validate: nil,
 			ACLs: &resource.ACLHooks{
 				Read: func(authorizer acl.Authorizer, id *pbresource.ID) error {
-					return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+					// Check service:read and operator:read permissions.
+					// If service:read is not allowed, check operator:read. We want to allow both as this
+					// resource is mostly useful for debuggability and we want to cover
+					// the most cases that serve that purpose.
+					serviceReadErr := authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+					operatorReadErr := authorizer.ToAllowAuthorizer().OperatorReadAllowed(resource.AuthorizerContext(id.Tenancy))
+
+					switch {
+					case serviceReadErr != nil:
+						return serviceReadErr
+					case operatorReadErr != nil:
+						return operatorReadErr
+					}
+
+					return nil
 				},
 				Write: func(authorizer acl.Authorizer, p *pbresource.Resource) error {
 					// Require operator:write only for "break-glass" scenarios as this resource should be mostly
-					// be managed by the mesh controller.
+					// managed by a controller.
 					return authorizer.ToAllowAuthorizer().OperatorWriteAllowed(resource.AuthorizerContext(p.Id.Tenancy))
 				},
 				List: func(authorizer acl.Authorizer, tenancy *pbresource.Tenancy) error {
-					// No-op List permission as we want to default to filtering resource resources
+					// No-op List permission as we want to default to filtering resources
 					// from the list using the Read enforcement.
 					return nil
 				},
diff --git a/proto-public/pbmesh/v1alpha1/proxy_state.pb.go b/proto-public/pbmesh/v1alpha1/proxy_state.pb.go
index ab763966485f..cb858b6d1d78 100644
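Review bot: The new switch in the Read hook requires both service:read and operator:read to succeed, while the comment directly above it says operator:read is the fallback when service:read is denied — a caller without service:read hits the first case and is rejected before operator:read is ever consulted, so the operator-only debugging path the comment describes never opens. Returning nil when either check passes, and the service:read error otherwise (the more specific denial), matches the stated intent and keeps the fail-closed outcome when both are denied. Evaluating operator:read only after service:read has failed also avoids an unnecessary authorizer call on the common path and reads the way the comment is worded. RegisterProxyStateTemplate begins before this hunk and its body continues past it.
```go
				Read: func(authorizer acl.Authorizer, id *pbresource.ID) error {
					// … unchanged: comment explaining the service:read / operator:read intent …
					serviceReadErr := authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
					if serviceReadErr == nil {
						return nil
					}
					// service:read was denied; operator:read alone is sufficient for this debug-oriented resource.
					if err := authorizer.ToAllowAuthorizer().OperatorReadAllowed(resource.AuthorizerContext(id.Tenancy)); err == nil {
						return nil
					}
					// Both denied: surface the service-scoped denial, which is the more specific one.
					return serviceReadErr
```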
--- a/proto-public/pbmesh/v1alpha1/proxy_state.pb.go
+++ b/proto-public/pbmesh/v1alpha1/proxy_state.pb.go
@@ -105,7 +105,8 @@ type ProxyState struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// identity is a reference to the WorkloadIdentity associated with this proxy.
+	// id is this proxy's identity. This should correspond to the workload identity that this proxy of
+	// the workload this proxy represents.
 	Identity *pbresource.Reference `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
 	// listeners is a list of listeners for this proxy.
 	Listeners []*pbproxystate.Listener `protobuf:"bytes,2,rep,name=listeners,proto3" json:"listeners,omitempty"`