diff --git a/internal/auth/internal/controllers/trafficpermissions/builder.go b/internal/auth/internal/controllers/trafficpermissions/builder.go
index 3fa129f999..88018c20f0 100644
--- a/internal/auth/internal/controllers/trafficpermissions/builder.go
+++ b/internal/auth/internal/controllers/trafficpermissions/builder.go
@@ -41,7 +41,7 @@ func newTrafficPermissionsBuilder(expander expander.SamenessGroupExpander, sgMap
 // track will use all associated XTrafficPermissions to create new ComputedTrafficPermissions samenessGroupsForTrafficPermission
 func track[S types.XTrafficPermissions](tpb *trafficPermissionsBuilder, xtp *resource.DecodedResource[S]) {
- missingSamenessGroups := tpb.sgExpander.Expand(xtp.Data, tpb.sgMap)
+ permissions, missingSamenessGroups := tpb.sgExpander.Expand(xtp.Data, tpb.sgMap)
 if len(missingSamenessGroups) > 0 {
 tpb.missing[resource.NewReferenceKey(xtp.Id)] = missingSamenessGroupReferences{
@@ -53,9 +53,9 @@ func track[S types.XTrafficPermissions](tpb *trafficPermissionsBuilder, xtp *res
 tpb.isDefault = false
 if xtp.Data.GetAction() == pbauth.Action_ACTION_ALLOW {
- tpb.allowedPermissions = append(tpb.allowedPermissions, xtp.Data.GetPermissions()...)
+ tpb.allowedPermissions = append(tpb.allowedPermissions, permissions...)
 } else {
- tpb.denyPermissions = append(tpb.denyPermissions, xtp.Data.GetPermissions()...)
+ tpb.denyPermissions = append(tpb.denyPermissions, permissions...)
 }
 }
diff --git a/internal/auth/internal/controllers/trafficpermissions/expander/expander_ce/expander_ce.go b/internal/auth/internal/controllers/trafficpermissions/expander/expander_ce/expander_ce.go
index 0ae1436230..a69020b0e5 100644
--- a/internal/auth/internal/controllers/trafficpermissions/expander/expander_ce/expander_ce.go
+++ b/internal/auth/internal/controllers/trafficpermissions/expander/expander_ce/expander_ce.go
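Review bot: `permissions` is appended in the second builder.go hunk even when the first hunk's `len(missingSamenessGroups) > 0` check fires, and nothing in the new code says what an expander returns for sources whose sameness group could not be resolved. On the allow branch a shorter list only narrows access, but on `tpb.denyPermissions = append(tpb.denyPermissions, permissions...)` an expander that omits unresolved sources would silently narrow a deny rule, which fails open. Only the CE expander is visible in this diff and it returns the permissions unchanged, so this is a contract to pin down rather than a confirmed bug. I would state it on `track` with a comment such as `// permissions must stay complete for deny rules even when sameness groups are missing` and cover it with a test using an expander stub that reports a missing group. The body of `track` is only partly visible across the two hunks, so the handling inside the `if` block could not be checked.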
@@ -23,10 +23,9 @@ func New() *SamenessGroupExpander {
 return &SamenessGroupExpander{}
 }
-func (sgE *SamenessGroupExpander) Expand(_ types.XTrafficPermissions,
- _ map[string][]*pbmulticluster.SamenessGroupMember) []string {
- // no-op for CE
- return nil
+func (sgE *SamenessGroupExpander) Expand(xtp types.XTrafficPermissions,
+ _ map[string][]*pbmulticluster.SamenessGroupMember) ([]*pbauth.Permission, []string) {
+ return xtp.GetPermissions(), nil
 }
 func (sgE *SamenessGroupExpander) List(_ context.Context, _ controller.Runtime,
diff --git a/internal/auth/internal/controllers/trafficpermissions/expander/interface.go b/internal/auth/internal/controllers/trafficpermissions/expander/interface.go
index 421f41c9c5..ea050aeb47 100644
--- a/internal/auth/internal/controllers/trafficpermissions/expander/interface.go
+++ b/internal/auth/internal/controllers/trafficpermissions/expander/interface.go
@@ -8,11 +8,13 @@ import (
 "github.com/hashicorp/consul/internal/auth/internal/types"
 "github.com/hashicorp/consul/internal/controller"
+
+ pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
 pbmulticluster "github.com/hashicorp/consul/proto-public/pbmulticluster/v2beta1"
 )
 // SamenessGroupExpander is used to expand sameness group for a ComputedTrafficPermission resource
 type SamenessGroupExpander interface {
- Expand(types.XTrafficPermissions, map[string][]*pbmulticluster.SamenessGroupMember) []string
+ Expand(types.XTrafficPermissions, map[string][]*pbmulticluster.SamenessGroupMember) ([]*pbauth.Permission, []string)
 List(context.Context, controller.Runtime, controller.Request) (map[string][]*pbmulticluster.SamenessGroupMember, error)
 }
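Review bot: The rewritten CE `Expand` dropped its only comment (`// no-op for CE`) and is now undocumented, although it is no longer a no-op: the builder's allow and deny lists are filled from its first return value. I would add a doc comment such as `// Expand returns xtp's permissions unchanged and never reports missing sameness groups; CE performs no expansion.` The result is whatever `xtp.GetPermissions()` hands back, presumably the message's own slice and not a copy, so the comment should also say callers must treat it as read-only.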
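Review bot: The new interface method returns two unnamed results, `([]*pbauth.Permission, []string)`, and nothing in the declaration says which is which. Naming them in the signature, `Expand(types.XTrafficPermissions, map[string][]*pbmulticluster.SamenessGroupMember) (permissions []*pbauth.Permission, missingSamenessGroups []string)`, costs nothing and matches the variable names the builder already uses. A short method comment should also say that implementations must not modify the `XTrafficPermissions` they are given, since the CE implementation returns the input's permissions directly.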