diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index d8803f6712cf3de414c904114187dd188ecca0e3..a45b5100638d01e93912b2b60f7cc0f4808a3596 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -25,14 +25,7 @@ class BasePolicy < DeclarativePolicy::Base
 desc "User is an instance admin"
 with_options scope: :user, score: 0
 condition(:admin) do
- next false if @user&.from_ci_job_token?
- next true if user_is_user? && @user.admin_bot?
-
- if Gitlab::CurrentSettings.admin_mode
- @user&.admin? && Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
- else
- @user&.admin?
- end
+ user_is_admin?
 end

 desc "The current instance is a GitLab Dedicated instance"
@@ -109,11 +102,13 @@ class BasePolicy < DeclarativePolicy::Base
 ::Gitlab::ExternalAuthorization.perform_check?
 end

+ condition(:user_can_read_cross_project, scope: :user, score: 0) do
+ user_can_read_cross_project?
+ end
+
 rule { ~in_current_organization }.prevent_all

- rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do
- prevent :read_cross_project
- end
+ rule { external_authorization_enabled & ~user_can_read_cross_project }.prevent :read_cross_project

 rule { admin }.policy do
 # Only for actual administrator accounts, behavior affected by admin mode application setting
@@ -140,6 +135,17 @@ def user_is_user?
 user.is_a?(User)
 end

+ def user_is_admin?
+ return false if @user&.from_ci_job_token?
+ return true if user_is_user? && @user.admin_bot?
+
+ if Gitlab::CurrentSettings.admin_mode
+ @user&.admin? && Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
+ else
+ @user&.admin?
+ end
+ end
+
 def owns_organization?(org)
 return false unless org.present?
 return false unless user_is_user?
@@ -158,6 +164,10 @@ def admin_mode_required?

 !Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
 end
+
+ def user_can_read_cross_project?
+ user_is_admin?
+ end
 end

BasePolicy.prepend_mod_with('BasePolicy')
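Review bot: The rewritten rule on the `+ rule { external_authorization_enabled & ~user_can_read_cross_project }` line no longer consults the `:read_all_resources` ability, so any rule elsewhere in the policy tree that enables or prevents that ability for an actor stops influencing the external-authorization exemption; only `user_is_admin?` (plus `user_is_auditor?` via the EE override in this diff) now decides. If some other rule grants `:read_all_resources` — none is visible in this hunk, so this is a question rather than a confirmed defect — those actors silently lose `read_cross_project` under external authorization, and a `prevent :read_all_resources` that previously applied to an admin no longer takes effect here. I'd put `# Must stay in sync with the rules that enable :read_all_resources (admin here, auditor in EE)` above the rule and add a spec asserting `user_can_read_cross_project` agrees with `can?(:read_all_resources)` for each actor type.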
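Review bot: `user_is_admin?` becomes a reusable helper that the EE policy in this diff also calls, but it carries no comment, and the order of its checks matters: the `return true if user_is_user? && @user.admin_bot?` line short-circuits before the admin-mode branch, so the admin bot counts as admin regardless of the `admin_mode` setting. I'd document that contract above the method, e.g. `# Admin for policy purposes: never for CI job-token actors, always for the admin bot, otherwise @user.admin? gated on admin mode when that setting is on.` Whether this definition lands under a `private` marker depends on lines above the hunk.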
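Review bot: `user_can_read_cross_project?` is the CE half of a seam that the EE module in this diff redefines to include auditors, yet nothing in this file says so, and a reader of CE alone cannot tell why it exists separately from `user_is_admin?`. I'd add above it `# Actors exempt from the external-authorization cross-project restriction; EE extends this to auditors.` so the two definitions are kept in step when either one changes.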
diff --git a/ee/app/policies/ee/base_policy.rb b/ee/app/policies/ee/base_policy.rb
index 05c2b1a6dbe08736d68ba8a2cfebf76cd6401602..9a4412b05a69262015d4b2543b2bdc5d6d5336c6 100644
--- a/ee/app/policies/ee/base_policy.rb
+++ b/ee/app/policies/ee/base_policy.rb
@@ -7,10 +7,7 @@ module BasePolicy
 prepended do
 with_scope :user
 condition(:auditor, score: 0) do
- # We pass in Gitlab::Auth::GroupSaml::TokenActor to policies via
- # Groups::SsoController#check_user_can_sign_in_with_provider.
- # However, only User can be an auditor.
- @user.respond_to?(:auditor?) && @user.auditor?
+ user_is_auditor?
 end

 with_scope :user
@@ -39,11 +36,24 @@ module BasePolicy
 end

 # token_info is set when authenticating user with a token. ai_workflows scope is used only by requests sent by Duo
- # Workflow.This is a temporary solution until https://gitlab.com/gitlab-org/gitlab/-/issues/468370 is done.
+ # Workflow. This is a temporary solution until https://gitlab.com/gitlab-org/gitlab/-/issues/468370 is done.
 with_scope :user
 condition(:duo_workflow_token, score: 0) do
 ::Current.token_info.present? && Array.wrap(Current.token_info[:token_scopes]).include?(:ai_workflows)
 end
+
+ private
+
+ def user_is_auditor?
+ # We pass in Gitlab::Auth::GroupSaml::TokenActor to policies via
+ # Groups::SsoController#check_user_can_sign_in_with_provider.
+ # However, only User can be an auditor.
+ @user.respond_to?(:auditor?) && @user.auditor?
+ end
+
+ def user_can_read_cross_project?
+ user_is_auditor? | user_is_admin?
+ end
 end
 end
 end
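Review bot: The `+ private` marker and the two new `def`s are inserted before the `end` that, judging by the three trailing `end`s left for the block and the two modules, closes the `prepended do` block — so they are class_eval'd straight onto BasePolicy rather than living in the EE module, and `user_can_read_cross_project?` silently redefines the CE method on the same class instead of overriding it by prepend (it could never call `super`). Moving `private` and both methods after the block's `end`, into the module body, gives the usual EE override. Separately, `user_is_auditor? | user_is_admin?` uses the non-short-circuiting `|`, so `user_is_admin?` — which constructs `Gitlab::Auth::CurrentUserMode` when admin mode is on — runs even for auditors; `user_is_auditor? || user_is_admin?` is the idiomatic form.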