Any third-party GraphQL library worth its salt should implement some kind of ACL. It seems to be the case with the most popular ones [1] [2]. One simple idea is to implement authorization in the data models. GraphQL delegates ~get~ and ~list~ to a resource model that could implement authorization based on the context of the request.
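
A sketch of the model-level authorization idea described above, as an added example that is not part of the original comment and not taken from any GraphQL library. The `Document` model, the `ctx.user` shape, the role names and the sample records are all hypothetical; the resolvers only mirror the usual `(parent, args, context)` signature and use no real library.

```javascript
// Constructed sample data; Document, ownerId and ctx.user are hypothetical names.
const DOCS = [
  { id: "1", ownerId: "alice", title: "Q3 budget", public: false },
  { id: "2", ownerId: "bob", title: "Roadmap", public: true },
  { id: "3", ownerId: "bob", title: "Salary review", public: false },
];

class ForbiddenError extends Error {}

// The model is the only code that touches the store, so every access path
// (GraphQL, REST, batch job) goes through the same checks.
const Document = {
  canRead(ctx, doc) {
    if (doc.public) return true;
    if (!ctx || !ctx.user) return false; // anonymous caller: deny by default
    return ctx.user.role === "admin" || ctx.user.id === doc.ownerId;
  },
  get(ctx, id) {
    const doc = DOCS.find((d) => d.id === id);
    // Same error for "missing" and "not allowed" so ids cannot be probed.
    if (!doc || !this.canRead(ctx, doc)) throw new ForbiddenError("not found");
    return doc;
  },
  list(ctx) {
    // Filter instead of throwing: a list holds only what the caller may see.
    return DOCS.filter((d) => this.canRead(ctx, d));
  },
};

// Resolvers carry no authorization logic; they only forward the request context.
const resolvers = {
  Query: {
    document: (_parent, args, ctx) => Document.get(ctx, args.id),
    documents: (_parent, _args, ctx) => Document.list(ctx),
  },
};

// Demonstration helpers: call the resolvers and report the outcome.
function tryGet(ctx, id) {
  try {
    return resolvers.Query.document(null, { id }, ctx).title;
  } catch (e) {
    if (e instanceof ForbiddenError) return "DENIED";
    throw e;
  }
}
function listIds(ctx) {
  return resolvers.Query.documents(null, {}, ctx).map((d) => d.id).join(",");
}
```

Because the checks live in `get` and `list`, a new resolver or a nested field that reaches documents through the model inherits them without extra code.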