that grabs all the User data, what I want is the Admin role to be able to see the email address but not the User role or the client, but with the User collection I created I need to set the permissions to read true for both the regular user role and the public client. How do I prevent the email field being request-able by those roles, and be able to request the email from admin role with the same getUsers query?
It is not possible to hide only some fields with ABAC rules.
The workaround for Graphql to separate fields with permissions is to make a separate UserProfile type that is separate from an UserAccount type, where the former can be more public and the latter requires admin permissions.
This is also possible in plain FQL by, for example, specifying a user permission to have access to a UDF that that gets the user document and only returns the white-listed fields. But this kind of tight control is not yet available with the GraphQL API. You could create a new @embedded type that is a simplified version of the User info, but then you’ll lose benefits of the relationships, since @relation is not permitted on embedded types.