You can also have to separate UDF functions that can be accessed according to the ABAC user roles you set. For example:
type Query {
getUsers: [User]
getUsersForAdmin: [User]
}
Then in the FQL of the UDFs, you can hide specific values that are returned back with the Merge function. Here is a solution someone else implemented. Hiding some fields in the return model - #6 by Luigi_Servini