The option to look for, irrespective of language of implementation, is "context". An example of usage may be found in https://github.com/graphql/express-graphql. Basically the context (session or user data) is passed into any resolve function you define, so you may relate operations to permissions using some mechanism you define.

Edit: grammar