ACL is currently an enterprise edition feature, so you would need to get a license or implement your own workaround. For what it’s worth, an ACL can be expressed natively as a graph. Depending on your preferred access structure (role-based, discretionary, mandatory, etc.), you could probably apply some middleware that: 1) parses any given GraphQL± query; 2) applies a transformation that results in all components of the underlying query also being described in their relation to the access control structure for a given user; 3) passes the transformed query to Dgraph; and 4) processes the result to perform any remaining access validation while transforming the result structure back to the shape of the original untransformed query.
This approach would very likely not be as performant as the enterprise feature, but it’s something.
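A minimal sketch of the ACL-as-graph idea and of step 4 (result filtering), added here as an example; it is not part of the original post and not Dgraph's own ACL code. The edge relations (`member_of`, `inherits`, `can_read`), the predicate-level granularity, and all sample data are assumptions constructed for illustration.

```python
from collections import deque

# Constructed ACL graph (assumption): edges are (source, relation, target).
# Users belong to roles, roles may inherit roles, roles may read predicates.
ACL_EDGES = [
    ("user:alice", "member_of", "role:analyst"),
    ("user:bob", "member_of", "role:admin"),
    ("role:admin", "inherits", "role:analyst"),
    ("role:analyst", "can_read", "pred:name"),
    ("role:analyst", "can_read", "pred:friend"),
    ("role:admin", "can_read", "pred:email"),
]

def readable_predicates(user, edges=ACL_EDGES):
    """Walk member_of/inherits edges from the user; collect can_read targets."""
    out = {}
    for src, rel, dst in edges:
        out.setdefault(src, []).append((rel, dst))
    seen, allowed, queue = {user}, set(), deque([user])
    while queue:
        node = queue.popleft()
        for rel, dst in out.get(node, []):
            if rel == "can_read":
                allowed.add(dst.split(":", 1)[1])
            elif rel in ("member_of", "inherits") and dst not in seen:
                seen.add(dst)  # guards against cycles in role inheritance
                queue.append(dst)
    return allowed  # empty for unknown users: default deny

def prune_result(node, allowed):
    """Step 4: drop every key the user may not read, recursing into nesting."""
    if isinstance(node, list):
        return [prune_result(item, allowed) for item in node]
    if isinstance(node, dict):
        return {k: prune_result(v, allowed)
                for k, v in node.items() if k in allowed}
    return node

# Constructed sample: the list found under one query block of a JSON response.
SAMPLE_RESULT = [
    {"name": "Carol", "email": "carol@example.com",
     "friend": [{"name": "Dave", "email": "dave@example.com"}]},
]

if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:mallory"):
        print(u, prune_result(SAMPLE_RESULT, readable_predicates(u)))
```

Filtering the result alone does not stop a denied predicate from being used inside a filter or ordering clause, which is why the query-side transformation in steps 1 to 3 is still needed.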