I've realized that in implementing the full refresh feature that it's currently reading from the spec and then revoking from the list of databases and schemas in the spec. But this doesn't work well if a role currently has permissions on something and then you want to revoke those permissions. By removing the object from the spec the revoke would be skipped. It should use the results of `show grants`and iterate through the dbs and schemas there to generate the revokes.