Add role revocation when comparing permissions to spec
As a part of ensuring that the state of the permissions on Snowflake matches the spec definition, a first iteration is to validate role memberships first and revoke roles from users and other roles if they don't match.