diff --git a/pkg/resources/grant_helpers.go b/pkg/resources/grant_helpers.go
index 13b64ce8b8..7e777707c9 100644
--- a/pkg/resources/grant_helpers.go
+++ b/pkg/resources/grant_helpers.go
@@ -267,26 +267,39 @@ func readGenericGrant(
 		}
 	}
 
-	existingRoles := d.Get("roles").(*schema.Set)
+	var existingRoles *schema.Set
+	if v, ok := d.GetOk("roles"); ok {
+		existingRoles = v.(*schema.Set)
+	}
 	multipleGrantFeatureFlag := d.Get("enable_multiple_grants").(bool)
 	var roles, shares []string
-
-	// Now see which roles have our privilege
+	// Now see which roles have our privilege.
 	for roleName, privileges := range rolePrivileges {
-		// Where priv is not all so it should match exactly
-		// Match to currently assigned roles or let everything through if no specific role grants
-		if privileges.hasString(priv) && !multipleGrantFeatureFlag {
-			roles = append(roles, roleName)
-		} else if privileges.hasString(priv) && (existingRoles.Contains(roleName) || existingRoles.Len() == 0) && multipleGrantFeatureFlag {
-			roles = append(roles, roleName)
+		if privileges.hasString(priv) {
+			// If multiple grants is not enabled then we care about what roles have privilige.
+			if !multipleGrantFeatureFlag {
+				roles = append(roles, roleName)
+				// otherwise we only care if the role is something we are already managing, or if future object grants are enabled.
+			} else if existingRoles.Contains(roleName) && !futureObjects {
+				roles = append(roles, roleName)
+			}
 		}
 	}
 
-	// Now see which shares have our privilege
+	var existingShares *schema.Set
+	if v, ok := d.GetOk("shares"); ok {
+		existingShares = v.(*schema.Set)
+	}
+	// Now see which shares have our privilege.
 	for shareName, privileges := range sharePrivileges {
-		// Where priv is not all so it should match exactly
 		if privileges.hasString(priv) {
-			shares = append(shares, shareName)
+			// If multiple grants is not enabled then we care about what shares have privilige.
+			if !multipleGrantFeatureFlag {
+				shares = append(shares, shareName)
+			} else if existingShares.Contains(shareName) && !futureObjects {
+				// otherwise we only care if the share is something we are already managing or if future object grants are enabled.
+				shares = append(shares, shareName)
+			}
 		}
 	}