The documentation on ALTER DEFAULT PRIVILEGES currently defines the
parameter target_role like this:
> The name of an existing role of which the current role is a member. If FOR
ROLE is omitted, the current role is assumed.
To be honest, this didn't help me to understand the purpose of the FOR ROLE
clause. And the rest of the section doesn't really explain it, either.
Also, the first part doesn't seem to be true. I mean, as user postgres,
something like this succeeds:
> ALTER DEFAULT PRIVILEGES FOR ROLE juser IN SCHEMA public GRANT select ON
TABLES TO backenduser;
ALTER DEFAULT PRIVILEGES
Seems like a contradiction to the first sentence because user postgres
(although it's a superuser) isn't a member of role juser.
What I expected from that section is an explanation of the FOR ROLE
My current understanding is this: default privileges definitions are bound
to one or multiple roles. That means that only when the FOR ROLE role(s)
create(s) a specified object then the specified GRANT is automatically
applied to it. Other roles aren't affected by that default privileges