Received-SPF: Pass (protection.outlook.com: domain of niwa.co.nz designates
 104.47.71.168 as permitted sender) receiver=protection.outlook.com;
 client-ip=104.47.71.168; helo=AUS01-SY4-obe.outbound.protection.outlook.com;
 pr=C
From: Brent Wood <Brent.Wood@niwa.co.nz>
To: Andreas Joseph Krogh <andreas@visena.com>
CC: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM
 PUBLIC
Thread-Topic: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM
 PUBLIC
Thread-Index: AQHbBMWnf9hAXuNPkUGaVRlrp4U9tLJTkTOAgAABt8M=
Date: Thu, 12 Sep 2024 04:48:23 +0000
Message-ID:
 <SY7P300MB07611F2D0067FA7A417DCB29A1642@SY7P300MB0761.AUSP300.PROD.OUTLOOK.COM>
References:
 <VisenaEmail.0.81936c517b2d9cfe.191e44de951@origo-test01.app.internal.visena.net>
 <3952715.1726115805@sss.pgh.pa.us>
In-Reply-To: <3952715.1726115805@sss.pgh.pa.us>
Accept-Language: en-US
Content-Language: en-US
msip_labels:
Authentication-Results-Original: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=niwa.co.nz;
x-ms-traffictypediagnostic:
	SY7P300MB0761:EE_|SY3PPF9AB546352:EE_|SY3PEPF0000A726:EE_|ME0P300MB0425:EE_
X-MS-Office365-Filtering-Correlation-Id: c36775ad-86f3-4bf0-78eb-08dcd2e62481
x-niwa-seemail: Out
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted:
 BCL:0;ARA:13230040|366016|69100299015|1800799024|376014|38070700018;
X-Microsoft-Antispam-Message-Info-Original:
 =?us-ascii?Q?0SAcO36IACpjov/FTYhuHvfWM/hIaqwsIqyyBA6dIq6vhlusvg5FnoAciwZl?=
 =?us-ascii?Q?FS9gOnbgwYEs6/K8hMukVvN6NKgHSpPF4WSJMqo0scupGwzw5qOoShe5uy5T?=
 =?us-ascii?Q?WQX4lB5MhqY2mYISCBGQy+JC8sa2GoASjK7Tv3dMWtZ8yUUKlRqZavf4Yar4?=
 =?us-ascii?Q?Sj+R0ZqjDE944d+PBIVVj/GpoRGQsFcViMTgYZOlLK5HygNNCGnzWeWKejxw?=
 =?us-ascii?Q?FtAH2m/uW9oAylWRxsuzVRzL/Tp/aAoNlGmLufAP0UuS/26LsBXquu8TM62B?=
 =?us-ascii?Q?TIVu1S+nUonLXwQMj3l+Ech1xVL4OhTZ7EivaqfsvIQTn6MLsYynZQIi109y?=
 =?us-ascii?Q?u5T9b5/J2E64xV3Lzvii/3kJq/pNkG6l17ZE6PIR+Xq6432sq9naxwQpzmxS?=
 =?us-ascii?Q?kDUbTPM+0XC9EH1X4vXLlie8imdoBgK9zbxgFkAP4/8yafPW7/nM1nhz//xM?=
 =?us-ascii?Q?1RiT1LpUjP5vDqMJgoDLX2QNDynAuxqh37YXT025aXQfzGSj0orAXTjZkznY?=
 =?us-ascii?Q?iAK7XocD9axcCf9yUt0P1ORUAlucOcxPlw8cxO1duIYHuIFwZKffJ53wikdM?=
 =?us-ascii?Q?OcJi9oICBTkGBFBte0tUWwNsjnl6CEuEDwWUomwDH6GmfgPzUkwC/kMOdh7m?=
 =?us-ascii?Q?YpW3zDJ/y/m4XL8+lVvlUJ2nMXkAe4kvuVK+Z3gDD9YKTvSt3yyfBfaC/66Y?=
 =?us-ascii?Q?4TiJHdzBqwiombGOkODr+WyArmB5dXtnsirRj5DVLrYTtGKTMDEy1eovbUAG?=
 =?us-ascii?Q?nYYd/6egXZjp79dh3a52sN2Fa7eyOV5J0heXADr0yM4YPWdrfCHPppSdV1u2?=
 =?us-ascii?Q?0C1PdU7HpmrTxzl5LP3zjxuU/iekcGvR4mS4Uf/d/S9NSBMnsfpEWKzB3VNj?=
 =?us-ascii?Q?9vcrGPpHIbttDCUpfHaTHF+94EdtPVbAVOoUh0CAnTwtwU29/voS17hw+hNP?=
 =?us-ascii?Q?4fWGN/dMY8GXziEqTyajAHft2v05tTPYyWzQ6693ABE9RkWnDvrQJgm5q47c?=
 =?us-ascii?Q?xvtU/1VnuWW6jZNJBWWJlH8yz7HpD8HNzSjZstPDzZAyu7uM5UP4P2zi+nBp?=
 =?us-ascii?Q?D0ZZx6w2OyAvZzNeXbWtuyYgjsKzjLEEkDZE4TDutF/tQCq4KElNRN8UA4nT?=
 =?us-ascii?Q?jLnEtt5FNPx/Zl7+5fCzUMSLlNalIBtoARddWSwqkpns+6wWdA8Jd+gLovQG?=
 =?us-ascii?Q?AsqLXObUiI6ai3oixWV1HNRoJsOUUzPpK4hGJk5eTLd9KJ2ez6yoQtDGsh9g?=
 =?us-ascii?Q?B/H/oChNq42CzWCwU7Tjr06tyyqDmfz22sovIk3EMJ1STnTfUH4vSF3isDw9?=
 =?us-ascii?Q?det8VjCCPFeKBiqQUf0WWFjLgCwN2d6CZMsATf3r3T1/N7Flz8ndojumxiv9?=
 =?us-ascii?Q?CCVJDUcSO+lD7rddXne6RevNLUPsk/hduN+6I4sLbSZtO/UQSw=3D=3D?=
X-Forefront-Antispam-Report-Untrusted:
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SY7P300MB0761.AUSP300.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(69100299015)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;
Content-Type: multipart/alternative;
	boundary="_000_SY7P300MB07611F2D0067FA7A417DCB29A1642SY7P300MB0761AUSP_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY3PPF9AB546352
X-EOPAttributedMessage: 0
X-MS-Exchange-SkipListedInternetSender:
 ip=[104.47.71.168];domain=AUS01-SY4-obe.outbound.protection.outlook.com
X-MS-Exchange-ExternalOriginalInternetSender:
 ip=[104.47.71.168];domain=AUS01-SY4-obe.outbound.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 SY3PEPF0000A726.ausprd01.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
	7561cf11-eb01-433a-8a38-08dcd2e62249
X-Microsoft-Antispam:
	BCL:0;ARA:13230040|82310400026|69100299015|36860700013|1800799024|1032899013|35042699022|376014;
X-Microsoft-Antispam-Message-Info:
	lnmLD0fv/TPGUyEdex/96cQORrKX2lRVg15O51/1+o35wKJYCj5IttkooiH2RLTknBTJyzzDjNEPhMwj0ld/Rxk9JiN6t1y+RxMFPkb2WVoQGagJdqODcK0znBjSJXIBGAMvrjQy/nvYFKuJfIKAffYNtEojf54196MrS7w1otTZ5JnlGDC4bDwwofv+72lXmNlvrteItO8yiVvYxYQ2zg9SnHvmDCgErYU35/RqNn3l+gLirB49HGgtSpFqe7r1nrLxN/0KZAN+1EKXOVcot7G7mCwjnpF51BryhqJaXZp6eP6daq8lwJqlsc5o2BXRtS3aj8Sx0AsScrdjrO6cxEhzP+Uu8pLGYCqMxnTCTNeryLHZ/ISrz72fLQ5dieHvdxAkyVvT7P6VzwzmmmqDCK9EtAIcLVnWBBZ7cSp6kkQGUCVikZmnBusJDdsJ7+2xEuCNqKo4ITZUNNDw6d7G0gHq+B0sxANadpEziBeGk8d60LjNWHH9+4bXfC0/N95xqL/ZxD0bYVG0W5s8bElo+91LN1tT13akTAkwWJUBl4gg380PERxoTLCVLDGEJPB9h9bj1LVnRzeFtlZgnEuGX2jZQheqt4UnKVwlfNOAjxghpNrGI8Fh82995Ga6SsKAB3U0iVYq1GYlEJxi2c1H8uMSgG16OZrgxFTKRLC3rUWQYBiCjLT/1hNIAlpQqw263xG2z+J6tUxQm9nEGewl11LO0k/vltIBeZ5suwVXu2ZvPQsjhOcpHZn+eT7oavAl9/+3QYbLsYkEHh2KE2JH2q34Fbe5TJlcsETs8lnPZB+LbNzeoyHUFXGLecKoCPK8w53SAQBFhYn7jKHKXXK5kQ==
X-Forefront-Antispam-Report:
	CIP:103.229.249.34;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AUS01-SY4-obe.outbound.protection.outlook.com;PTR:mail-sy4aus01lp2168.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(82310400026)(69100299015)(36860700013)(1800799024)(1032899013)(35042699022)(376014);DIR:OUT;SFP:1102;
X-OriginatorOrg: niwa.co.nz
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Sep 2024 04:48:27.5293
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c36775ad-86f3-4bf0-78eb-08dcd2e62481
X-MS-Exchange-CrossTenant-Id: 41caed73-6a0c-468a-ba49-9ff6aafd1c77
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=41caed73-6a0c-468a-ba49-9ff6aafd1c77;Ip=[103.229.249.34];Helo=[hamlmail.dmz.niwa.co.nz]
X-MS-Exchange-CrossTenant-AuthSource:
	SY3PEPF0000A726.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME0P300MB0425
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/SY7P300MB07611F2D0067FA7A417DCB29A1642%40SY7P300MB0761.AUSP300.PROD.OUTLOOK.COM>
Precedence: bulk

--_000_SY7P300MB07611F2D0067FA7A417DCB29A1642SY7P300MB0761AUSP_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Could you use FDW's in another completely separate db for them to access so=
 they have no direct access to the source data (or database), only the link=
ed tables which have no local data, other users, etc,  present at all?

Which is sort of what was suggested: "Put some kind of restrictive app in f=
ront of the database." This other db could be that app?

Brent Wood

Principal Technician, Fisheries
NIWA
DDI:  +64 (4) 3860529

________________________________
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Thursday, September 12, 2024 16:36
To: Andreas Joseph Krogh <andreas@visena.com>
Cc: pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FR=
OM PUBLIC

Andreas Joseph Krogh <andreas@visena.com> writes:
> Motivation: I have PowerBI users, with a separate =91reporting=92-role, a=
ccessing
> a database and I want to prevent them from listing all tables, users, dat=
abases
> and view-definitions (to not see the underlying query).

Postgres is not designed to support this requirement.

> I'm evaluating this:
> REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC; REVOKE SELE=
CT ON
> ALL TABLES IN SCHEMA information_schema FROM PUBLIC;
> Will this affect =93normal behaviour=94, ie. prevent the planner, or othe=
r
> internal mechanisms, from working properly for sessions logged in with th=
e
> =91reporting=92-role?

Probably 95% of that stuff will still work.  By the same token, there
are plenty of information-leaking code pathways that will still leak.
For instance, your restricted user will have no trouble discovering
the OIDs and names of all extant tables, using something like

do $$ begin
for tid in 1..1000000 loop
  if tid::regclass::text !=3D tid::text then
    raise notice 'tid % is %', tid, tid::regclass;
  end if; end loop;
end $$;

Functions such as pg_describe_object still work fine, too.

Experimenting with psql, a lot of stuff is broken as expected:

busted=3D> \d mytable
ERROR:  permission denied for table pg_class

but some things still work:

busted=3D> \sf sin
CREATE OR REPLACE FUNCTION pg_catalog.sin(double precision)
 RETURNS double precision
 LANGUAGE internal
 IMMUTABLE PARALLEL SAFE STRICT
AS $function$dsin$function$

This is pretty much the other side of the same coin.
The reason you can still parse and plan a query is that
it does not occur to large parts of the backend that there
should be any reason to refuse to read a system catalog.
That carries over to these operations as well.

This recent thread might be enlightening:

https://www.postgresql.org/message-id/flat/18604-04d64b68e981ced6%40postgre=
sql.org<https://www.postgresql.org/message-id/flat/18604-04d64b68e981ced6%4=
0postgresql.org>

If you have a requirement like this, I think the only safe
way to meet it is to not give those users direct SQL access.
Put some kind of restrictive app in front of the database.

                        regards, tom lane


[https://www.niwa.co.nz/static/niwa-2018-horizontal-180.png] <https://www.n=
iwa.co.nz/>
Brent Wood
Principal Technician - GIS and Spatial Data Management
Programme Leader - Environmental Information Delivery
+64-4-386-0529

National Institute of Water & Atmospheric Research Ltd (NIWA)
301 Evans Bay Parade Hataitai Wellington New Zealand
Connect with NIWA: niwa.co.nz<https://www.niwa.co.nz/> Facebook<https://www=
.facebook.com/nzniwa> LinkedIn<https://www.linkedin.com/company/niwa> Twitt=
er<https://twitter.com/niwa_nz> Instagram<https://www.instagram.com/niwa_sc=
ience> YouTube<https://www.youtube.com/channel/UCJ-j3MLMg1H59Ak2UaNLL3A>
To ensure compliance with legal requirements and to maintain cyber security=
 standards, NIWA's IT systems are subject to ongoing monitoring, activity l=
ogging and auditing. This monitoring and auditing service may be provided b=
y third parties. Such third parties can access information transmitted to, =
processed by and stored on NIWA's IT systems.
Note: This email is intended solely for the use of the addressee and may co=
ntain information that is confidential or subject to legal professional pri=
vilege. If you receive this email in error please immediately notify the se=
nder and delete the email.

--_000_SY7P300MB07611F2D0067FA7A417DCB29A1642SY7P300MB0761AUSP_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=
olor: rgb(0, 0, 0);">
Could you use FDW's in another completely separate db for them to access so=
 they have no direct access to the source data (or database), only the link=
ed tables which have no local data, other users, etc,&nbsp; present at all?=
</div>
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=
olor: rgb(0, 0, 0);">
<br>
</div>
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=
olor: rgb(0, 0, 0);">
Which is sort of what was suggested: &quot;Put some kind of restrictive app=
 in front of the database.&quot; This other db could be that app?</div>
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; c=
olor: rgb(0, 0, 0);">
<br>
</div>
<div id=3D"Signature" style=3D"color: inherit;">
<div style=3D"margin-right: 0px; margin-left: 0px; font-family: Calibri, Ar=
ial, Helvetica, sans-serif;">
Brent Wood<br>
<br>
Principal Technician, Fisheries<br>
NIWA<br>
DDI:&nbsp; +64 (4) 3860529</div>
</div>
<div id=3D"appendonsend" style=3D"color: inherit;"></div>
<div style=3D"font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, =
Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style=3D"display: inline-block; width: 98%;">
<div id=3D"divRplyFwdMsg" dir=3D"ltr" style=3D"color: inherit;"><span style=
=3D"font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);=
"><b>From:</b>&nbsp;Tom Lane &lt;tgl@sss.pgh.pa.us&gt;<br>
<b>Sent:</b>&nbsp;Thursday, September 12, 2024 16:36<br>
<b>To:</b>&nbsp;Andreas Joseph Krogh &lt;andreas@visena.com&gt;<br>
<b>Cc:</b>&nbsp;pgsql-general@lists.postgresql.org &lt;pgsql-general@lists.=
postgresql.org&gt;<br>
<b>Subject:</b>&nbsp;Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA p=
g_catalog FROM PUBLIC</span>
<div>&nbsp;</div>
</div>
<div style=3D"font-size: 11pt;">Andreas Joseph Krogh &lt;andreas@visena.com=
&gt; writes:<br>
&gt; Motivation: I have PowerBI users, with a separate =91reporting=92-role=
, accessing<br>
&gt; a database and I want to prevent them from listing all tables, users, =
databases<br>
&gt; and view-definitions (to not see the underlying query).<br>
<br>
Postgres is not designed to support this requirement.<br>
<br>
&gt; I'm evaluating this:<br>
&gt; REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC; REVOKE S=
ELECT ON<br>
&gt; ALL TABLES IN SCHEMA information_schema FROM PUBLIC;<br>
&gt; Will this affect =93normal behaviour=94, ie. prevent the planner, or o=
ther<br>
&gt; internal mechanisms, from working properly for sessions logged in with=
 the<br>
&gt; =91reporting=92-role?<br>
<br>
Probably 95% of that stuff will still work.&nbsp; By the same token, there<=
br>
are plenty of information-leaking code pathways that will still leak.<br>
For instance, your restricted user will have no trouble discovering<br>
the OIDs and names of all extant tables, using something like<br>
<br>
do $$ begin<br>
for tid in 1..1000000 loop<br>
&nbsp; if tid::regclass::text !=3D tid::text then<br>
&nbsp;&nbsp;&nbsp; raise notice 'tid % is %', tid, tid::regclass;<br>
&nbsp; end if; end loop;<br>
end $$;<br>
<br>
Functions such as pg_describe_object still work fine, too.<br>
<br>
Experimenting with psql, a lot of stuff is broken as expected:<br>
<br>
busted=3D&gt; \d mytable<br>
ERROR:&nbsp; permission denied for table pg_class<br>
<br>
but some things still work:<br>
<br>
busted=3D&gt; \sf sin<br>
CREATE OR REPLACE FUNCTION pg_catalog.sin(double precision)<br>
&nbsp;RETURNS double precision<br>
&nbsp;LANGUAGE internal<br>
&nbsp;IMMUTABLE PARALLEL SAFE STRICT<br>
AS $function$dsin$function$<br>
<br>
This is pretty much the other side of the same coin.<br>
The reason you can still parse and plan a query is that<br>
it does not occur to large parts of the backend that there<br>
should be any reason to refuse to read a system catalog.<br>
That carries over to these operations as well.<br>
<br>
This recent thread might be enlightening:<br>
<br>
<a href=3D"https://www.postgresql.org/message-id/flat/18604-04d64b68e981ced=
6%40postgresql.org" id=3D"OWA2309d720-c1db-7380-83b6-95f31fdb37fc" class=3D=
"OWAAutoLink" data-auth=3D"NotApplicable">https://aus01.safelinks.protectio=
n.outlook.com/?url=3Dhttps%3A%2F%2Fwww.postgresql.org%2Fmessage-id%2Fflat%2=
F18604-04d64b68e981ced6%2540postgresql.org&amp;data=3D05%7C02%7CBrent.Wood%=
40niwa.co.nz%7Cd471a43339634ba57f4208dcd2e48c6a%7C41caed736a0c468aba499ff6a=
afd1c77%7C0%7C0%7C638617126279440102%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLj=
AwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&amp;sdata=
=3DQbk8QFtdRcaWAzgvEHEA0kKTVIu4umFtqfNcYjCzJj4%3D&amp;reserved=3D0</a><br>
<br>
If you have a requirement like this, I think the only safe<br>
way to meet it is to not give those users direct SQL access.<br>
Put some kind of restrictive app in front of the database.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; regards, to=
m lane<br>
<br>
<br>
</div>
<table style=3D"width: 600px; font-size: 8pt; font-family: Arial" cellspaci=
ng=3D"20">
<tbody>
<tr>
<td><a href=3D"https://www.niwa.co.nz/"><img src=3D"https://www.niwa.co.nz/=
static/niwa-2018-horizontal-180.png">
</a></td>
<td>
<table style=3D"width: 500px">
<tbody>
<span>Brent Wood <br>
<font color=3D"#1793d2">Principal Technician - GIS and Spatial Data Managem=
ent</font><br>
<font color=3D"#1793d2">Programme Leader - Environmental Information Delive=
ry</font><br>
+64-4-386-0529<br>
<br>
National Institute of Water &amp; Atmospheric Research Ltd (NIWA)<br>
301 Evans Bay Parade Hataitai Wellington New Zealand<br>
<b>Connect with NIWA:</b> <a href=3D"https://www.niwa.co.nz/">niwa.co.nz</a=
> <a href=3D"https://www.facebook.com/nzniwa">
Facebook</a> <a href=3D"https://www.linkedin.com/company/niwa">LinkedIn</a>=
 <a href=3D"https://twitter.com/niwa_nz">
Twitter</a> <a href=3D"https://www.instagram.com/niwa_science">Instagram</a=
> <a href=3D"https://www.youtube.com/channel/UCJ-j3MLMg1H59Ak2UaNLL3A">
YouTube</a> </span>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<font face=3D"Arial" size=3D"1">To ensure compliance with legal requirement=
s and to maintain cyber security standards, NIWA's IT systems are subject t=
o ongoing monitoring, activity logging and auditing. This monitoring and au=
diting service may be provided by third
 parties. Such third parties can access information transmitted to, process=
ed by and stored on NIWA's IT systems.
<br>
Note: This email is intended solely for the use of the addressee and may co=
ntain information that is confidential or subject to legal professional pri=
vilege. If you receive this email in error please immediately notify the se=
nder and delete the email.
</font>
</body>
</html>

--_000_SY7P300MB07611F2D0067FA7A417DCB29A1642SY7P300MB0761AUSP_--