diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
index 8b03e80d9b..404930cc15 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
@@ -192,6 +192,19 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_forbidden_orderby', __( 'Sorry, you are not allowed to order users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
+		if ( ! empty( $request['who'] ) ) {
+			$can_view = false;
+			$types = get_post_types( array( 'show_in_rest' => true ), 'objects' );
+			foreach ( $types as $type ) {
+				if ( current_user_can( $type->cap->edit_posts ) ) {
+					$can_view = true;
+				}
+			}
+			if ( ! $can_view ) {
+				return new WP_Error( 'rest_forbidden_who', __( 'Sorry, you are not allowed to query users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) );
+			}
+		}
+
 		return true;
 	}
 
@@ -256,7 +269,9 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			$prepared_args['orderby'] = $orderby_possibles[ $request['orderby'] ];
 		}
 
-		if ( ! current_user_can( 'list_users' ) ) {
+		if ( isset( $registered['who'] ) && ! empty( $request['who'] ) && 'authors' === $request['who'] ) {
+			$prepared_args['who'] = 'authors';
+		} elseif ( ! current_user_can( 'list_users' ) ) {
 			$prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' );
 		}
 
@@ -1372,6 +1387,14 @@ class WP_REST_Users_Controller extends WP_REST_Controller {
 			),
 		);
 
+		$query_params['who'] = array(
+			'description' => __( 'Limit result set to users who are considered authors.' ),
+			'type'        => 'string',
+			'enum'        => array(
+				'authors',
+			),
+		);
+
 		/**
 		 * Filter collection parameters for the users controller.
 		 *
diff --git a/tests/phpunit/tests/rest-api/rest-users-controller.php b/tests/phpunit/tests/rest-api/rest-users-controller.php
index 8c43f36089..06687054d3 100644
--- a/tests/phpunit/tests/rest-api/rest-users-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-users-controller.php
@@ -14,6 +14,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 	protected static $user;
 	protected static $editor;
 	protected static $draft_editor;
+	protected static $subscriber;
 	protected static $authors = array();
 	protected static $posts   = array();
 	protected static $site;
@@ -42,6 +43,13 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 				'user_email' => 'draft-editor@example.com',
 			)
 		);
+		self::$subscriber    = $factory->user->create(
+			array(
+				'role'         => 'subscriber',
+				'display_name' => 'subscriber',
+				'user_email'   => 'subscriber@example.com',
+			)
+		);
 
 		foreach ( array( true, false ) as $show_in_rest ) {
 			foreach ( array( true, false ) as $public ) {
@@ -166,6 +174,7 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 				'roles',
 				'search',
 				'slug',
+				'who',
 			), $keys
 		);
 	}
@@ -784,6 +793,43 @@ class WP_Test_REST_Users_Controller extends WP_Test_REST_Controller_Testcase {
 		$this->assertEquals( array(), $data );
 	}
 
+	public function test_get_items_who_author_query() {
+		wp_set_current_user( self::$superadmin );
+		// First request should include subscriber in the set.
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'search', 'subscriber' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertCount( 1, $response->get_data() );
+		// Second request should exclude subscriber.
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'authors' );
+		$request->set_param( 'search', 'subscriber' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertCount( 0, $response->get_data() );
+	}
+
+	public function test_get_items_who_invalid_query() {
+		wp_set_current_user( self::$user );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'editor' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+	}
+
+	/**
+	 * Any user with 'edit_posts' on a show_in_rest post type
+	 * can view authors. Others (e.g. subscribers) cannot.
+	 */
+	public function test_get_items_who_unauthorized_query() {
+		wp_set_current_user( self::$subscriber );
+		$request = new WP_REST_Request( 'GET', '/wp/v2/users' );
+		$request->set_param( 'who', 'authors' );
+		$response = rest_get_server()->dispatch( $request );
+		$this->assertErrorResponse( 'rest_forbidden_who', $response, 403 );
+	}
+
 	public function test_get_item() {
 		$user_id = $this->factory->user->create();
 		wp_set_current_user( self::$user );