---
features:
  - >
    [`blueprint pci-dss-query-password-expired-users <https://blueprints.launchpad.net/keystone/+spec/pci-dss-query-password-expired-users>`_]
    Added a ``password_expires_at`` query to ``/v3/users`` and
    ``/v3/groups/{group_id}/users``. The ``password_expires_at`` query is
    comprised of two parts, an ``operator`` (valid choices listed below)
    and a ``timestamp`` (of form ``YYYY-MM-DDTHH:mm:ssZ``). The APIs will
    filter the list of users based on the ``operator`` and ``timestamp`` given.
      * lt - password expires before the timestamp
      * lte - password expires at or before timestamp
      * gt - password expires after the timestamp
      * gte - password expires at or after the timestamp
      * eq - password expires at the timestamp
      * neq - password expires not at the timestamp