How do ACL s get counted?

We are confused.
How do the ACL s get counted?

We think we have four ACL entries?

BUT the billing page says that we are using 2 out of 5 allowed.

Here is an anonymized version of our ACL s:

{
	// Declare static groups of users beyond those in the identity service.
	"groups": {
		"group:grp-example-1":      ["user1@example.com", "user2@example.com", "user3@example.com"],
		"group:grp-example-2": ["user4@example.com", "user5@example.com", "user2@example.com"],
		"group:grp-example-3": [
			"user6@example.com",
			"user7@example.com",
			"user8@example.com",
			"user9@example.com",
		],
		"group:grp-example-4": ["user10@example.com", "user4@example.com", "user6@example.com", "user1@example.com"],
	},
	// Declare convenient hostname aliases to use in place of IP addresses.
	"hosts": {
		"ts-dns": "100.100.100.100",
	},
	// Access control lists.
	"acls": [
		// Match absolutely everything. Comment out this section if you want
		// to define specific ACL restrictions.
		// { "action": "accept", "users": ["*"], "ports": ["*:*"] },
		{"action": "accept", "users": ["group:grp-example-1"], "ports": ["*:22,443"]},
		{"action": "accept", "users": ["group:grp-example-2"], "ports": ["*:443"]},
		{"action": "accept", "users": ["group:grp-example-3"], "ports": ["*:80,443"]},
		{"action": "accept", "users": ["group:grp-example-4"], "ports": ["*:22,80,443"]},
	],
}

How do they get counted?

Thanks.

It measures Named ACL users, which currently means any e-mail address that is a current tailscale user and is mentioned as a

• Group member
• Tag Owner
• ACL source (or “users”)
• SSH source