Hi everyone,
I have 10 discontiguous public IP subnets (/24) and 2 groups of users, staff and students.
I was told that I have to create 10 VLANs (one for each subnet) and create 10 roles and assign them to 2 realms.
Is this the best way of doing it? I don't want to use private IPs, as we need to keep track of the users' activities.
What is the best way to set this up so that when a staff user signs in, the VPN allocates an IP address for the user on the staff subnet/VLAN and checks that the subnet is not running out of IP addresses? The same goes for a student user: sign in and get a student IP address on the student subnet/VLAN.
Maybe I am missing something, but I am a little confused by the need to use public address space. With logging enabled on your perimeter devices, I would imagine you'd be able to monitor activity regardless of whether the IP address is public or not. Juniper logs will have the information regarding which IP address is assigned to which user.
Also, do you have 10 different groups of users, or are the roles just being created to accommodate the 10 subnets? Based on your use case, assuming you just need two roles (Students and Staff), I would create one role for each group, then I'd create a corresponding NC connection profile for each of the roles. Depending upon your desired IP space distribution, you can place 5 subnets into each connection profile, or just distribute them as you see fit.
It will depend on the access mechanism you choose.
If you use a pure L3 VPN style access mechanism, then 1 realm, 2 roles and 2 'VPN Tunneling Connection profiles' will suffice, as for L3 VPN the SA preserves the source IP that was assigned to the tunnel interface.
(Note: 1 realm will suffice assuming your authentication server can return an attribute that allows the SSL VPN gateway to map staff/student to the appropriate role.)
However, if you use any other access method like web (rewrite), File browsing, Secure Application Manager (SAM), etc., then this will get very tricky, as by default the SSL VPN gateway sources traffic for all these access methods using its internal interface IP. You could override the default behaviour by using the role-level option called Source IP. However, that was designed to be used on a per-role basis rather than a per-user basis, which is why it will be tricky in your use case (i.e. you will need one role per user).
It is hard to tell from the brief description what would be best, but I believe you are describing a need for just two roles. Roles are just what a user will get access to once connected, and the above implies you have just two roles.
Networking is separate from access control. So in this case I would consider creating a private IP space for each of the two roles that is not in use on the network. Place the SA into this space and then route the space to have access to the 10 subnets.
Divide the space in half and use the top half for staff and the bottom half for students. These then are your Network Connect IP pools. Now when a user connects and is assigned an address, they have access to all the subnets from a routing perspective. This would allow you to apply different routing or firewall policies inside your network based on which space the connection is coming from.
Now when you create the role you can apply access control lists based on the staff and student role as to where they can go once connected. Inside the SA you have very granular ACL controls by role.
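Both suggestions above (one NC connection profile per role holding several subnets, or one pool per role carved out of a private range) boil down to the same thing: a role-keyed address pool, a check that it is not running dry, and a user-to-address record so activity can be attributed afterwards. The following is an added illustration of that behaviour written for this thread; it is not Juniper/Pulse configuration or code from any poster. The role names, the RFC 5737 documentation networks standing in for the real /24s, and the 10% low-water threshold are all constructed assumptions.

```python
import ipaddress

# Constructed sample pools: each role maps to its own list of /24 networks, standing in
# for the per-role connection profiles suggested in the thread. The RFC 5737
# documentation ranges are placeholders for the poster's real public subnets.
ROLE_POOLS = {
    "staff": ["192.0.2.0/24", "198.51.100.0/24"],
    "student": ["203.0.113.0/24"],
}

# Warn once the fraction of free addresses in a role's pool drops below this (assumed value).
LOW_WATER_PCT = 10.0


class PoolExhausted(Exception):
    """Raised when a role's pool has no free address left for a new session."""


class RolePool:
    """All subnets that belong to one role, treated as a single address pool."""

    def __init__(self, role, cidrs):
        self.role = role
        self.networks = [ipaddress.ip_network(c) for c in cidrs]
        # Usable host addresses only: the .0 and .255 of each /24 are skipped.
        self.candidates = [ip for net in self.networks for ip in net.hosts()]
        self.leases = {}  # ip_address -> username

    @property
    def capacity(self):
        return len(self.candidates)

    @property
    def free(self):
        return self.capacity - len(self.leases)

    def running_low(self):
        """True when less than LOW_WATER_PCT of the pool is still free."""
        return 100.0 * self.free / self.capacity < LOW_WATER_PCT

    def assign(self, username):
        """Hand out the lowest free address; spill into the next subnet when one fills up."""
        for ip in self.candidates:
            if ip not in self.leases:
                self.leases[ip] = username
                return ip
        raise PoolExhausted(f"{self.role} pool exhausted ({self.capacity} addresses in use)")

    def release(self, ip):
        """Return an address to the pool when the session ends."""
        self.leases.pop(ipaddress.ip_address(ip), None)


class Allocator:
    """Role-based allocation plus the user/address audit trail needed for accountability."""

    def __init__(self, role_pools=ROLE_POOLS):
        self.pools = {role: RolePool(role, cidrs) for role, cidrs in role_pools.items()}
        self.audit = []     # (username, role, ip) in sign-in order
        self.warnings = []  # low-water messages, one per sign-in that crossed the threshold

    def sign_in(self, username, role):
        pool = self.pools[role]  # an unknown role raises KeyError on purpose: no fallback pool
        ip = pool.assign(username)
        self.audit.append((username, role, str(ip)))
        if pool.running_low():
            self.warnings.append(f"{role} pool low: {pool.free}/{pool.capacity} free")
        return ip

    def who_has(self, ip):
        """Reverse lookup for log correlation: which user and role currently hold this address."""
        addr = ipaddress.ip_address(ip)
        for role, pool in self.pools.items():
            if addr in pool.leases:
                return pool.leases[addr], role
        return None


if __name__ == "__main__":
    alloc = Allocator()
    print("alice ->", alloc.sign_in("alice", "staff"))
    print("bob   ->", alloc.sign_in("bob", "student"))
    print("203.0.113.1 held by", alloc.who_has("203.0.113.1"))
```

The point of `who_has` and the `audit` list is the accountability concern raised earlier in the thread: as long as the gateway records which user held which address and when, the address being public or private makes no difference to tracing activity, and the per-role pools keep staff and student traffic distinguishable for routing and firewall policy.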
Are you trying to do VPN-based access, web-based access, RDP-based, or some other form?
NC access