Here are the requirements:

A. Create a Custom Investment Object (Master) with a sub-object (Subobject)

B. Rights need to be controlled via
a. Group and
b. OBS Unit Rights 

C. Resources:
a. need access to view the Master and Subobject instances
b. will not be able to delete any Master or Subobject instances, even their own.

If attempted, the following error will appear:
API-1007 : You are not authorized to process request. Contact your system administrator for necessary security rights.

Release : 16.0.3+

The following is needed to provide the minimal setup/implementation:

A. Create a Custom Investment Object (Master) with a sub-object (Subobject)

B. Add a resource to a Group containing the needed global rights:

1. Custom Investment - Navigate
2. [Master] - View All
3. [Subobject] - View All 
4. [Subobject]- Create

This will allow the resource to view all Master Subobject instances and only create subobject instances.

If more control is needed, such as viewing and deleting specific instances, the following can be performed and tested.

Rights at the resource level can be added at the
a. Resource > Access Rights > Instance level 
b. Resource > Access Rights > OBS Unit level

for the [Master] - Create - [Subobject]

with the following rights:
[Subobject] - Delete
[Subobject] - View

For additional protection, use field-level security (FLS) to prevent accidental editing or viewing of an instance.