Can these sub-allocation objects be created by the user/reseller/downstream provider?
No. Normally only the LIR will have the password for the mntner in the mnt-lower attribute of the allocation inetnum object, and so the LIR should create and maintain sub-allocation objects. When an LIR keeps their mntner in the mnt-by of an object, they retain control over an object. This may be useful to ensure that the address space is not retained by a downstream network if the reseller ceases to receive connectivity from the LIRs network. In addition, the LIR is contractually responsible for ensuring the address space allocated to it is used in accordance with the RIPE community’s policies. Sub-allocations cannot be further sub-allocated by user/reseller/downstream providers.