Symptoms

User was able to approve a change request on behalf of another user.

Release

Kingston Patch 2

Cause

User that was able to approve on behalf had the "approval_admin" role.

According to the role's description:

Use the approval_admin role to allow users to view or modify approval requests not directly assigned to them.
Use the approver_user role to allow approvers to only view or modify requests directly assigned to them.
Use of this role requires a Fulfiller license. Use of the approver_user role requires an Approver license. 

Resolution

This is the expected behavior when a user has the "approval_admin" role. To change the behavior, customers need to review their role assignments.