User was able to approve a change request on behalf of another user.
Kingston Patch 2
User that was able to approve on behalf had the "approval_admin" role.
According to the role's description:
Use the approval_admin role to allow users to view or modify approval requests not directly assigned to them.
Use the approver_user role to allow approvers to only view or modify requests directly assigned to them.
Use of this role requires a Fulfiller license. Use of the approver_user role requires an Approver license.
This is the expected behavior when a user has the "approval_admin" role. To change the behavior, customers need to review their role assignments.