The remove access "-" button is enabled even if the access is not assigned to the user under the Applications tab in the Access > Request for Self. 

Is there any way to ensure that only user assigned with the access can see or click the button?

<Please see attached file for image>

This is the expected behavior. However it is configurable. 
In Identity Portal's Admin UI, go to Environment -> UI Configuration screen and look for the field "strict cart mode". 
Change the value from "false" to "true" and save. This should achieve the behavior you would expect.