The remove access "-" button is enabled even if the access is not assigned to the user under the Applications tab in the Access > Request for Self.
Is there any way to ensure that only user assigned with the access can see or click the button?
<Please see attached file for image>
This is the expected behavior. However it is configurable.
In Identity Portal's Admin UI, go to Environment -> UI Configuration screen and look for the field "strict cart mode".
Change the value from "false" to "true" and save. This should achieve the behavior you would expect.