Hi Dan,
As an organisational solution, (1) you could (let) check and adapt the permissions of a user when his userid is added to an approver group. As an alternative with only nearly the same effect, (2) you could use exit-7, when PECBSFCD is equal to 2, 3, 4, 5, and do a RACROUTE REQUEST=AUTH to check if the user has permission to approve packages, and then deny the package action in exit-7.
If your intention is to enforce the four-eyes principle, (3) you could use exit-7 with PECBSFCD equal to 0 (approve action) and check and deny this package action if the userid is the same as the userid of cast and/or creation etc.
Success!
Josef