Brad Buckingham of Red Hat reports:
After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
External reference:
http://projects.theforeman.org/issues/18838